The Seattle Times has a story from the RSA Conference, where, surprisingly, a study found Windows to be more secure than Linux. No, this is not a study done by Microsoft. The study compared Windows Server 2003 and Red Hat Enterprise Server 3 running databases, scripting engines and Web servers (Microsoft’s on one, the open source Apache on the other).
Their criteria included the number of reported vulnerabilities and their severity, as well as the number of patches issued and days of risk — the period from when a vulnerability is first reported to when a patch is issued. On average, the Windows setup had just over 30 days of risk versus 71 days for the Red Hat setup, their study found. “That’s a very surprising statistic, and I must say the first time I saw this statistic I thought you messed with my database,” Ford said to Thompson. Their presentation started jokingly, with Ford reeling off Windows jabs and praising the virtues of freely shared software that’s developed collaboratively over the Internet. But they concluded with statistics showing that the Windows setup had a clear advantage over the Linux alternative.
The setups were hypothetical, however. Both were in the most basic configuration, an approach that some in the audience suggested may tilt the results in favor of Windows, which comes with more features. Ford said the idea was to represent what an average system administrator may do, as opposed to a “wizard” who could take extra steps to provide plenty of security on a Linux setup, for instance.