May 05, 2004

Comparing W2K and W2K3 vulnerabilities

During WinHEC today Bill Gates showed an interesting slide comparing the vulnerability count between Windows 2000 Server and Windows Server 2003 in the first 365 days. Verdict? 42 for W2K, 13 for WS2K3.
Michael also posted an update on the Windows Server 2003 vulnerability count. Michael says that in the days of Windows 2000 Microsoft only had three severity ratings: Critical, Moderate and Low. During the Windows XP and later timeframe they introduced a fourth level, Important, which sits between Critical and Moderate. When they calculated the Windows 2000 stats, they applied the same rules they would have applied if all four levels had been in place. In short, they re-evaluated the Windows 2000 bulletins from that time period and determined whether each issue was Critical, Important, Moderate or Low.

No trickery. No fun and games. Just an objective analysis using the same Windows Server 2003 rules. So there you have it. No conspiracy theory here. And from Bill Gates' slide you can see the difference since Microsoft introduced SD3+C into their operating systems.

Posted by SilverStr at May 5, 2004 12:39 AM

Comments
Well, IIRC you posted something a while ago which compared the MS count of security problems and the reality, and found a bit of a discrepancy between the two.... so I'm not going to be taking Bill Gates' word (or a PowerPoint slide) as truth just yet :)

Posted by: Arcterex at May 5, 2004 09:14 AM

Nor should you. However, hearing from Michael how they calculated it does give me more insight on how it was accomplished... and the numbers make more sense now.

Posted by: SilverStr at May 5, 2004 10:46 AM

I still have this feeling that they aren't telling us everything. It would be interesting to see a comparison of the number of server installations after 300 days between Windows 2000 and Windows 2003. If people have been holding back on migrating to 2003, then there could well be many more lurking bugs just because there's 1/10 of the install base. Although even pretty graphs don't always tell the whole truth, I do agree that 2003 is more secure, is more stable, and performs better on the servers I have access to.

Posted by: Wim at May 5, 2004 11:09 PM

There are 3 lines on that graph. If you look real carefully you can see the line for OpenBSD. It's the flat one right at the bottom. Cheers

IIRC, migration from NT4 to 2000 was pretty quick, since at the time NT4 was seen as pretty long in the tooth. 2K also introduced a number of features (notably Active Directory) that many CTOs saw a clear value in. There doesn't seem to have been the same rush at all from 2000 to 2003. I'd say that would be a large factor in the bug-finding department. Not the whole story of course, but I'd like to see the graph re-cast as "faults per install" rather than "faults over time."