April 02, 2004, 11:32 AM — A new study from Forrester Research Inc. has concluded that the Linux operating system is not necessarily more secure than Windows. The report finds that on average, Linux distributors took longer than Microsoft Corp. to patch security holes, although Microsoft flaws tended to be more severe.
But leading Linux vendor Red Hat Inc. said that while Forrester's underlying figures were sound, its conclusions didn't give an accurate idea of relative security, as they failed to distinguish between patch times for critical updates and routine, obscure problems.
The report arrives in the midst of a fierce debate around the relative merits of Linux and Windows, and follows a number of reports perceived to have been slanted in Microsoft's favor. Last October, Forrester forbade its customers to publicize studies they had commissioned; it made the move partly because of criticism of a report from Forrester subsidiary Giga Research that found some companies saved money by developing with Windows rather than Linux. Forrester said it stood by the integrity of the study, but had erred in allowing Microsoft to use it in anti-Linux advertising.
Forrester's report may lend credibility to Microsoft's ongoing efforts to play down security concerns about its software. A new tactic in that battle has been to compare how long it takes for various operating system vendors to patch flaws -- the "days of risk" for each operating system. Microsoft's argument is simple, said Bradley Tipp, Microsoft