The study, compiled by tech journalist Nicholas Petreley concludes that Microsoft's "Get The Facts" campaign does not deal with the "real facts."
Before we go into details, we should point out that Petreley's former life includes editorial director of LinuxWorld. He is the author of the Official Fedora Companion and is co-writing Linux Desktop Hacks for O'Reilly [Oh really, Ed). Oh, and he sometimes flogs his penmanship to the Rogerister.
Petreley compared Linux and Microsoft by examining three metrics for the last 40 patches/vulnerabilities listed for Windows Server 2003 and Red Hat Linux Enterprise Linux AS v.3. He looked at the severity of security vulnerabilities, including damage potential, exploitation potential, exposure potential, and the number of critically severe vulnerabilities.
Petreley said that even by what he called "Microsoft's subjective and flawed standards", around 38 per cent of the most recent patches dealt with vulnerabilities that the software giant ranked as critical. Only 10 perc ent of the Red Hat patches and alerts addressed flaws that were rated critical.
Petreley said that the method he used means that it is impossible to use the old excuse that Windows only suffers so many attacks because there are more Windows installations than Linux, therefore Linux would be just as vulnerable if it had as many installations.
He said that if security problems boiled down to the fact that malicious hackers target the largest installed base, it follows that we should see more worms, viruses, and other malware targeting Apache and the underlying operating systems for Apache than for Windows and IIS.
If open source was inherently less secure, "then one would expect Apache and the operating systems on which it runs to suffer far more intrusions and problems than Microsoft Windows and IIS. Yet the opposite is true, his report claims.
Since Petreley released his report, it has been criticised as not exactly being a scientific way of doing things. The results have been described as circumstantial and his take on it somewhat partisan. As one Slashdot reader pointed out: "As long as something like 90% of all the 'reports' about Linux being more secure and 'mythbusting' reports are written by Linux supporters or have some business in seeing Linux succeed, I'm going to take this with a grain of salt." [Surely a dram of malt, Ed.] µ
Sign up for INQbot – a weekly roundup of the best from the INQ