The Value of Operating System Comparisons

Since Blaster/Slammer, namely since the start of Trustworthy Computing I am working at Microsoft in a publically facing security role. I went through all the blaming and had to take all the heat of what we did wrong and how bad we are – and I admitted there and still do today that security was not a priority for Microsoft back then (and if you quote me, please quote the whole sentenceJ). However, we changed dramatically and I am convinced that Microsoft is one of the few companies of such a size having the capability to change within the timeframe we did and the change will go on.

When I did my first presentation on Trustworthy Computing, I stated publically that this is an industry initiative and not a “Microsoft only thing” – and the people laughed at me. They told me that Microsoft is THE problem and that we will never change. When I looked at the figures of e.g. vulnerabilities back then, we saw from the beginning that we were much better than everybody else but have been the bigger target and the one that actually made much, much more noise. Finally, we were best in class with incident and vulnerability response. This is my true belief when I look back to that time and it still is if I am looking at today’s industry!

Since that time until today, I never participated in the discussion about “who is more secure? – Windows, Linux, Mac,…”. Why? Well, that is pretty straight forward to tell: There is no value to this discussion from my point of view. We have to know where we stand – this helps to judge where to set the priorities but basically our customers expect us to deliver the best in class for the market – and they shall do this! This has to be our target.

Now you might ask, why I am writing this. Each time a vendor has a major security problem, the discussion starts again. This time Apple got the blame. People were talking of “Mega-Patch” and so on. There started a blog “war” on which OS is more secure. There were titles like:

And there are people trying to do a comparison: “I don’t use Windows! I’m invincible!”

Does this really add any steps towards a solution of the problem? Most people that are actually “comparing” security of the different Operating Systems are geeks and they are all assuming that everybody is a geek as well.

Instead of blaming around, I think it is time to come together and look for solutions within the industry. We are competitors in certain areas but to address the “security challenge” the companies have to come together! We support and sometimes even initiated different forums/alliances already to do exactly what I said:

  • VIA (Virus Information Alliance): An alliance where all the major AV-vendors are part of to share information on malware.
  • SAFECode (see my earlier blog): An alliance that helps to share best practices around building secure products

So, instead of wasting time to complain and tell everybody that A is better than B or complaining that people are stupid or telling everybody that you are the one knowing how to configure a system but you do anyway not trust the vendors (typically us), I ask you for a constructive dialogue. We can start it here or you can mail me:

  • Knowing what we are doing already (e.g. Security Development Lifecycle), what do we have to do to improve security for mom and dad?
  • What can we do – from your point of view – to improve our communication?
  • What has the industry to do to even get better?
  • If you are working for a major ISV – join SAFECode to move the industry as a whole.

I am open for any constructive and open dialogue but not for blaming and bashing.

Looking forward to your feedback


Comments (10)

  1. Anonymous says:

    Why do you think that opening up our source will reduce the vulnerability count? If you look at Jeff Jone’s blog (e.g. you will see that most Linux distributions are much, much worse when it comes to vulnerabilities. Yes, Jeff is working for Microsoft, so before you now are taking on that point, pleas read

    So, this is one side of the coin. Working together for me does not necessarily mean that you have to look into our code (even though a lot of people outside Microsoft get access to it) but talking about new concepts and ways how to protect the users. Quite some people actually picked up that ball and I will definitely take part of it to think about the concepts.


  2. Anonymous says:

    Hi Jim

    yes I did and when I re-read my post I had to realize that I made one point not clear enough: What I want to say is that we have to stop complaning and saying everythign sucks anyway but work jointly towards solutions on security that work for you (being geeks) as well as for global enterprises as well as for small and medium business as well as for my mom and dad. This is what we are looking into. And actually I already got some private messages which I will discuss with the respective people and I was really enjoing the read of some suggestions I read as comments on other blogs. This is what I would like to see


  3. Anonymous says:

    It seems that I am not yet gone J . Eric Bidstrup, a colleague of mine, wrote a great blog post about

  4. Anonymous says:


    I personally think we will see these type of discussions always and they are non-stopping one. Because, majority of people out there thinks comparison is necessary. That’s why before going to buy anything they usually go on cnet to check reviews and compare two different things.

