CYBERSPACE — Although frequently derided over the security vulnerabilities present in its Web products, Microsoft’s security woes may not be as pronounced in reality as they are in the public imagination, according to data in the latest Internet Security Threat Report from Symantec.In its latest findings, Symantec reports that during the second half of 2006, Windows had the lowest number of security patches issued, as well as the shortest patch release time of the five operating systems monitored by Symantec during the reporting period.
The Symantec report shows that 39 vulnerabilities were reported for Windows during the second half of last year, with an average patch release time of 21 days. Of the 39 vulnerabilities identified, 12 were considered high priority or severe threats.
Red Hat Linux, by contrast, had an average patch release time of 58 days, and a total of 208 vulnerabilities found during the last six months of 2006. Only two threats of the 208 total were considered severe, however, with most (130) of the vulnerabilities rated as medium severity, and 76 other security lapses deemed low priority.
Apple saw its share of problems during the surveyed period, as well. Although only 43 total vulnerabilities were identified for Mac OS X during the reporting period, the average time for supplying a patch was 66 days – over three times as long as Microsoft’s patch development average.
The lowest performing OS types surveyed by Symantec were HP-UX from Hewlett Packard and Solaris from Sun, according to Symantec’s report. Hp-UX encountered 98 vulnerabilities during the second half of 2006, with a patch release average of 101 days. Sun reportedly issued patches slowest among the companies evaluated in the report, taking 122 days to address its 63 vulnerabilities.
Alfred Huger, vice president of engineering for the Symantec Security Center, told InternetNews.com that the biggest problem rests with Web applications, where more than 60-percent of all vulnerabilities are found. Huger said that the software and OS companies and vendors are doing “an OK job, just not stellar.”
The response to Symantec’s report on the part of the companies included in the data has been muted, with most simply taking the opportunity to reiterate their commitment to secure their products and provide timely fixes when vulnerabilities are identified.
Sun, however, defended the performance of its OS and strongly disputed the numbers reported by Symantec.
“Symantec’s data on security vulnerabilities simply does not match Sun’s,” the company said in a email statement, according to InternetNews.com. “We can’t verify Symantec’s sources and consider their report on Sun inaccurate.”
Sun contends that between July 1 and December 31st of 2006, the company published “54 Security Sun Alerts, of which 36 were for Solaris – substantially less the 63 Solaris vulnerabilities claimed in the Symantec report.”
“Past analysis of our vulnerability response shows we responded within five days for the vast majority of vulnerabilities, but averages are skewed by a small minority of 3rd party applications (or code) that are included/bundled with Solaris,” the company asserted in its statement responding to Symantec’s findings. “Sun responds to all reports of security vulnerabilities, and we stand by our reputation and established track record of responding to security vulnerabilities with Sun Alerts and a quick turnaround time for patches.”
Analyst Charles King of Pund-IT told InternetNews.com that part of the reason for Microsoft’s improved response time with respect to vulnerability issues is that the company has become a huge target for hackers, while also being the dominant force in the browser and OS markets.
“I think in a way that a culture of having been under attack for a decade or more has led to the company taking a very proactive approach to fixing those problems,” said King. “In the last 24 months, they’ve taken a very aggressive stance toward the security of their system. In review after review of Vista, despite its faults, the security of the system has been considerably better than XP.”
King added that those seeking to compete with Microsoft for market-share might be wise to step up their own responsiveness where security vulnerabilities are concerned.
“Are the old models of response to security issues going to be able to fly,” asked King, “or will those companies start to take some serious publicity hits from these increasing vulnerabilities and a relatively lackadaisical response to fixing those vulnerabilities?”
For more information, see Symantec’s Internet Security Threat Report, available online here: http://www.symantec.com/enterprise/theme.jsp?themeid=threatreport
