Microsoft Turns Up the Heat on Linux Over Patching
by Alex Woodie
Microsoft is ratcheting up the rhetoric in its battle with Linux with a new report that raises questions about the security of the open source operating system, and about organizations' capability to keep it patched. The company commissioned a report from the Indian IT consultancy Wipro Technologies that compares the relative cost of deploying patches on Windows versus open source systems. While the costs were basically the same, Wipro found some key differences between Windows shops and their open source brethren.
The press release that Microsoft issued about the Wipro patching study carried the headline "Study Shows Windows Beats Linux on Security." However, while the study found that it costs 14 percent per year less to patch Windows desktops than Linux desktops, that Windows servers cost 13 percent less per year to patch than Linux servers, and that Windows database servers cost 33 percent less per year to patch than Linux database servers, Wipro concluded that the overall patching costs for these two types of systems are "roughly comparable."
After summarizing its finding that there is basically no difference in cost for managing security on Linux versus Windows, Wipro went deep into the details, where some interesting findings were uncovered, and some widely held beliefs were confirmed. The report can be downloaded from this Web page.
For example, the study found that, on a per-patching-event basis, Windows-based systems require less effort to patch than similar Linux and other open source systems. It also found that Linux-based systems are at risk longer than comparable Windows-based systems once vulnerabilities are disclosed. These numbers were based on the responses of 90 companies in the U.S. and Europe during 2003, when there were 251 reported Windows vulnerabilities, compared to 116 reported vulnerabilities in the open source space.
However, Wipro says the number of vulnerabilities for Linux and open source software is underestimated by as much as 98 percent, while the number of vulnerabilities for Windows systems is overestimated by as much as 42 percent. It bases these figures on a comparison of the vulnerabilities actually recorded in the Common Vulnerabilities and Exposures (CVE) dictionary maintained by MITRE with the number of vulnerabilities reported by the survey respondents themselves. Wipro also points to a "relatively lax attitude" among IT managers when it comes to the comparable security of Windows versus Linux.
Wipro dissected every stage of the patching process at respondent organizations, from threat assessment and testing to patch deployment and help desk resolution. Overall, the cost to maintain and patch open source systems was one-half to one-third that of their Windows counterparts. However, there are a lot more Windows boxes out there than Linux boxes, and on a per-event basis the pendulum swings the other way: according to the Wipro study, open source software becomes three to four times as expensive as Windows. Of particular note was the effort required to patch open source database servers, which consumed nearly 2.5 hours per system when there was a patch to deploy, compared to just over an hour for Windows database servers. There was not as big a difference in the time and expense to patch non-database servers and desktops.
It shouldn't be surprising that Windows is cheaper to patch on a per-event basis. It has a considerably bigger installed base (particularly on the desktop), and Microsoft has put in a lot of time and effort to refine its vulnerability response mechanisms. A good example of this is the monthly bundles of patches, also known as Patch Tuesday, which debuted in October 2003.
Another good example of Microsoft's refinement is the array of patch scanning, administration, and distribution tools Microsoft offers, including Windows Update, Microsoft Update, WSUS, and Systems Management Server 2003. The company has made a genuine effort to get the word out about patching. For this, Microsoft should be lauded.
Perhaps Wipro takes the lauding a bit too far, as it remarks that the number of Windows vulnerabilities in 2004 appears to have decreased as a result of Microsoft's Trustworthy Computing Initiative. "Evidence points to significantly fewer vulnerabilities on Windows systems in 2004," the report states.
While this may be true, through the first six months of 2005, Microsoft has issued 34 security bulletins to patch vulnerabilities (keeping in mind that sometimes a single patch will fix more than one security hole). That is exactly twice the number of security bulletins the company issued through the first six months of 2004, when it issued a total of 43 security bulletins for the year. A total of 51 bulletins were issued in 2003.
While Microsoft has made strides in improving its patch management tools, it shouldn't lose sight of the real goal, which is writing software that's secure in the first place.