Patch development time for operating systems in Symantec's visionWindows, Mac OS X and Linux have long disputed superior positions in comparison to one another, in what is essentially a race without a finishing line. Microsoft, Apple and members of the open source community involved in the development of Linux distributions have not been shy of performing countless operating systems measuring contests designed to judge everything from performance to security. One aspect of the security each platform delivers is the quantity and risk level of vulnerabilities, as well as the open window for attacks each vendor allows for its products. According to security company Symantec, Microsoft's Windows operating system is the least exposed to attacks targeting security vulnerabilities out of a number of products including Apple Mac OS X, Hewlett-Packard HP-UX, Red Hat Linux and Sun Microsystems Solaris.
"The time period between the disclosure date of a vulnerability and the release date of an associated patch is known as the patch development time. If exploit code is created and made available during this time, computers may be immediately vulnerable to widespread attack," Symantec revealed in the Internet Security Threat Report Volume XIII: April, 2008. The report is a complex perspective over the security trend between July and December of 2007.
"Of the five operating systems assessed in the last six months of 2007, Microsoft Windows had the shortest average patch development time of six days based on a sample set of 22 patched vulnerabilities. None of the vulnerabilities affected third-party applications. This is shorter than the average patch development time of 18 days in the first six months of 2007, based on a sample set of 38 vulnerabilities, including two vulnerabilities that affected third-party applications," Symantec revealed.
If Microsoft patched all the vulnerabilities in the Windows platform in just six days, Red Hat, the runner-up in terms of OS patch development time, would have an average of 32 days. The open source vendor had to deal with no less than 136 vulnerabilities, but with not a single one affecting its distribution of Linux, and only impacting third-party components.
Apple, the maker of Mac OS X, not only had to plug more vulnerabilities in its operating system compared to Windows, but also spent approximately 13 times as much as Microsoft doing it. "Apple had the fourth shortest average patch development time during this reporting period. Its average was 79 days for 86 vulnerabilities, including 47 third-party vulnerabilities. This period is longer than the 43-day average recorded in the first six months of 2007, during which the average was calculated from a sample set of 59 vulnerabilities, nine of which affected third-party applications," Symantec revealed.
The third shortest OS average patch development time for patching security holes belongs to HP that resolved 21 issues in 59 days. Sun was last allowing a window of attack of no less than 157 days for 27 vulnerabilities. "Microsoft fares well in this comparison because it does not generally maintain many third-party applications," Symantec added.