Where Perception and Reality Meet

August 11, 2008
By admin

It is no secret that I hate FUD (Fear, Uncertainty and Doubt), nor is it a secret that I have been trying (in whatever small way I can) to debunk much of the FUD about Microsoft and Vista in particular. Well, now it seems that I have some actual research to back up my claims that "Vista and MS aren’t as bad as people perceive".

According to PC World, IBM has released their Security Report for this year. The shocker? Well, it would seem that the Fruity/Feline OS is at the top of the list for security bugs last year.

That’s right, they took over the top slot, while Microsoft fell to third behind Joomla (an open source product).
According to the IBM X-Force 2008 Mid-Year Report, Apple had a vulnerability disclosure share of 3.2 percent, Joomla 2.7 percent and Microsoft 2.5 percent.

IBM was in fourth, with Sun in fifth (Sun is a newcomer to the top 5). The entry of Joomla is due to IBM adding Common Platform Enumeration into the X-Force database. This added Joomla, WordPress and Drupal. These are primarily here due to the increase in Web application flaws; cross-site scripting and SQL injection account for 51% of all vulnerabilities.

For public exploits, Microsoft held on to number one, followed by HP and Apple. This trio made up roughly half of all exploits found in the top 10.

IE and Firefox both showed drops in critical vulnerabilities, with six memory corruption ones each. This is down from 20 (IE) and 8 (FF) in 2007.
Interestingly enough, Firefox came in behind IE with one security zone bypass and a miscellaneous vulnerability, while IE had neither of these as of this report. In 2007 Firefox had 11 security zone bypasses and four buffer overflow flaws.

So it would seem that while we have been told by countless sites that Vista is flawed, open and full of holes, the facts do not bear out this impression.
For those of you who will bring up the public exploits numbers: these numbers are somewhat arbitrary. IBM includes all exploits that were publicly released (announced, not actually put into action) that contain proof of concept code or that contain enough information that someone else could put together proof of concept code. This means that any public disclosure of an exploit is more than likely listed, whether or not it is actually released. The vulnerability disclosure is the list of actual (or real) exploits and security vulnerabilities that truly exist.

You can read PC World's article here or just grab the IBM report here.
