Microsoft: Vista more secure than Linux and Mac OS X - in the beginning
Microsoft's Security Strategy Director Jeff Jones claims that Windows Vista has more than held its own in security matters during its first six months, and has therefore made several Linux distributions and Mac OS X look bad in the process. The head of Microsoft's Trustworthy Computing Group asserted that Microsoft only needed to eliminate 12 vulnerabilities in Vista in the first six months, although four of these were critical (not including the latest patch day).
In comparison, according to Jones, Red Hat had to patch its Enterprise Linux 4, Ubuntu its 6.06 LTS distribution and Novell its SUSE Linux Enterprise Desktop 10 considerably more often in the first six months after release. Even when reduced to the key components, for example an installation without GIMP, OpenOffice and the like, Red Hat had to patch 214 holes, 62 of them critical. According to Jones' calculations, Ubuntu's performance was better: 74 vulnerabilities were eliminated, 28 of them critical. Novell, for its part, had to iron out 123 vulnerabilities in its distribution, of which 44 were deemed critical.
Apple is listed with 60 bugs to fix in Mac OS X 10.4 during the first six months, 18 of them potentially allowing code to be injected and executed. Jones also includes Windows XP in his survey: during the same period there were updates for only 36 vulnerabilities, but 23 of them (almost two thirds) were critical. XP and Vista also come out ahead when counting vulnerabilities discovered, but not yet eliminated, during the first six months.
In Jones' opinion, the good results can be attributed to the fact that Vista is the first operating system from Microsoft developed entirely within the framework of the Security Development Lifecycle (SDL). Even in a comparison of the security of database products from Microsoft and Oracle, two surveys independently arrived at the conclusion that Microsoft's products are more secure, which is probably also due to the SDL. On the other hand, it is fairly obvious that the number of published advisories alone is a rather poor metric for the security of a product: it counts disclosed and patched issues, not the vulnerabilities that remain unknown or unfixed, and says nothing about how severe or exploitable each one is in practice.