Are you suggesting that Linux doesn't release updates to fix security bugs? If not, then do you believe it doesn't have any security holes?

Microsoft keeps fixing bugs, keeps hiring scary Germand and Russian "penetration engineers" to attack their system, and the open source guys continue to believe in the ideological purity of their software. In the long run, who is winning?

> The bugs addressed by Microsoft Security Bulletin MS08-001 are evidence that the

> program doesn't always work as advertised

It is just possible that the effected protocol is not installed by default on the 2K and 2003, hence a lower criticality.

The "correct" quote is:

"640K ought to be enough for anybody."

And he never said it. If you insist, I challenge you to find out when, where and to who he said it. A proper quote always contain a source, and it shouldn't then be too hard to find out where.

While you are at it, I seriously doubt the second quote aswell. Why would an OS maker say such a thing when the hardware they designed for had an absolute limit of 1MB of RAM. When you write software it is very little you can do about the hardware you design for. In this case they couldn't even switch hardware, since they wrote for IBM, and it thus was IBM's call.

For the third quote, I like it when software designers tell me system requirements so I know if I can use software before I buy it.

Bestest of luck in your source hunt.

Need to be a coward for this one. Sticking up for Gates, pfft, I spit on you.

> It is just possible that the effected protocol is not installed by default on the 2K and 2003, hence a lower criticality.

The 'effected' protocol was TCP/IP. So, no, that's not possible. Next question?

I tend to regard the way this whole patching business gets reported (regardless of *who* is patching *what* code) to be a bit upside down, to be honest. After all, the argument for Open Source has always been that, because the code can be scrutinised, security vulnerabilities can be found more easily, and patches can be issued more swiftly and more frequently. The same logic holds for any other software, be it OS X, Windows, proprietary Unix, or the flash hardware on your domestic home router. A flaw has been found, a patch is available: apply the patch, or be an idiot.

Unless you assume that programmers can see into the future, and program flawless code, in advance, you should regard frequent code patching as a Good Thing, and not a sign of vulnerability. Infrequent patching is more likely to mean that flaws are either not being looked for, or are being found but hushed up.

XP Pro in 2003 had 30 security advisories. 50% were rated as 'moderate' or higher. 40% were exploitable from a remote connection.

Ubuntu 7.04 in 2007 had 91 security advisories. 62% were rated 'moderate' or higher. 76% were exploitable from a remote connection.

Vista in 2007 had 17 security advisories. 53% were rated as 'moderate' or higher. 59% were exploitable from a remote connection.

Data taken from secunia.com, looking at the data for the first year of release on a OS. It's worth noting that Ubuntu Linux is on a 6 month lifecycle, so a new version is released after just 6 months - thus viewing it over a longer period of time isn't really possible with accuracy.

My view? I'll stick with Vista thanks. According to the stats it seems a better choice for security than Ubuntu Linux.

Oh, and having one or two 'critical' patches/bugs is better to manage than 91 moderate or high security holes.

Ubuntu Linux 7.04 had more securtiy advisories, more advisories that were rated 'moderate' or higher and more security holes that could be exploited remotely during it's first year of release compared to XP or Vista's first year of release.

XP: http://secunia.com/product/22/?task=statistics_2003

Ubuntu: http://secunia.com/product/14068/?task=statistics_2007

Vista: http://secunia.com/product/13223/?task=statistics_2007

I think you'll find that the TCP/IP stack is completely new in Vista and 2008 server so it’s possible that they criticality is different.

@ Stu Reeves

Well said. Why people are so surprised that a large piece of software like Vista needs a patch is beyond me. My Ubuntu box reminds me about patches on a regular basis and sometimes they mess things up that's just what happens.

lol, this is the worst argument ever against Windows. You really want the rabid masses who are at this very minute opening BritneySpearsNude.exe to have any choice over how and what is patched? If Windows was OSS, malware and backdoors would be sneaked into various community 'patches', and some idiots would fall for it. This would also create a support nightmare.

Like it or not, most computer users don't understand or care, and a closed OS that auto updates is probably the best solution for them.

"Nobody will ever need more than 640k RAM!" -- Bill Gates, 1981

Don't forget that in 1981 by far the most common home computer in the UK was the Sinclair ZX81 with a massive 1K of RAM or if you were really extravogant 16K with the RAM pack. Most Vista machines today probably have 2GB RAM - what applications can you think of that will need a million times as much memory?

It's very easy to make snide remarks about Bill's predictions but I don't recall anybody predicting the scale of the computing revolution that has occured. In 1981 I only knew three other people who had computers at home, now most homes have at least one.

Specifically it is related to multicast traffic (IGMPv3). Windows 2003 does not have any multicast addresses active by default, hence the lower criticality than XP or Vista which do.

If you think a reboot is needed for every Windows patch, you've not been patching lately. It's now increasingly rare to need a reboot.

I would, in fact, say that Microsoft is better than many deeply shitty third party software vendors on this point.

On a system with an 8086 chip that's probably *still* true.

Like Windows Media Player, IE7 and Windows Mail...? (Fair enough with OpenOffice though!)

;-)

To be fair, I'm not trolling or saying that one OS is 'better' than another - I use a mix of platforms and have to patch them all regularly.

I just hate seeing the constant comments when a patch is out for Windows then the OSS fanboi's start their attack.

A few weeks ago when the random number generator in Windows was discovered to not be as random as we first thought. How strange that El Reg in it unbias glory didn't post the same article that was on SecurityFocus regarding the same flaw... (http://www.securityfocus.com/bid/25348/discuss)

Let's all try and remember that ALL systems and applications need patching. From Windows and Linux through to Cisco IOS and even printer drivers.

Good administrators keeps systems secure - not the platform.

As AC said - thats ONE SINGLE unpatched advisory. Just one. Plus you need to be a locally authenticated users first, and then you can view the filenames of files in a directory which is protected. That's the security issue.

Needless to say Secunia give it the lowest of it's ratings - "not critical".

Yep, if you look at the severity of the advisories then Vista has more higher severity ones than Ubuntu. Then again if someone can get access to my system I couldn't careless what rating the advisory gives it. Generally speaking, a moderate rating allows access to the system remotely.

It's obviously personal choice - but I would rather have a system with 53% of the holes being of a high rating but with just 17 advisories than a system with 61% of the holes being high rating with 91 advisories. (i'm using 'high rating' as moderate or above. Secunia marks advisories that are remotely exploitable resulting in system access or denial of service as moderate)

Regardless of how you want to dice the facts (and lets face it, anyone who wants to prove a point can always twist the facts - including me!) the bottom line is that Ubuntu had more advisories than Vista, and more advisories that were remotely exploitable than Vista.

No matter how you cut that cake, the facts are there.

And again - to repeat myself - this isn't one OS is more secure than another. I'm pointing out the massive misconception that Vista is very insecure compared to Linux. It's not - it's the user base that are the muppets rather than developers. And that can be said for the majority of software out there regardless of your OS religion.