You know what metrics would also be helpful? Data sampling and estimating of the actual propagation of exploits (or if it is a trojan, one could do a crawler that tests for its propagation and totals it...)

This is a good analysis, but comparing OS numbers is not feasible, given that Microsoft has publicly admitted that they do not announce vulnerabilities that they discover themselves, whereas the Linux vendors/distros use CVEs to help them communicate with each other. These inconsistencies in vendor disclosures wreak havoc on raw numbers. See my open letter on vulnerability statistics for more difficulties in using these kinds of statistics. They are suggestive but not authoritative.

For those that noticed, the 2003 dip in statistics is due to CVE's own limitations that year; other databases do not have such a reduction for that time period.

Steve Christey
CVE Editor

----------
Roger's reply:

Microsoft has assigned a CVE to every exploit announced this year, whether they discovered it or not. Every MS06-xxx security patch has a CVE number associated with it. Further example, MS06-013 (http://www.microsoft.com/technet/security/Bulletin/MS06-013.mspx), an update covering multiple vulnerabilties has a separate CVE number associated with each vulnerability patched, regardless of whether MS discovered it or not.

reminder: as Strategy Director in the Microsoft Security Technology Unit, he is "a bit" biased.... Big grain of salt required.

Roger's reply:
I mentioned in the blog entry that he worked for Microsoft.

He can be as biased as he wants, but he's using publicly available statistics that you can collect and analyze yourself. Again, numbers alone don't come close to painting the whole story, but I do think it at least shows, as I state, that the other popular OSs aren't doing a much better job on the security front. They are all very exploitable.

[--Roger's replies inline]

Is IE considered an application or part of the OS?
--Microsoft would probably say both, although they are definitely being separated in this particular study and they are separated in Vista.

Or if the exploit uses ActiveX via IE is that an application exploit?
--Dependings on whether the control is delivered via IE...I would hazard to guess. There are dozens to over a hundred ActiveX controls on the typical Windows system that have nothing to do with IE.

Are these applications that are available on every platform?
--Some are (e.g. Adobe Acrobat, Macromedia Flash, RealPlayer, etc.), some aren't.

"What is an exploit?" also begs the question.
--That't an entirely different column and blog post. I'm guessing the (independent) maintainers of the CVE list have some say so in what is considered an exploit.

Is it something that someone at the Blackhat conference thinks may be exploitable (some of which have turned out to be bogus) or is an exploit something that has been exploited?
--It doesn't make it to the CVE list until it is real.

This smells totally of Microsoft's "Getthefacts" campaign.
--Jeff Jones' blog might be under that umbrella. I think he's actually a major part of that, so that's not out of the realm of truth. My blog entry certainly isn't. I talk about the good and bad of every platform I use (Windows, Linux, Unix, etc.). An exploit is an exploit, regardless of the platform.

In the field, an exploit is something that has been exploited. We have about 20,000 Wintel servers and another 10,000 Unix servers
(Solaris, AIX, Linux, Tandem, DEC). They are all running similar applications for the business. Meanwhile, a recent year-old exploit crashed over 9,000 of our Wintel servers and never touched any of our other servers.
--So, you're admitting that you didn't patch or secure your servers against a known exploit for over a year? You're a brave poster.

Kind of blows the charts theory that applications have such a high percentage.
--Kinda blows my mind that you and your company didn't patch your servers for over a year or take an offsetting protection since it was obviously high risk for your environment. Are you blaming Microsoft for that?

In the real world we are looking at the cost of exploits. And right now, the people we have supporting the server environments are spending 95% of their time dealing with Windows workstation and server exploits.
--That's appropriate since 95% of the world's desktops are Windows desktops.

Our business suffers major downtime due to exploits that have been exploited.
--No business I manage or advise has had this sort of problems for years. What are you doing wrong?? Look within. Don't blame others for you not patching your servers.

The exploits that cost us millions of dollars every month are inherently on the Microsoft platforms.
--Unless you are running OpenBSD, you're running an exploitable platform too. I meet guys like you all the time...who keep claiming how secure their Linux/Unix/Solaris stuff is. Then they challenge me and I break in just as easy as if it were Windows. Don't believe me. Challenge me in writing. Get mgmt to give me written approval to attack your network. All I need is 24 hours. I've been challenged many times over 9 years, and most environments fall in under an hour. The sad part is I'm only a mid-level pen tester. God forbid how easy the good hackers must have it.

That's the bottom line for us. In the six years I have been with my company, we have not had a single exploit problem with any Unix or Linux platform whether it was on a server or a mainframe. Meanwhile, we've spent hundreds of thousands of man-hours remediating Microsoft
problems.
--I've not had a single malware outbreak or hacker exploit on any environment I've managed going on six years now. Not on Windows or Linux. I keep them both secure. How come your company is doing such a bad job on the most popular platform?

Which would you choose?
--I use both Windows and Linux. I use the right tool for the job.

There is no excuse for Microsoft. A lot of their problems result from being copied from crappy DOS code. Stuff that many of us systems people have seen as bad code for more than 20 years. Microsoft has had more than 25 years in some cases
to fix their code. They never did. Meanwhile, most 5 or 10 year old OS's have addressed the same issues in a matter of months.
--Please challenge me to break into your network and you can try to break into mine. Let's put money on the table and stop all the emotional nonsense. If Windows is so easy to hack, let's see you do it. If you think Linux/Unix is so easy to prevent hacking, challenge me to do it against your environment. Roger

I think this is likely true, but hardly surprising given that Windows XP has been out for over half a decade -- seems like most of the holes would be patched by now.

-----------
Roger's Reply: Linux has been out longer and it still has more announced exploits and holes. The TCP/IP protocol has been out for over 20 years and people are still finding new big holes. Your point isn't much of a point.

The whole thing about patching: Windows patches often breaks third party applications, which are prevalent on a Windows platform and go to make up part of its allure. For instance, I found a patch disabled AVG AntiVirus; I personally don't use or recommend AVG, but it illustrates why people don't apply patches -because their organization's testing lab is often way behind on validating patches -probably the case with the gentleman above. How often have we come into a fogey corporate environment and find them to be running antiquated applications??
And when we ask why aren't they using a version of an app that has been out for at least six months, we hear, "oh, IT hasn't approved it yet; they are still testing it to make sure it works with all the other apps..."

On the other hand, RedHat is sheparding many of the server-oriented applications, and patching is well coordinated between all the applications that RedHat supports. One advantage that RedHat and other Linux distros have is that they are better at tolerating downlevel libraries -Windows likes to force developers to be using the latest and greatest. We know there are pros and cons to both of these approaches; but lack of support for downlevel libraries becomes an update hassle.

In fairness to Microsoft, if RedHat was hosting as many specialized aftermarket apps as Windows was, I'm sure we would see a lot more yelping about things breaking when RedHat would come out with their patches. But similar to Mac, RedHat has it a bit easier, since they are now delivering many of the (SERVER-SIDE!) apps that people need. I find at most people will drop mySQL, a Mail server package, and/or some monitoring software onto a RedHat box.

Heavy rests the head that wears the (app) crown...

P.S. I used RedHat as a specific example since I find that is used in most US corporate environments; SUSE and other distros have their strong points over RedHat, but I figured I would stick to one distro example here to avoid a discussion of special cases...