Microsoft fastest to issue OS patches, Sun Slowest

Symantec's comprehensive security report on the malware industry from July 1 to December 31, 2007, is now available in its 100+ page glory. Symantec broke down information on patch development time by operating system and by the type of vulnerability encountered. Surprisingly, Microsoft had the shortest time-to-patch over both halves of 2007. In the first half of the year, Microsoft released 38 patches (two of which involved third-party applications) with an average deployment time of 18 days. From July to December, Microsoft released 22 patches with an average patch time of six days.

Red Hat came in second, at 32 days for the second half of the year and 36 days in the first half. That's quite a bit higher than Microsoft's average, but of the 227 vulnerabilities Red Hat patched in 2007, 226 of them involved third-party applications. Apple, Sun, and HP all lag well behind Microsoft and Red Hat, though the gap for each company differs significantly between the first and second halves of last year.

News Source: Symantec

15 Comments

but of the 227 vulnerabilities Red Hat patched in 2007, 226 of them involved third-party applications.

Err, correct me if I'm wrong... but isn't Linux mostly third-party?

lol. I know what you are talking about, but it is fair to include them in the count applied to "Red Hat" if they are included by default in a Red Hat release.

Which brings up an important point to consider when "comparisons" are done. Do you count the default Red Hat install? The minimal for servers? All packages possible? Then, when you look at Windows, and try to compare it to this "Red Hat" that will vary depending on the whim of the tester, do you use the default Windows install? Or do you match up applications to the Red Hat you just made (i.e. install Office, Photoshop and other such to count against the "Windows" category?).

It is hard to make any sort of absolute comparison between the two, and all configuration and testing criteria must be considered with a critical eye to find out what is going on.

The report says much more than the news title puts out (which is really just a small section of the report).

Uuuh, where are the flamers?

The people that would write "Thats because they have the most bugs!!!! M$ suxx0rs c0xx0r!!! Linux FTW!!!! RED HAT RULES!!!!"

When reading the headline, I was expecting at least 50 useless comments (like mine is) with flaming content :p

Guess they must be sleeping hehe

(cybershark said @ #4)
How many more useless reports is Symantec going to publish?

It's your comment that is USELESS, not Symantec's report.
How many more useless comments are you going to post?

(vlsi0n said @ #4.2)
I think it's great that they take the time to pull together such a resource. Don't read it if you don't like it.

+1 This is like reading a book, and after you read 50 pages, you find out it's crap, but you still finish it, just to complain about it afterwards

Just remember a lot of the time spent on getting a patch out to the public is because it goes through a LOT of testing... you can get patches from MS almost the time they know about the bug and figure out how to patch it via a call to them... it's when they are released to the public that takes the time because of extensive testing...

Ah, yes... Life is much easier if you just read the headline and accept it as an absolute truth without reading and applying a tiny bit of critical thinking and analysis.

(NPGMBR said @ #2)
Well what it means to me is that Microsoft gets patches out fastest.

If I wait until the last minute to announce on this message board that I was having a problem and then announce I've fixed it right after then yeah, it'll seem fast. But how do you know if I'm not telling you about all the problems I'm having if you can't see what I'm doing behind the scenes? How do you know if I'm not having the problem for longer than I've let you know about it? If there are a lot of people waiting to take advantage of the fact that I've got problems, then I'm not going to go around shouting it from the top of a mountain. So how are you going to really gauge how fast I can resolve all of the problems I'm having?

They announce that they're aware of the vulnerability directly before they aim to patch it, which is the most secure thing to do anyway; why leave your users out in the open? There may be tons of open holes that aren't being very quickly patched, but just nobody knows about except the company involved, but they aren't measuring the amount of time to patch these because they haven't been announced yet. So how is this really being measured, and how can we use this information anyway? Time to patch isn't the only important metric either, but also the number of security holes, severity, complexity, etc.

Well, it might not be an issue at the time, and it is a lot of work to patch an OS without having to patch something else the 1st patch fixed.

I agree with you Halcyon. This is a completely artificial way to measure. Interesting statistic to see, yes, but not the biggest determining factor.