Interesting information from RSA, it’s nice to see someone other than me notice the pure creamy goodness of WS2003 for once (I’ve noticed it from the incident response side of things by noting a marked absence of WS2003 hacking cases over the last 2 years as compared to Windows 2000).
Why am I not surprised by their findings?
Simple – I’ve been slowly biding my time as the WS2003 OS matures watching the bug counts in our OS and those of our competitors month by month using an independant site like Secunia – anyone who’s been doing this already knows that there are dramatically more bugs discovered and fixed by our open source competitor which in my mind does not seem to indiciate any superior secure coding kung-fu being employed on their part (or that the ‘many eyes’ approach is indeed contributing to provably more secure code).
Here are the stats from Secunia – an organization not affiliated with Microsoft b.t.w. 🙂
Windows Server 2003 Enterprise Edition
44 advisories since June of 2003, 11% un-patched right now, 0% extremely critical, 45% highly critical, 59% exploitable ‘from remote’.
Looking at the two un-patched ones, one is an HTML help vuln from 2003 – so I am betting that is a mistake and another is a minor information disclosure bug – obviously we have work to do still and we are doing it.
Red Hat Enterprise Linux ES 3.0
136 advisories, since NOVEMBER of 2004, 0% un-patched right now (I wonder if that includes all the latest slew of Linux kernel vulnerabilities reported in the last day or so) 1% extremely critical, 24% highly critical, 66% exploitable ‘from remote’.
We are by no means perfect, and we still have a loooooooong way to go, but the journey has at least started and as the first batch of products to go through our secure development lifecycle start to withstand the test of time – it is really no surprise to me to see that our focus on building secure products first and foremost is starting to pay off in terms of better quality software with fewer and less damaging vulnerabilities.