Linux – Get the Facts

Steve Ballmer sent out an executive e-mail today that discusses a number of independent analyst reports and customer case studies that compare the cost of deployment and maintenance of Windows vs. Linux and UNIX.

Some of the studies were commissioned by Microsoft, while others were initiated and funded by the analysts. In each case, the research methodology, findings and conclusions were the sole domain of the analyst firms.

One of the interesting facts from the Microsoft get the facts web site (a non sponsored report by Forrester) is the number of security vulnerabilities found on Windows vs Linux, not only did Linux have more security vulnerabilities than Windows, but Microsoft produced patches or updates quicker than the Linux community – so what does this mean? – There’s a common perception that Linux is a reliable/secure operating system, if there are more security vulnerabilities in Linux then how can that be the case ?

Related to this is the myth surrounding Linux and real-time support – it’s interesting to note that Linux is not a real-time operating system – this from the guy that wrote the book on Building Embedded Linux Systems.

Interesting, eh?

– Mike

Comments (21)

  1. Jerry Pisk says:

    Microsoft does not get the patches out faster. If you actually took the time and read the story it clearly states that it’s time from disclosure to fix. For example, the GDI+ vulnerability was disclosed by Microsoft on September 14, 2004, with the fix released the same day (even though it had to be re-released later). However, the vulnerability itself is known since March 11, 2004 (, which means Microsoft took over 6 months to release the fix. There’s your facts.

  2. Martin Alderson says:

    Or you could stop trying to pull down a great achievement of a (mainly) volunteer project.

    Why don’t you focus on actually _competing_ with Linux, making your own products better, instead of publishing dodgy stats that are fundamentally flawed and make very little difference in peoples thoughts on Linux.

    This is the sort of crap that makes people hate Microsoft. With the millions of dollars spent arranging the roadshows and publishing this crap, you could of hired some developers to finally fix the IE PNG problem, b0rked box model among others. Maybe you could also implement some CSS3, but that’s too much to ask for the mighty Microsoft which is above fixing products and saving hours upon hours of developers time and would rather spend money on efforts like this.

    Oh also, I do actually really like Windows XP. I think it’s Microsoft’s best product, but this sort of stuff makes me crazy. Why do you need to do this all the time? Why can’t you just fix the problems and maybe improve them a bit.

  3. sickofmicrosoft-drivel says:

    When are you idiots at Microsoft going to pull your heads out of your asses. Make your damn crap compatible with the rest of the world or just shut the f*ck up!

  4. Stu Fox says:

    What’s interesting is that regardless of perceived severity of bugs and patch turnaround, the Windows operating system has been the target of far more devastating attacks with far greater effects than any Linux box. Now I realise that there are other factors at work (like the fact that there are hundreds of millions(?) of Windows clients machines out there, and relatively few Linux machines, but the fact remains, Linux has not been subject (or even vulnerable) to the same sort of remote attacks.

    The sooner people like Steve Ballmer stop peddling obvious bullshit like this, the better. Then we can take the Microsoft security story seriously. As it is, it’s laughable listening to him.

    My background: 9 years almost solely focussed on the Windows platform. I think Microsoft do great products, but I think people like Steve Ballmer need to shut up and start driving code quality.

  5. just ask stevie says:

    Ballmer once said that Linux doesn’t scale.

    Linux is now "the" fastest computer on the planet

    with NASA’s 10,000 way.

    Ballmer has no credibility.

  6. Get this fact says:

    SuSE is beating the pants off of Windows Server 2003

    Ballmer is an idiot,

  7. Jerry Pisk says:

    Stu – there are basically two things that make Linux more secure these days. First one is the installed base. If you’re trying to hack a system most people go for the one where they can cause the most damage, the one that’s most used. But the second issue comes to play – Linux is, at least for now, the domain of people who understand it, who make the choice to use it. As such, they’re lot more likely to use it in a secure way than users who have no clue about computers or security. If Linux was used by BFUs then it would be as unsecure as Windows is, they would sudo few times and then just run as root all the time, because it will make their lives a lot more convenient (and please, don’t argue with your relatives that have you to solve any issues).

    But I really wanted to point out the main issue – whatever Microsoft posts on their site is simply not independent. At the same time, neither is stuff posted on *nix advocacy sites. If you want the truth you just have to learn to read the marketing-speak.

  8. Stu Fox says:


    I don’t buy that first argument for a second. If the most used argument came into play, then Apache would have been responsible for something like Code Red by now. It hasn’t, and isn’t likely to be in the future either. What worm writers have gone for are easy vulnerabilities to exploit – the fact that Windows has a large install base just makes the damage worse. Microsoft have tried to use this argument before, and it’s bogus.

    The second argument I have sympathy for – the technical skill of the large majority of Linux users is higher, and the base level install is (was) generally more secure than a base install of Windows. That’s changing, and that’s a good thing.

    As for users running as root, that’s actually not an issue in a lot of cases. Remember Blaster? Didn’t matter what you were logged in as, it was a system level compromise requiring no user input to exploit. That’s the area where Linux hasn’t been anywhere near as vulnerable – remote exploits are relatively rare.

