
Linux and Windows Security Neck and Neck

Posted by Zonk
from the no-losers dept.
Linurati writes "According to vnunet.com, Linux and Windows are neck and neck when it comes to security, but 'misleading figures and surveys are muddying the waters.' The article lays blame on both sides for the misleading information." From the article: "...Microsoft had made real progress on security in the past two years, but that the increasing number of Linux enthusiasts coming into the market would help the open source alternative in the long run."
This discussion has been archived. No new comments can be posted.

  • by yagu (721525) * <yayaguNO@SPAMgmail.com> on Thursday July 14, 2005 @12:59PM (#13064292) Journal

    I think there are two main factions here, and the answer for what constitutes better security has slightly different context with significantly different results.

    1. First, from the article: He added that Microsoft had made real progress on security in the past two years. This is true. But, Microsoft started from an awfully low level of security. And, yes they've done much to automate patches, make updates easier, etc., in my opinion, the one missing piece is they haven't collaborated with the Windows Applications community (Microsoft, itself, and third parties) to figure out the least authorized user problem. So, for the uninitiated, and the lay people, Windows continues to be a world where, out of the box, people set up their boxen with everyone at administrator privilege levels. Heck, most of the times I still go to people's homes and find they don't really even bother to set up separate accounts for users.

      For all of these people their machines are ticking time bombs, and I'm usually the one who gets the call when their world of computer technology explodes. This by itself is reason enough to consider other technologies where by default they are secure. For example, Apple does a good job (not perfect) of making their machines secure... I won't go into great depth -- I'm not a heavy Mac user.

      Also, linux by default comes out of the box with decent security. Even if users do try to just use, e.g., KDE as root only, they (as I recall) have to fight off the big red screen background, kind of like the enunciator lights and bells in cars when you don't fasten your seat belts.

      So, in the lay community, though Windows carries the popular vote, I think linux out of the box is by far the more secure and safe way to go.

    2. On the other hand, many companies have wised up (though not all) to the notion of restricting the default access of their employees, i.e., they do not get administrator privileges to control their own boxen. This creates a more stable, manageable, and secure environment for companies, but at what cost? Given that by the article's own words, "Engates added that his company manages 13,000 servers, roughly half of which are open source and half Microsoft. He claims to see little difference between the security on either platform.", and given that not having administrator access in Windows can be so problematic because of ill-conceived applications (see item 1.) and mismatched access to data, if I could forgo reliance on Windows applications I would choose to deploy as much linux in a company as I could.
  • LUA (Score:2, Informative)

    by xfmr_expert (853170) on Thursday July 14, 2005 @01:03PM (#13064338)
    May or may not be true, but it would be nice if I could run as LUA under Windows without having to jump through a bunch of hoops. I'm not talking about 3rd party apps, I'm talking about explorer.exe. There are a lot of little quirks and workarounds you have to deal with, although it's not impossible. It's clear that even XP was not designed with this in mind. Longhorn should do a better job of it. How good remains to be seen. That said, as a semi-experienced Linux user, I still have no idea if I am really safe under Linux. Maybe that's because I have not put much effort into it.
  • by kclittle (625128) on Thursday July 14, 2005 @01:06PM (#13064380)
    No meaningful data to be found! Some wanna-be techno-journalist getting some middle-level sys admin to talk about his "hunches".

    yawn...

  • Re:Sure sure (Score:2, Informative)

    by ucahg (898110) on Thursday July 14, 2005 @01:11PM (#13064450)
    Right. Whatever you say. Windows is JUST as secure as Linux.

    I don't think it's that far from the truth, really. It's like painting.. it's the artist, not the brush. A competent system administrator can secure Windows and keep it secure, just as with Linux. An incompetent sysadmin will fail with both.

    Of course, it could be said Windows makes it easier to be incompetent.
  • by deaddrunk (443038) on Thursday July 14, 2005 @01:21PM (#13064576)
    Not using IE for browsing has solved my spyware problem pretty much and since that's the major headache for most Windows users I'd always advise people to use Firefox instead of IE.
  • Re:Um, yeah right (Score:3, Informative)

    by AKAImBatman (238306) * <<moc.liamg> <ta> <namtabmiaka>> on Thursday July 14, 2005 @01:21PM (#13064578) Homepage Journal
    I'm not sure what Microsoft is shipping in its Windows XP boxes anymore, not having ever purchased a retail version of it.

    Having just purchased an OEM copy for a custom built machine, I can answer this question. XP Professional tends to ship with SP2 preinstalled. XP Home, however, only comes with SP1 installed to provide for better compatibility for "home" programs. (read: Programs that didn't behave themselves in the first place.)
  • by zerocool^ (112121) on Thursday July 14, 2005 @01:23PM (#13064603) Homepage Journal
    You must really not be in the trenches much. You are way off base. I would say more than 90% of the stuff that I see is from IE problems.

