Apologies in advance for this lengthy and geeky post, but I decided to take a look at Secunia's advisories for 2006.
Microsoft Windows Server 2003 Enterprise Edition:
36 Secunia Advisories in 2006; 9% unpatched (11 of 119); most critical unpatched is rated "Less critical"
Linux Kernel 2.6.x:
44 Secunia Advisories in 2006; 16% unpatched (18 of 113); most critical unpatched is rated "Moderately critical"
Windows 2003 certainly looks better than Linux Kernel 2.6, based on those statistics (probably best not to look at how critical the patched problems have been, as Linux problems tend to be DoS more than root privilege). Let's take a closer look at more of Microsoft's products.
Advisories for 2007:
Windows XP Pro: 9
Vista: 2
Office 2007: 0 (0 ever)
SQL 2005: 0 (0 ever)
Exchange 2003: 0
IIS6: 0
WMP10: 0
WMP11: 0 (0 ever)
AutoRoute 2006: 0 (0 ever)
AutoRoute 2005: 0 (0 ever)
BizTalk Server 2006: 0 (0 ever)
DirectX 9: 0
IE7: 4
ISA Server 2006: 0 (0 ever)
ISA Server 2004: 0 (0 ever)
MSN Messenger 7: 0 (0 ever)
MSN Messenger 6: 0
Outlook Express 6: 0
Virtual Server 2005: 0 (0 ever)
Visual Studio 2005 : 0
Visual Studio .NET 2003: 1
Windows Desktop Search 2: 0 (0 ever)
Windows Live Messenger 8: 0 (0 ever)
Notice how the only ones that have ever had errors are essentially Microsoft products that were designed before 2004 (SDL began in 2002). Practically all of the 2006/2007 versions of products are fine (the exceptions being Vista and IE7, which have had pretty much the entire world looking at the RTM code, as researchers look for fame... I mean vulnerabilities). Very few problems have been found in any of their products since 2005.
Looking at Apple, as there are too many Linux distros - often with third party packages installed by default - to compare in a meaningful way, we can see:
Apple Macintosh OS X:
24 Secunia Advisories in 2006; 17% unpatched (17 of 99); most critical unpatched is rated "Highly critical"
Windows 2003 only had 50% more advisories than OS X in 2006, which is still quite bad, but it probably shows that OS X isn't quite as secure as Apple likes to make out.
Let's take a look at Secunia's advisories for Apple in 2007:
OS X: 12
iCal: 0
iChat: 2 (Month of Apple Bugs - MoAB)
iLife iPhoto 6: 1
Quicktime 6: 0
QuickTime 7: 2
Remote Desktop 3: 0
Software Update 1: 1 (MoAB)
iTunes 6: 0
iTunes 7: 0 (0 ever)
Quicktime Streaming Server 5: 0 (0 ever)
Safari 2: 1
So in 2007 there have been more vulnerabilities found in OS X than XP Pro. To be fair, the MoAB didn't help as this raised a lot of issues, but this is partly why I also looked at the statistics for 2006 as it's before MoAB came along. But I think there's a reason why there isn't a MoWB (Month of Windows Bugs), as there aren't many to find. Even the MoKB (Month of Kernel Bugs) only picked up one Windows vulnerability, and that didn't apply to 2003 or Vista as it's already been fixed, the rest were mostly Apple and Linux (or third party drivers).
Apple's IM program has an error (WLM8 has none, nor did its predecessor MSN7). Their browser (Safari) only has 1 error, which is quite impressive, but IE7 is still fighting a legacy background where it interacted with pretty much everything, with many applications relying upon this interaction and the various quirks from over the years. ActiveX support is (AFAIK) also lacking from Safari, which is the main reason why IE7 has so many problems.
The funny thing is that IE7 is attempting to move away from native support for things like FTP, and this has actually annoyed many users (wasn't it the EC that said IE shoudn't be so tightly integrated with the OS?), leading to
KB article 928675, Separation of Internet Explorer 7 from the Windows shell:
In Windows XP, you can seamlessly browse Web pages and Windows folders in-place. This behavior occurs because Internet Explorer 6 and the Windows shell were basically the same program but used different user interface (UI) entry points. A key principle of Internet Explorer 7 is that the installation of a new version of Windows Internet Explorer does not update the Windows shell. Such behavior would have a large effect on the user experience, on functionality, and on stability. Therefore, the components that were previously shared with the Windows shell, such as the main window, the Address bar, and the toolbars, are not updated for Windows XP with SP2 and for Windows Server 2003 with SP1. Instead, Internet Explorer 7 installs newer components for its own use. This behavior significantly reduces compatibility risks and the need for corporate customers to test the Windows shell for Windows Internet Explorer updates.
