F-Secure has a real knack for creative sarcasm on it's security weblog, and today is no exception in their headline linking to an interesting report. Apparently, a study has been published showing the relative number of vulnerabilities, comparing Windows 2003 Server to a Linux distribution in several configurations.

Update: In a won't-really-build-confidence-with-the-common-folk move, apparently the researchers did not reveal at the RSA conference that this study was funded (but according to the researchers, not influenced by) Microsoft. They reveal this fact in the published study itself, but did not tell the audience at the conference when they presented the results. Read more here.

Get the PDF file of the study here. For a document describing the methodology in detail and for more information (including an email address to provide comments), go here.

F-Secure used the headline, "It's Official - Linux Sucks?" No doubt others will comment that the reality of the situation is that Windows is better for stupid people (meaning people who don't harden their machines). Flames will go forth, but you can't deny the report.

The end result of the study is that Windows Server 2003 was more secure than the Linux distributions tested.

Uh, heh... That should make a few people stand up and scream.

Using out-of-the-box, standard/recommended OS installs, the researchers found that the Windows 2003 server was more secure, with less vulnerabilities counted and a lower average for days of risk, when compared to the Linux distributions tested (Red Hat Enterprise Linux in default and "minimal" recommended configurations):

"In this report, we have studied both quantitative and qualitative data that affects the vulnerability and thus operational security risk of different web server platforms. In order to produce a meaningful comparison of platforms, systems were tested in their default configurations and then looked at in minimal server role configurations. When the default configuration did not provide for a functional web server, systems were configured according to manufacturer’s directions."

For a quick Readers' Digest style overview of the result of the study, get the free PDF of the report and flip down to page 35 and look at the charts on that page. I won't post all the images and tables here, that's what the report is for.

In reality, this is a complex study that is worth reading. The methodologies applied appear to be good ones, and the results are pretty compelling. The real world is never as simple as s lab environment, but if nothing else, this certainly shows how far Windows Server has come over the years (or else it shows how poor Linux distributions have become, or maybe some of both).