If you haven't read the Windows Vista One Year Vulnerability Report, it's worth taking a look at, if only to solidify what Andrew Jaquith talks about with security metrics and graphs and how they can say whatever you want them to say.
Original Post here:
Here are my comments after a quick read of the paper.
Interesting paper. I'm not convinced that Vista is "necessarily a better OS" just because there were more vulnerabilities by number in RH/Ubuntu versus Vista, or that the far lower number of vulnerabilities between XP and Vista deserves a ton of praise. Good, in 5 years MS got better at creating and rolling out a secure product...kudos. Isn't that what everyone expected and MS said they would do? Also, I can't imagine anyone dropping a remote code execution exploit for Vista on bugtraq/FD/milw0rm/whatever right now for free; a working exploit for Vista or XP SP2 is far too valuable to give away for the sake of "making the internet a safer place," especially with all the companies paying big bucks for those exploits, how valuable they would be for the underground, or simply for the sake of having an 0day.
It would have been interesting to compare all those open source vulnerabilities not by number but by remote code execution possibility. I didn't go and check every MS # or every vuln listed for RH/Ubuntu, but I am going to guess that if it got a critical rating or was mentioned for Vista it was because code execution was possible (either client side, "I send you a link, click on this," or full old school remote). I'm going to go out on a limb and say that not every vulnerability that was released for open source was code execution. I wouldn't put a bugfix in some obscure library that did get pulled down as an update in Ubuntu (and added to that 100+ updates) in the same category as a code execution vulnerability.
Just goes to show you that I can make up become down and left become right with the right wording and some excel graphs...