    1. Documents with embedded Macro viruses.

    Haven't seen one of these in *years*. All office versions since 2000 have made major steps to reduce malicious code in documents, and they were few and far between in the first place.

    2. False email attachments

    There's been a huge upsurge lately in server side virus scanning for email, and you just don't see a lot of spyware in email.

    3. RPC Vulnerabilities

    Not really since windows 2000.

    4. Buffer overflows on network services (e.g. IIS)

    How many XP machines do you see with IIS?

    Honestly, though there may be a higher percentage of vulnerabilities in other products, the VAST majority of actual infections happen b/c of IE. No IE, no spyware.

    The number 2 cause of infections on end user machines I would say is the "Click here to download and install the RAD SCREENSAVER OF THE MONTH" bug, or the "Click here to get (spyware supported) WEATHER REPORTS, FREE FREE FREE ON YOUR TASKBAR" bug.

  • Re:12 Min (Score:2, Informative)

    by stedo (855834) on Thursday July 14, 2005 @01:32PM (#13064722) Homepage
    The Honeynet Project did a study. They left an unpatched linux box connected to the internet (It was Red Hat 7.2) and waited until it was rooted. The Red Hat box survived for about three months. Then they did the same experiment with a Windows XP box.

    It lasted about four seconds.

  • by AKAImBatman (238306) * <<moc.liamg> <ta> <namtabmiaka>> on Thursday July 14, 2005 @01:41PM (#13064829) Homepage Journal
    Haven't seen one of these in *years*. All office versions since 2000 have made major steps to reduce malicious code in documents, and they were few and far between in the first place.

    They were anything *but* few and far between. Back when I worked at a help desk, we had an Excel virus that had been prevalent in the company for YEARS. Every so often someone would give us a call and say that all the info had been wiped from their Excel spreadsheet. And that's despite the fact that Norton Anti-Virus was blocking most of these viruses before the attachment could be downloaded from the mail server. And I've never seen a user pay much heed to the "This Document is Potentially Unsafe. Open? (Y/N)" prompt.

    They are certainly less common, but they are far from gone.

    There's been a huge upsurge lately in server side virus scanning for email, and you just don't see a lot of spyware in email.

    The problem with these worms is less the corporate email system, and more the matter of users running them from personal email. GMail does an excellent job of sorting the little buggers out, yet it still manages to let a few slip through every once in awhile.

    [RPC Vulnerabilities] Not really since windows 2000.

    Sasser [symantec.com] doesn't seem like it cared for your interpretation much.

    How many XP machines do you see with IIS?

    XP Professional and up. Thankfully most admins are replacing their servers with Win2003, which is somewhat less vulnerable to these exploits. Of course, SQL Server is still a problem with occasional flaws being found. (Why the blasted things were ever publicly accessible, I'll never know.)

    It's not that I'm disagreeing that IE is the biggest problem. I'm just saying that Windows has seen (and continues to see) a LOT more vulnerabilities than that. It just so happens that exploiting IE is en vogue right now, so that's what crackers do.

  • Re:Um, yeah right (Score:3, Informative)

    by falcon5768 (629591) <Falcon5768NO@SPAMcomcast.net> on Thursday July 14, 2005 @01:52PM (#13064983) Journal
    Just bought a brand new HP for my girlfriend's parents two weeks ago, not only was SP2 not installed, but in the time it took me to hookup, download updates and install Norton, it was already infected with 2 minor viruses and thought there was a 3rd (there wasn't, just a program asking it to do something it didn't like)

    So yes I would readily say that 80% of new out of box PCs are infected.... If I did all this and I knew what I was doing and still got infected in 30 minutes, could you imagine someone who didn't?

  • by Anonymous Coward on Thursday July 14, 2005 @02:01PM (#13065141)
    I've never seen a user pay much heed to the "This Document is Potentially Unsafe. Open? (Y/N)" prompt.

    That's because instead of actually analysing the macros to see whether they could do anything malicious, Office just warns you about every single document that contains any sort of macro whatsoever. So if you use macros at all yourself, you either stop taking any notice of the prompt, or you turn the prompt off. It is the crappest security measure ever.

    It's like an antivirus program that does nothing but pop up a window every time a new process starts that says "A new process has started that could potentially be a virus. Terminate it? (Yes/No)" - and nothing else.