    As a Security Professional I agree with your comments that instead of discussing these topics, writing on blogs, and putting comments etc, we should come up with something to improve our security standards and methods. After all, security is not only Microsoft or Apples problem it is every single computer user problem.

    As a suggestion I like the idea of Microsoft, Apple, Linux and other OS community to work together to beat the 0 day threat and all security professionals should participate in that to challenge bad guys out there.




  5. Myztry says:

    Security wasn’t originally a low priority for Microsoft. I just wasn’t a consideration at all. There was simply no method to differentiate programs rights at all, at least till Windows XP. The fool who decided that allowing ActiveX controls to run from web pages should be barred from the industry.

    Linux/Unix is infinitely ahead of Windows are far as security goes. But even so, it is (as is Vista) flawed in design when it comes to the mainstream casual user.  The requirement for root or sudo elevation by users who have no hope of knowing the true nature of new software isn’t good enough.

    What needs to happen is for a totally new operating system to be created,  which for transitional purpose requires legacy operating systems to run in a sandbox under a hypervisor.  The only local crossover should be with non-executable data documents via dual filtered virtual devices.


    Software should only be installable via data packages by the operating system. The will be required to classify themselves singlely (game, document application, system utility, etc). Each shall have it’s own unmodifiable application store, per user config and per user document access. No application would be allowed to create, modifiy or run executable files.

    No application would be allowed to access or modify system configurations directly, and could only achieve this by requests to the operating system which would moderate user/program rights, and explicitly deny any request outside of the application’s declared category.

    All software packages could be subject to blacklist/whitelist checks by a trust provider as chosen by the user/administrator. System utilities, or other categories that need to modify the underlying OS, and thus create risk, would be required to be whitelisted by a trusted party. Not just a casual password.

    All granted configuration requests shall exist as overlays to the system, on a per user basis, and thus removable, and movable (backup) by the operating system.

    Yada Yada Yada. I could go on forever. The key is transition.

    Food for thought…

  6. Peter Flindt says:


    my two cents about security is, that some parts goes in the wrong direction. If a guy buy a bigger gun I must buy a bigger bulletproof vest? Why not take away the gun?

    For example, someone send me an Email attachment, I open it, and get the trouble. I visit a website, click somewhere, and now….

    Prevent Outlook or whatever, from open the attachment is only one side of the coin. I ask myself why eMails still using a 20 year old Pop3/SMTP protocol for the mass market. Same as HTTP stuff, why not make HTTP, javascript, active X,… on his own more secure?


  7. Marcin says:

    Hey Roger, thanks for posting a comment on my blog. I have <a href="">posted
    a comment</a> in response and dre has also put a lot of thought into his reply as well. I hope you check them both out.

  8. Jim B says:

    Did you actually read the blog postings you cited? You seem to have missed their message entirely. The common theme of all three wasn’t "blaming and bashing" or "a blog war on which OS is more secure," and in fact they were quite the opposite. Those postings talked about why comparing OS security is mostly an empty and pointless exercise.

  9. DFreeze says:

    Not compare and “best of class” statements don’t mix well, in my opinion, but then I’m just nitpicking I suppose. I’m no security expert, so maybe I’m missing the point entirely, but as far as I can see, a lot (most) of the security threats have to do with the design choices of the OS in question. The amount of threats directly relates to the exposure of the OS, but the way the threats work is that they specifically target flaws in the OS in question. “Work together” could in my opinion only work on a governing level (help identify malicious emails, attachments, websites together, to minimize the time they go undetected, maybe even on a level of “trying to find the bastards who write the darn things”), but that’s only fighting the effects. The cause of the problem, insecure code, is a problem of the OS writers (unless ofcourse you’ll choose to open up the source ;-)). As long as the development of your OS stays behind closed doors, don’t be surprised you’ll be on you own fixing the errors as well.

  10. Marcin says:

    Hey Roger, I just wanted to point you back to my blog for a couple follow-up comments, one from dre and one from David Rice, the author of Geekonomics (

    Comments after you last reply begin here:

    Cheers :)