    Also, just because something is true on Windows, doesn’t mean it will follow on Linux. The fact that so many users run as Administrator is because for many years, that was the only option you had as Microsoft didn’t have their act together – this too is improving, although anyone running JDE will agree that there are some vendors who need a kick in the head. In general, Linux provides a better user/administrator separation.

    My main beef wasn’t that one operating system is more secure than another, just that Ballmers statements are getting more and more laughable.

    Again, let me point out my background – almost exclusively Window for nine years. I don’t buy into the OSS as religon thing, it’s an interesting development methodology, but taken to it’s logical conclusion it’s harder for developers to eat…As I’m not a developer, I don’t care either way, but it doesn’t add up. I view Linux as cool technology that will definitely be making bigger inroads in the next few years, and well worth learning about.

  9. Mike says:

    One thing to bear in mind here even if you totally ignore the Windows/Linux discussion is that the analysts published *their* findings – how do you dispute the analyst findings ?

    – Mike

  10. Stu Fox says:

    The analyst findings are quite easy to dispute – they use the wrong measure – and they’re plaing wrong in some places.

    The first issue isn’t time between public disclosure and fix, it’s between vendor disclosure and fix – the recent ASN.1 vulnerabilty was known about by MS for over 200 days before we saw a fix – bad. There were IE vulnerabilities that were public (used to be available on the PivX website) that Microsoft hadn’t fixed – who knows how many of them remain?

    Then you get statements like this from the MS summary: "Windows has the fewest vulnerabilities and the fewest "high severity" vulnerabilities of any platform measured." whereas the document actually says: "However,

    Microsoft needs to work on its percentage of high-severity vulnerabilities: ICAT

    classified 67% of Microsoft’s vulnerabilities as high severity, placing Microsoft dead last

    among the platform maintainers by this metric."

    And after all that positive talk about how great Microsoft is, we still haven’t seen an issue anywhere near the severity of Blaster in a Linux environment.

    I realise I’m sounding negative here, but to gloss over the facts without accepting some of the realities is naive. If you want to contact me off list to discuss this, drop a message back.

  11. MCSE says:

    I’m an MCSE, but have become sick and tired of having to support "McSoftware". Give me Linux anyday – at least the Liunx community is free of gobshites like Ballmer

  12. Mike says:

    again, let’s step away from the slanging match and look objectively at the analyst data – Stu has mentioned that the analysts are looking at the wrong data, since the analysts looked at this issue and derived their own conclusions it does make me wonder why every analyst would look at the wrong data or come to a conclusion that doesn’t stand up to public examination – that just doesn’t make any sense to me.

    – Mike

  13. domovoi says:

    Stu Fox:

    Generally when Linux vulnerabilities are uncovered, there isn’t as much press written about it (no implications of conspiracy theory, it just makes sense for more mainstream publications to write about the mainstream OS). Look at all the press for the recent JPG vulnerability, and compare that to the amount of press generated for a similar vulnerability with BMPs in one of the libraries for Linux.

    Also, there are a number of issues with comparing Web Servers to Operating Systems, such as the amount of bandwidth available for a Web Server and the size of the target (you’ll note that most of the Fortune 1000 runs IIS). Finally, there is the fact that IIS5 was garbage security-wise compared to Apache. However, such a thing can’t be said when looking at the patched vulnerabilities between Windows and Linux + modules.

  14. Stu Fox says:


    Can you dispute the fact that there is a difference in the time that the public knows of a vulnerability and the time that Microsoft knows about it? Because in the case of the ASN.1 vulnerability, we didn’t know about it until the security bulletin came out, yet Microsoft knew about it for over 200 days. There was another one recently – also notified by EEye – that was in that area of days.

    Can you dispute the fact that until recently PivX ran a site listing all the unpatched vulnerabilities in IE?

    The analysts conclusions might be correct if you take a narrow view of the data, but if you look at the bigger picture, it doesn’t look so good.

  15. Stu Fox says:


    You said: "However, such a thing can’t be said when looking at the patched vulnerabilities between Windows and Linux + modules."

    This is an interesting argument, and again is commonly used to misrepresent statistics. A base Linux distribution ships with hundreds and hundreds of different modules, of which only a certain number are actually installed. It’s all about interpretation – a serious vulnerability in a component which is not installed by default and only used by a small subset of users is not anywhere near equivalent to a major flaw in (for example) ASN.1 in Windows. Raw count is not a good metric.

    Let’s face it – Microsoft’s security record is lousy and is slowly but surely improving. However, rhetoric like Ballmer’s is totally unhelpful and just serves to make it seem that Microsoft execs don’t actually understand the problem is with their operating system, and not with their competition.

  16. Steve Ballmer says:

    Hey Everyone,

    Great thread! I just wanted to remind you all that what we need to combat software piracy is cheaper hardware!

    Keep up the good work,


  17. Mike says:

    Compatibility ?

    One of the posters above suggested that MSFT makes it’s operating systems compatible with other operating systems, what’s missing from Windows CE or Windows XP/Embedded to make these operating systems "play nicely" with other vendors operating systems ?

