Microsoft calls 'foul' on OS vulnerability data

Microsoft Corp. has responded to a report by London-based security intelligence firm mi2g Ltd. that claimed the Apple Macintosh operating system (OS) and certain varieties of Unix are less vulnerable to attack than the popular Windows and Linux operating systems.

The report, a summary of which was released to the public by mi2g, attributed 44 percent of the software vulnerabilities announced in the first 10 months of 2002 to Microsoft's Windows operating system and 19 percent to the open source Linux OS. By comparison, the company attributed only 1.9 percent to Apple Computer Inc.'s Macintosh OS.

In an interview, Mike Nash, vice president of the security business unit at Microsoft said that he feels those numbers are misleading.

"Essentially what (mi2g) has done is look at a combination of vulnerabilities announced by vendors and new vulnerabilities reported by users," Nash said. "There's no way to determine if the same issue is counted multiple times, or if erroneous vulnerabilities are being reported."

Products with more customers, like Microsoft Windows, are bound to have more vulnerabilities reported under such a system regardless of whether those products are less or more secure than the competition, according to Nash.

Jan Anderson, a member of mi2g's Intelligence Unit, says that the small size of the Macintosh operating system's user base -- what mi2g refers to as "security through obscurity" -- does not entirely account for mi2g's results, however.

"Our main point here is that although only about 3 percent of systems are running Mac OS, the proportion of attacks suffered by these systems is 60 times less than this, i.e., 0.05 percent. There are also relatively few known vulnerabilities of Mac OS as stated in the news release," Anderson wrote in an e-mail response to questions.

The issue may come down to which vulnerabilities get counted and which don't.

In a statement, mi2g said that the company is in touch with Microsoft at a senior level and that the two companies are working together to deal with the issue of vulnerability counting.

"Our methodology relies on collecting vulnerabilities and slotting them into two categories: confirmed vulnerabilities and candidate vulnerabilities. We collect our vulnerabilities from recognized, credible and reliable sources including CERT (the Computer Emergency Response Team at Carnegie Mellon University), eliminating all duplicates and discounting for multiple references. We do look at vulnerabilities which affect a particular operating system as a whole even though they may originate at a server or application level," mi2g said.

D.K. Matai, chief executive officer of mi2g, said removing unconfirmed reports from mi2g's numbers doesn't improve the picture for Microsoft.

"Even there, we note that Microsoft doesn't account for 44 percent of vulnerabilities, it accounts for 54 percent," Matai said.

According to Matai, mi2g compares its data against data maintained by independent software vulnerability tracking organizations such as CERT, and that the company's numbers are consistent with those maintained by CERT.

CERT declined to comment on the vulnerability data it maintains.

Regardless, software industry analysts and security experts consulted for this story agree that looking at the number of reported vulnerabilities is a poor measure of an operating system's security.

"Comparing the number of vulnerabilities to shipments of the software is interesting, but not very useful," said Dan Kusnetzky, vice president of systems software research at IDC.

"All software is written by people and people are fallible. The thing to look at that's more important is when problems show up, of any kind, what is the response from the software vendor? How quick is the response? If the response comes six months after a problem was reported, that's not good."

Marc Maffre, chief hacking officer of eEye Digital Security Inc. agrees.

"All operating systems have vulnerabilities," Maffre said. "The question is 'how fast were they fixed?' and 'is there a way to secure the vulnerability in advance of a fix -- a guideline document that would have helped?'"

While Apple's OS may have fewer reported software vulnerabilities, Maffre and Kusnetzky both said that there are also few incentives driving hackers or companies like Aliso Viejo, California-based eEye to scour that product.

"Breaking into Mac isn't something that gets a hacker kudos in his or her community. Breaking Microsoft gives that person the ego dollars that they depend upon, " Kusnetzky said.

Asked what businesses and individuals should do to assess the relative security of the various operating systems, Maffre and Kusnetzky both suggested that customers focus on securing their systems and assessing the ability of the software vendor to respond to problems as they arise, as opposed to worrying about the number of vulnerabilities.

But both Maffre and Kusnetzky fall short of giving Microsoft a pass on the question of security.

"Microsoft does need to do a better job at being secure," Maffre said. "There are too many trivial mistakes that you'd think a billion dollar company wouldn't make."

Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Paul Roberts

IDG News Service
Show Comments

Cool Tech

Bang and Olufsen Beosound Stage - Dolby Atmos Soundbar

Learn more >

Toys for Boys

ASUS ROG, ACRONYM partner for Special Edition Zephyrus G14

Learn more >

Nakamichi Delta 100 3-Way Hi Fi Speaker System

Learn more >

Sony WF-1000XM3 Wireless Noise Cancelling Headphones

Learn more >

Family Friendly

Philips Sonicare Diamond Clean 9000 Toothbrush

Learn more >

Mario Kart Live: Home Circuit for Nintendo Switch

Learn more >

Stocking Stuffer

SunnyBunny Snowflakes 20 LED Solar Powered Fairy String

Learn more >

Teac 7 inch Swivel Screen Portable DVD Player

Learn more >

Christmas Gift Guide

Click for more ›

Most Popular Reviews

Latest Articles


PCW Evaluation Team

Tom Pope

Dynabook Portégé X30L-G

Ultimately this laptop has achieved everything I would hope for in a laptop for work, while fitting that into a form factor and weight that is remarkable.

Tom Sellers


This smart laptop was enjoyable to use and great to work on – creating content was super simple.

Lolita Wang


It really doesn’t get more “gaming laptop” than this.

Jack Jeffries


As the Maserati or BMW of laptops, it would fit perfectly in the hands of a professional needing firepower under the hood, sophistication and class on the surface, and gaming prowess (sports mode if you will) in between.

Taylor Carr


The MSI PS63 is an amazing laptop and I would definitely consider buying one in the future.

Christopher Low

Brother RJ-4230B

This small mobile printer is exactly what I need for invoicing and other jobs such as sending fellow tradesman details or step-by-step instructions that I can easily print off from my phone or the Web.

Featured Content

Product Launch Showcase

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?