    A better approach would have been... oh, not including a macro language that could delete any file on the computer with a single command, for example?
  • by Vengie (533896) on Thursday July 14, 2005 @02:04PM (#13065181)
    Hubbard didn't *do* scientology. He had joked for years that he always wanted to invent a religion....so he did. My father read the entire Battlefield Earth series when I was a kid -- we still have the shelf of books in our basement. (The series is ungodly long.) I remember the first time I saw "DIANETICS" advertised -- I thought "how quaint! more L Ron Hubbard Fiction!!!!" -- how true, how true.
  • Rubbish (Score:3, Informative)

    by reclusivemonkey (703154) on Thursday July 14, 2005 @02:06PM (#13065224)
    Look at what's actually happening, from http://www.us-cert.gov/cas/bulletins/SB05-194.html#trends [us-cert.gov]; Top Ten Virus Threats All Win32 Worms. Pick any security site, and look at the top 10 threats. Then tell me which OS is the most secure. We can argue all day about the reasons, the facts speak for themselves.
  • by tb3 (313150) on Thursday July 14, 2005 @02:31PM (#13065528) Homepage
    but windows 2003 is pretty rock solid.
    Riight. Like this? [com.com]
    Go on, pull the other one. Windows is just as leaky as it's ever been.
  • by freedom_india (780002) on Thursday July 14, 2005 @02:34PM (#13065554) Homepage Journal
    I use Mac OS X. A user who provides the root password or if it is already in the Vault for the user can erase a partition the user created.

    A user cannot just delete a partition in Mac OS X

  • by kz45 (175825) <kz45@blob.com> on Thursday July 14, 2005 @02:40PM (#13065614)
    Riight. Like this?
    Go on, pull the other one. Windows is just as leaky as it's ever been.


    no, like this [securityfocus.com]

    oh, and btw, Microsoft has had a fix [microsoft.com] for those issues for at least a week now.
  • by segedunum (883035) on Thursday July 14, 2005 @02:52PM (#13065732)
    How do you conclude Windows has more serious flaws than Linux? I've seen no evidence to support that claim. In fact a major security flaw in Kerberos was just announced (that isn't in the MS version). Your post is just anti-MS FUD.

    And just how many people are going to be infected tomorrow by this shocking Kerberos flaw on a Unix or Linux platform (Microsoft uses Kerberos you know ;))? The point is that the flaws within Windows and Microsoft software have simply affected too many people and businesses, and there are simply too many easy ways into Windows.

    Microsoft's reaction with Windows 2003 has been to panic create several hundred permissions and group policy applications, most now off by default, to cover all the holes like sealing wax. Result? Nothing works and people simply don't have the time to deal with everything they might need, so they have to turn it all back on again. What's worse is that it simply isn't structured. People can have no real idea what is or isn't turning something off. If I start a service (and am stupid enough not to think about it) on a Unix or Linux system I know what I'm getting. If I start something on Windows 2003 it might sort of run, but it probably won't work for certain users except administrators and there'll be some setting somewhere (not in a universal place) stopping it. It makes testing an absolute nightmare. Quite how they think this makes them more secure, I don't know.

    Microsoft have simply taken this 'off by default' thing they've heard about Linux and Unix and completely misunderstood it, or they've had to kludge things because their existing technology and software isn't up to it. That, I'm afraid, is simply not anti-MS FUD. It's just plain and simple reality.
  • by naelurec (552384) on Thursday July 14, 2005 @03:00PM (#13065827) Homepage
    And this points at where the problem lies - the users. They're generally lazy and uninformed.

    While this might be true .. it's not the entire story. The entire story is simple -- there is still a LOT of software out there that simply DOES NOT RUN 100% CORRECTLY OUT OF THE BOX in anything BESIDES an administrative level account.

    Even things that SHIP WITH WINDOWS are prone to oversight which tells me one thing (and has been seconded but not necessarily confirmed on /.) -- Microsoft doesn't believe in restricted access in its development model (read: Microsoft employees all have administrative level access).

    So is it any wonder that people DON'T do this? It's one thing to have a slight PITA factor when installing apps (as you can't simply say "hey here is my administrative level password .. install away!") but when you install apps and they may or may not work .. or might load but not work fully (ie write to a restricted part of the registry or file system without checking for success and not providing good error messages on what went wrong).

    From my professional experience setting up a "secure" windows environment -- there is a LOT of use of filemon, regmon and other tools to basically guess as to why apps fail and make the environment slightly more insecure so these apps can run (ie provide user write permissions to system registry nodes or certain file system areas)... even then, my success is quite low given the extremely LARGE amount of data that is spewed from these apps (not to mention certain apps that cause the said apps to close so they can't capture the data (piracy checking??))

    anyways.. it's not even close to a reality. The mindset of programmers, developers, managers and microsoft is still NOT high on restricted user rights security and it is VERY apparent.

