Microsoft calls 'foul' on OS vulnerability data

IDG News Service - Microsoft Corp. is responding to a report published last week by London-based security intelligence firm Mi2g Ltd. that claimed that the Apple Macintosh operating system and certain varieties of Unix are less vulnerable to attack than the popular Windows and Linux operating systems (see story).
The report, a summary of which was released to the public by Mi2g, attributed 44% of the software vulnerabilities announced in the first 10 months of 2002 to Microsoft's Windows operating system and 19% to the open-source Linux operating system. By comparison, the company attributed only 1.9% to Apple Computer Inc.'s Mac OS.
In an interview, Mike Nash, vice president of the security business unit at Microsoft, said he feels those numbers are misleading.
"Essentially what [Mi2g] has done is look at a combination of vulnerabilities announced by vendors and new vulnerabilities reported by users," Nash said. "There's no way to determine if the same issue is counted multiple times, or if erroneous vulnerabilities are being reported."
Products with more customers, like Windows, are bound to have more vulnerabilities reported under such a system regardless of whether those products are less or more secure than the competition, according to Nash.
Jan Anderson, a member of Mi2g's Intelligence Unit, says that the small size of the Mac OS user base -- what Mi2g refers to as "security through obscurity" -- doesn't entirely account for Mi2g's results, however.
"Our main point here is that although only about 3% of systems are running Mac OS, the proportion of attacks suffered by these systems is 60 times less than this, i.e., 0.05 percent. There are also relatively few known vulnerabilities of Mac OS as stated in the news release," Anderson wrote in an e-mail response to questions.
The issue may come down to which vulnerabilities get counted and which don't.
In a statement, Mi2g said that the company is in touch with Microsoft at a senior level and that the two companies are working together to deal with the issue of vulnerability counting.
"Our methodology relies on collecting vulnerabilities and slotting them into two categories: confirmed vulnerabilities and candidate vulnerabilities. We collect our vulnerabilities from recognized, credible and reliable sources including CERT, eliminating all duplicates and discounting for multiple references. We do look at vulnerabilities which affect a particular operating system as a whole even though they may originate at a server or application level," Mi2g said.
D.K. Matai, CEO of Mi2g, said removing unconfirmed reports from Mi2g's numbers doesn't improve the picture for Microsoft.
"Even there, we note

Reprinted with permission from

IDG.net
Story copyright 2009 International Data Group. All rights reserved.