Secunia have reported that more flaws were found in Redhat Linux (633) than in Windows (123), but even a blind man can see it is nowhere near a fair comparison.
Redhat is made up of the core operating system, and thousands of third party applications that people can choose to install. (or not). 99% of the 633 security flaws found in Redhat Linux were in the third party applications, only 1% were in the core OS.
Windows however, only had 123 bugs, but 96% of them were in the core operating system. Since 3rd party apps are not supplied or supported by Microsoft however, all of their bugs did not get added to the total as they did in Redhat’s case.
Does anyone else think that this is perhaps not a fair comparison? I can tell you one thing, I’d rather have a core OS with 1% of 633 flaws (6.33), than one with 96% of 123 flaws 118.08. The OS results could just have easily been put “Windows had 118.08 more OS security flaws than Redhat Linux.”
With regards to Firefox, they also seem to be counting flaws that Mozilla have found themselves. We know they are not doing the same for IE, because Microsoft don’t announce flaws they find themselves. Again, not really a fair comparison.
Interesting however, is the patching statistics for IE and Firefox.
Out of eight zero-day bugs reported for Firefox in 2007, five have been patched, three of those in just over a week. Out of 10 zero-day IE bugs, only three were patched and the shortest patch time was 85 days.
(taken from here)
Microsoft’s best patch result was 85 days to release and only 3 out of 10 flaws patched, verses 5 out of 8 and just over a week for Firefox.
Statistics are all good and interesting, but taken in the wrong light, can paint a picture that is dangerously incorrect.