    Is it better? sure.. but it's still not even CLOSE to being as good as on the *nix side even AFTER well over a decade since NT debuted.. fun.

  • by Tim Browse (9263) on Thursday July 14, 2005 @03:07PM (#13065909)
    All the traditional things that are restricted to root, like running services on ports 1024 or accessing another user's files, are pretty much irrelevant in the world of the single-user desktop.

    There's also stuff like firewalls and anti-virus software. If you're always running as 'root', then a trojan can kill those processes off and replace them with something else. A lot harder to do if you yourself are not allowed to kill your AV process for instance.

    And if you're running an outgoing firewall (which can't be killed/disabled by a regular user) then it's also a lot harder to do DDOS attacks, send out credit card details, etc.

  • Re:Pure FUD (Score:3, Informative)

    by Mr Europe (657225) on Thursday July 14, 2005 @03:16PM (#13066009)
    Extrapolate this:
    The respective (2003..2005) results for the Debian Woody, which has been out for nearly three years:
    Unpatched 1 of 488 total (read this line twice)
    Extremely or Highly Critical 30 of 84 total
    Remotely exploited 52 of 84 total

    You didn't know that the Woody is one of the most secure distros available.

    The actual reason to worry is NOT the amount of vulnerabilities but their severity and how long it takes them to be fixed. Microsoft often names vulnerabilities as "several bugs in ..."

    One other (serious) problem with Windows is that the owners of the pirated copies cannot get the security fixes and their systems pollute the internet.

    By the way, I couldn't help noticing: the ad just beside the article was by, you guessed it, Microsoft! But I don't think it could have any influence on the article...No, not possibly...
  • by kosmosik (654958) <konrad@nOSpaM.kosmosik.net> on Thursday July 14, 2005 @03:21PM (#13066056) Homepage
    There is something I don't get in those graphs. Take a look at them - Windows XP's last hole is dated on 2005-07-14, Red Hat's last hole is dated on 2004-05-03 - there *were* a lot of holes in software that Red Hat was shipping after that date... I don't want to bother to check but the last security advisory for Red Hat is not overlapping with end of line for RHL9? I mean those graphs are irrelevant since they measure different time periods (Windows XP is longer than RHL9). I am all about Linux but this comparison is not worth too much.
  • by ILikeRed (141848) on Thursday July 14, 2005 @03:32PM (#13066172) Journal
    Probably a Cisco box rather
    This Cisco link [networkworld.com] is a bit of a stretch, but there are lots of other examples where you are correct, like:
    Watchguard [watchguard.com]
    Image Stream [imagestream.com]
    LinkSys [linuxforum.com]
    and others like Astaro, SnapGear, D-Link, SofaWare... [linuxdevices.com]
  • Re:Pure FUD (Score:3, Informative)

    by Ih8sG8s (4112) on Thursday July 14, 2005 @03:39PM (#13066227)
    One very important point is that Microsoft patches bundle several fixes into one "issue" quite often. Also, Windows vulnerabilities are kept hush hush in many cases until a fix is already made. By the time a patch comes out for Windows, the damage is usually done and rectified by 3rd party removal tools.

    The ~25% unpatched monthly stat is horrific.
  • by murdocj (543661) on Thursday July 14, 2005 @05:07PM (#13067110)
    (by the way can you run Windows as restricted user? Many programs just refuse to work, I think that restricted user account is useless, most of the people I know run Windows as Administrator, only that and makes a big difference.)

    Yes you can run as a restricted user. I've run that way on my home machine for months now. There are a few programs that I've had trouble with but overall it works.

    My day job is with a software company and I can guarantee you that there are a lot of people running as restricted users, because our customers demanded that it work.

    So yeah, restricted users work fine.

  • by catprog (849688) on Thursday July 14, 2005 @08:56PM (#13068886) Homepage
    Here is a list of things that won't run under Limited Account:
    Outlook Express (Managed to get thunderbird working though and now runs in its own account)
    Word Clipart comes with a read-only database error (Tried Open Office. The other users don't like it)
    Quite a few games also don't run as limited user.
    So I had to bite the bullet and make the other users Administrators.
  • by yozzman (809961) on Friday July 15, 2005 @02:04AM (#13070454)
    If I start a service (and am stupid enough not to think about it) on a Unix or Linux system I know what I'm getting.

    Just to be fair, you have to remember that by default, a lot of distros launch a hell of a lot of unneeded services (Fedora does this), so you don't need to "start" a service, it's already mischievously running. You have to positively act out to stop those useless services.

    I believe OpenBSD is the best in this area since I think it has a "not running by default" policy. Even though I'm an Ubuntu/Debian person myself.
