"There were only eight flaws in Red Hat Enterprise Linux 3 that would be classed as 'critical' by either the Microsoft or the Red Hat severity scales," he wrote. "Of those, three-quarters were fixed in a day, and the average was eight days."
Critical flaws are generally those that allow an attacker to remotely take control of a computer system. The study did break vulnerabilities down into "high," "medium" and "low" severity ratings. Flaws graded as high severity include Red Hat and Microsoft's critical classifications and flaws that allow local users to gain access to system functions. Microsoft had far fewer high-severity flaws in both the default and minimal configurations, according to the paper.
Microsoft did fund the study, the researchers acknowledged. The software giant released a statement on Tuesday that indicated
"When Security Innovations submitted a proposal to Microsoft to research ways to measure vendor software security, we evaluated the proposal and determined that this type of analysis would be useful for our customers and funded their research," the company said in the statement. "We encourage customers to review and evaluate the data in the context of their own computing environments."
Richard Ford, a computer science professor at the Florida Institute of Technology, and Fabien Casteran, a security test engineer at Security Innovations, were the authors of the report alongside Thompson. The researchers hope to stave off criticism by publishing their methods as part of the report.
"The methodology was designed to allow others to validate it for themselves--it has to be quantitative and repeatable," Thompson said. "We didn't just want to hand people the cake; we wanted to give them a recipe as well."
While both days of risk and vulnerability counts aren't true measures of security, Thompson said that they wanted to focus on a metric that mattered to system administrators. The cumulative time they had to wait for patches is a reasonable measure, he argued.
Thompson admitted, however, that security largely depends on the expertise of the administrator.
"I think either (operating system) is infinitely securable by a skilled Jedi administrator," Thompson said. "If I have a Linux guru, then I want that guy to do the Linux web server. I am more of a Window guru, so I would use Windows."
Play video
» Ultimate virtualization blade
There are currently no comments for this post.