There has been a lot of FUD flying around stating that Microsoft Windows Vista is more secure than Linux. What was actually compared was the number of vulnerabilities fixed in a Linux distribution and in Windows Vista. Both 3-month and 6-month studies have been published, with the intention of showing Linux security in a poor light. Now, this is in no way an apples-to-apples comparison, because a Linux distribution contains plenty of applications. Furthermore, vulnerabilities in server applications had also been included. For an apples-to-apples comparison, just the OSes have to be compared. So I went to Secunia and looked up the vulnerabilities affecting Ubuntu 6.06 and Vista for the year 2007 till date. What I found was surprising: in 2007, in the OS (which I took to be the kernel + X Window System + desktop environment for Ubuntu, with their libraries), Ubuntu had only three highly critical vulnerabilities. Windows Vista, in fact, had 10. Check it out for yourself.
For this study, I checked only the highly and extremely critical vulnerabilities, because these are the vulnerabilities which hackers actually use to get into the system. Moderately critical vulnerabilities give DoS attacks causing crashes, while mildly critical vulnerabilities do not cause system compromise or require local access. However, these mildly critical reported vulnerabilities are more numerous in the Linux distros.
Note that this analysis is just for disproving the FUD. Actually, the reason why Linux is more secure is different. It has a more secure architecture, and it has a wonderful tool (Synaptic) which can update all the applications in a single click, an ease which is simply missing in Windows, as a result of which many people do not update their third-party software properly. But more of that later. Just remember, the graph above is an argument against FUD. The real reasons for its security are different. Vulnerability counts are a horribly flawed metric for comparing operating systems. Furthermore, even days-of-risk are not a good measure for comparing the security of Linux distributions relative to closed-source OSes.
N.B.: For the record, the highly and extremely critical vulnerabilities are 10 for Vista, 13 for IE7 on Vista, 3 for Windows Mail and 2 for Windows Media Player.
For Ubuntu, all three vulnerabilities listed above were in OpenSSL (I disagree with the criticality, but that is another matter). There were other highly critical vulnerabilities in Firefox, OpenOffice, Poppler, ImageMagick, xine-lib, krb5, and w3m for the default desktop installation. If possible, and if my ISP permits (they are a stupid lot), I will give more information tomorrow. Since more patches may come in the rest of the year, I am not giving the exact numbers now.
This comparison is just from the information found in Secunia. Other security analysts may give different ratings.
Update: These packages showed highly critical vulnerabilities till 12/19/2007
Of these, only OpenSSL can be considered a part of the OS. Kerberos is not enabled, php and tcpdump are server packages, and the others are application packages (of which KOffice and Thunderbird are not part of the default installation in Ubuntu anyway). I will update the list again at the end of the year. Also note that these are advisories. An advisory may contain more than one vulnerability, e.g. OpenSSL has 2 advisories but 3 vulnerabilities. For this study, vulnerability checking of the applications has also been done upstream.