...
Microsoft is aware that several customer scenarios have been adversely affected by the decision to force browsing into a separate process. In particular, FTP folders and Web folders frequently relied on in-place browsing to preserve context such as authentication state. FTP folders now interact with servers differently than the FTP folders did in classic FTP view. FTP folders and Web folders are arguably the features that best demonstrate the power and the versatility of a Web browser that is integrated with the Windows shell. We have received feedback that the separation has caused problems for customers who are heavily dependent on the integration of the Web browser and the Windows shell. We are continuing to gather feedback and will research workarounds for compatibility issues that result from these major architectural changes. When we have more information about customer scenarios, we can improve the behavior of features that overlap the boundary between Windows Internet Explorer and the Windows shell. However, we believe that the separation of these components will lead to a more innovative and flexible Web browser.
Of course, some people don't like statistics (and some drunk people will even call me a f**king idiot, but thankfully I didn't take it seriously, and I tend to enjoy our heated debates), and I must admit they don't always show the true picture. Especially when you have to consider the motives for discovering vulnerabilities. Microsoft tend to be more proactive at announcing patches. They communicate well with researchers, making them more likely to want to research and disclose vulnerabilities. They get a lot of attention (both from researches and malware writers) because they are responsible for the most popular OS and office software. It's hard to compare security between an operating system that makes up the overwhelming majority of desktop installations and a manufacturer that made up 3% of computer sales last time I looked (and probably less than 1% of daily computer users?). When Apple doesn't have any office software, how do you compare vulnerabilities in Word? You could compare MS Office to applications like Open Office, but the latter is fairly well written open source software from a third party. If it's well written (and Open Office is pretty good) Apple and the Linux community can push how good it is, if it's badly written they can simply blame the developers. Microsoft do have separate OS and application developers, partly because of the many anti-trust cases over the years, but the public lump the two together. Can you really blame Windows for all the vulnerabilities found in Office? If the user installs Open Office on Vista, can Apple really claim it's that much safer to use OS X? Surely it's vulnerable to the same third party issues? Do you blame PHP for all the vulnerabilities found in PHP based web aplications? Okay, so some people do, because some of the default security settings are still a bit lax.
Viruses are now attacking third party software, such as Symantec's AV, to get access to modern systems. AV software tends to have the holes nowadays. In many cases the AV products are more harm than they're worth, creating insecure directory permissions on both *nix and Windows, suffering from buffer overflows, and allowing privilege escalation. You can almost guarantee they'll scan a program/malicious traffic as it enters the computer, and they typically run in the kernel. This applies to both *nix and Windows.
The recent petrol scandal has led Morrisons to run adverts about their nice reliable petrol - even though silicon isn't something that is routinely checked for by any of the supermarket petrol stations - and it could have just as easily happened to them (people using Symantec AV vs people using McAfee). Diesel users (e.g. OS X) could also have a bad batch delivered to a petrol station. Silicon doesn't affect older cars that don't have the sensors, just like modern exploits don't affect 9x users, but who wants to drive an old car/run 9x? I'd rather have ABS, power steering, air conditioning, electric windows, and run the tiny risk of a sensor going wrong.
Most new viruses (such as the incorrectly named Storm Worm) still rely on old unpatched systems being on the web: Storm Worm sets up a server FTP thread and starts to scan 10,000,000 IP addresses in an attempt to find a vulnerable system at one of the targeted addresses (you're more likely to find a Windows box with IIS than an Apple box, so the worm theoretically spreads quicker). The vulnerable systems that it targets are Microsoft IIS installations (versions 4 and 5) that do not have the security patches installed to cover the "Web Server Folder Traversal" security vulnerability as described in MS00-078 (yes, a patch that came out back in 2000, and well before Microsoft's Secure Development Lifecycle began in 2002). No wonder Apple like to quote how many viruses there are for Windows, when most of the new ones won't cause any problems for users that have applied a patch from
seven years ago, assuming they even enabled IIS (off by default). And it doesn't apply to XP or Vista, which is what most home users have. To be fair, if they hadn't applied any patches since 2000, it's probably easier to attack the servers using LSASS or PnP. Perhaps they're hoping administrators will have missed an old patch?