The report finds that on average, Linux distributors took longer than Microsoft to patch security holes, although Microsoft flaws tended to be more severe.
But leading Linux vendor Red Hat said that while Forrester’s underlying figures were sound, its conclusions didn’t give an accurate idea of relative security, as they failed to distinguish between patch times for critical updates and routine, obscure problems.
The report arrives in the midst of a fierce debate around the relative merits of Linux and Windows, and follows a number of reports perceived to have been slanted in Microsoft’s favor.
Last October, Forrester forbade its customers to publicize studies they had commissioned; it made the move partly because of criticism of a report from Forrester subsidiary Giga Research that found some companies saved money by developing with Windows rather than Linux.
A new tactic in that battle has been to compare how long it takes for various operating system vendors to patch flaws — the “days of risk” for each operating system.
Microsoft took on average 25 days to release a patch; Red Hat and Debian 57, SUSE 74 and MandrakeSoft 82, Forrester said.
“Microsoft’s average of 25 days between disclosure and release of a fix was the lowest of all the platform maintainers we evaluated,” wrote analyst Laura Koetzle in the report.
The figures Forrester uses for “all days of risk” are arrived at by averaging the number of days needed to fix a flaw, without distinguishing between critical flaws and harmless ones.
Thus, if a vendor took six months to patch a low-risk bug, it would make them appear to have a slow security response time overall, even if all critical bugs had been fixed instantly.
Using Microsoft’s own definition of a critical flaw as a bug which could allow a worm to propagate without user interaction, only 13 Red Hat vulnerabilities were critical during the one-year time period, and they took an average of just over a day to fix, Cox said.
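The dispute above is about how the "days of risk" metric is computed, not about the raw data. The following added example (not Forrester's or Red Hat's code, and using a constructed advisory list rather than the report's figures) computes the plain average the report uses alongside a per-severity breakdown, showing how a handful of slow fixes for low-severity issues can dominate the overall number even when every critical flaw was fixed within a day or two. The `ADVISORIES` list, its dates and severity labels are all hypothetical.

```python
from datetime import date
from statistics import mean

# Constructed sample data (hypothetical; not from the Forrester report):
# one vendor's advisories with disclosure date, fix date and severity.
ADVISORIES = [
    {"id": "A-1", "severity": "critical", "disclosed": date(2003, 1, 10), "fixed": date(2003, 1, 11)},
    {"id": "A-2", "severity": "critical", "disclosed": date(2003, 3, 2),  "fixed": date(2003, 3, 4)},
    {"id": "A-3", "severity": "low",      "disclosed": date(2003, 2, 1),  "fixed": date(2003, 7, 31)},
    {"id": "A-4", "severity": "low",      "disclosed": date(2003, 4, 15), "fixed": date(2003, 9, 12)},
    {"id": "A-5", "severity": "moderate", "disclosed": date(2003, 5, 1),  "fixed": date(2003, 5, 21)},
]


def days_of_risk(advisory):
    """Days between public disclosure and availability of a fix."""
    return (advisory["fixed"] - advisory["disclosed"]).days


def all_days_of_risk(advisories):
    """The report's 'all days of risk': one average over every flaw,
    regardless of severity."""
    return mean(days_of_risk(a) for a in advisories)


def days_of_risk_by_severity(advisories):
    """Average days of risk per severity bucket, so a slow fix for a
    low-severity bug cannot mask (or be masked by) critical response time."""
    buckets = {}
    for a in advisories:
        buckets.setdefault(a["severity"], []).append(days_of_risk(a))
    return {sev: mean(days) for sev, days in buckets.items()}


def critical_days_of_risk(advisories):
    """Average days of risk restricted to critical flaws; None if there are none."""
    critical = [days_of_risk(a) for a in advisories if a["severity"] == "critical"]
    return mean(critical) if critical else None


if __name__ == "__main__":
    print("all days of risk:", all_days_of_risk(ADVISORIES))
    print("by severity:", days_of_risk_by_severity(ADVISORIES))
    print("critical only:", critical_days_of_risk(ADVISORIES))
```

With this sample the undifferentiated average is about 70.6 days, while the critical flaws alone average 1.5 days and the two low-severity advisories average 165 days; the overall figure is almost entirely driven by the bugs that matter least, which is precisely the objection Red Hat raises.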
http://www.linuxworld.com.au/index.php/id;554502920;fp;2;fpid;1