FUD: Windows is "most secure OS"

Andy Patrizio has an incredibly sloppy story entitled "Surprise, Microsoft Listed as Most Secure OS" at internetnews.com, which purports to summarize the recently released Symantec Internet Security Thread Report Volume XI. But if you look closely at the actual report (PDF), you'll see that this claim that Windows is "Most Secure" is based merely on Microsoft's relative speediness in patching security holes. That is, what apparently makes Windows "most secure" is that in the Jul-Dec 2006 timeframe Microsoft took an average of only 21 days to patch holes, while Red Hat (linux) took took 58 and Apple took 66. Okay, so Microsoft is best right? But that's silly, why would the speed of responding to holes by itself determine which OS is most secure? It should clearly matter how serious the holes were in the first place! If you're slow to patch relatively innocuous holes, is that not better than quickly patching a larger number of more serious holes? And when we look at the breakdown we see that in this period Microsoft had 39 disclosed vulnerabilities, and "12 were considered high severity, 20 were medium." Apple, on the other hand, issued 43 patches, and only "one was considered high severity, 31 were medium." So basically, Microsoft is quicker at patching 12 times as many high severity vulnerabilities, and that apparently makes Windows "more secure."

Now it's worth noting that none of this settles the question of which OS is more secure, but it does show the completely specious reasoning behind that headline claiming Windows is the "Most Secure OS." And of course it's this sort of lazy reporting (compounded by Patrizio's sniffing at Apple's advertising of better security) that creates a meme that others may pick up and pass on without quite realizing that it based on a straightforward misreading. In other words, it's pure FUD.