    – Mike

  18. I know stuff you don't... yet. says:

    You need to know a few things…

    No matter what Microsoft does, it tries to look for monetary gain before it does it. That is the reason so many of the great companies in the 90s were bought, integrated, and annihilated by Microsoft. Microsoft wants to make sure there is no competition… there was no question of improving their own products… it was all about making most end profit in the least time. Microsoft now is trying to degrade Linux because Microsoft’s "charm" and strength had no influence with GNU and its famous GPL. Besides… Linux is free… I run my own server… I don’t use Suse, Mandy, or Red Hat… I use Slackware and BSD… they are superior in all regards to Microsoft’s products. And Microsoft can’t say anything bad about them because it can’t FIND anything bad… it just isn’t possible unless Microsoft invents the stuff as it had done with the commercial Linux distros.

  19. lol! says:

    There is absolutely no credibility with old Microsoft… I have respect for Bill Gates, but not for Ballmer…. Microsoft lost already… the second they reacted to Linux, they lost everything… Good Game…

  20. Mike says:

    I’m still interested to know what Windows/Embedded operating systems are missing – one of the comments mentioned that Windows isn’t compatible with other operating systems – so what’s missing ?

    – Mike

  21. Geoff says:

    Novell (current owners of SUSE Linux distro) have a page where they convincingly refute Get the Facts.

    Obviously, they’re not an impartial party but it doesn’t make Microsoft look good, at all. Also, particularly earlier in the campaign, a heck of a lot of it was Microsoft commissioned. Which doesn’t inspire confidence – though they backed off from that after it went down badly.

    It’s always hard to tease out what is solid evidence of general and objective superiority, and what is hand-picked data or measured by a flawed metric.

    However, the impression I have is that Microsoft is far bigger than the established Linux companies in the dirty tricks department. There are some counterexamples, of course, like the JBoss stuff (employees of an open-source Java enterprise platform being caught repeatedly and obnoxiously taking astroturfing to new heights) but they seem isolated and unrelated to the actions of established players like the major distros. And, of course, Microsoft marketing is also known for a tendency to astroturf.

    According to

    nearly 70% of webservers are running apache. Versus a little over 20% for IIS. Given that Microsoft has implied open source is inherently less secure due to public visibility of source and that it is inferior to its own products, you would expect the media frenzy of stories of security flaws, the big worm disaster episodes to be substantially about apache (even if IIS had triple the market share), because it’s not only open source, it’s a more lucrative target. They aren’t. The whole ‘Oh but there are 10x the number of people on closed source system whatever, if the numbers were reversed, you would see the opposite’ ain’t necessarily so at all – though I’d agree installed base has some effect.

    I’ve had a love-hate relationship with Microsoft products, and it was tending towards amiability tinged with mild distaste. Get the Facts came across to me as a sleazy smear campaign, a corporate bluster-fest that doesn’t seem to involve any integrity or fair inquiry at all – it has damaged Microsoft in my eyes.

    Of course, if they have a convincing and factual response to their detractors, I’d be happy to listen, but I don’t expect one. And I haven’t seen one.

    On an orthogonal note, I’m on a linux machine now, in a heterogenous environment – and it boots up about 35% faster than an XP machine on slightly better hardware, and shuts down in less than half the time (boot and shutdown are to GUI desktop loaded) not to mention being very stable, fast and satisfying to use. It doesn’t get viruses or adware. I like it. It works good. I don’t think it’s for everybody, yet, and some Linux distros are bloatware-gone-critical that makes XP look svelte, but the Linux destop really does just keep getting better.

    By the way Mike, I think the poster swearing about compatibility was on a random "Microsoft is the evil violater of all standards and interoperability" trip. I don’t think they have a specific example, and I don’t think it relates at all to the embedded. I’m not involved in embedded stuff at all myself.

    I must say though, in other sectors, Microsoft has a long record of breaking web standards in IE and doing funny things like acting like they’ll patent/license/restrict their XML office formats/dtds strangely and maintain them as inferior to the standard binary formats, which rather does miss the point. I don’t know where this is at now, that’s probably not current status of it. And apparently the Kerberos and IPSEC standards both got rather fucked around by Microsoft – though that’s not something I’ve dealt with, just heard second-hand. The ‘Halloween memos’ specifically mentioned trying to remove customer choice, co-opt open standards into similar, incompatible closed ones, and pursue rigid lock-in.

    There are other things, like .net, that seem to point to better openness – there’s a Linux implementation, with people starting to write Linux software in C#! When you get that kind of adoption and when people a) can, and b) see value to, implement the platform and build code within it, as an independent project, that’s a strong vote of confidence. Even if it is sort of like Java.

    Anyway, this comment isn’t meant in a bashing sense – I’m pretty conflicted about Microsoft, but I do appreciate there are a lot of talented people there that try hard to do good things that help people. But there is far too much posturing, manipulation, arrogance, and bullying/coercive tactics that are at the expense (not particularly in a financial sense) of their customers in the side of Microsoft I’ve been seeing.

    Of course, Linux is hardly a panacea. The number of sychophantic twerps that view as a kind of digital faith healing religion that should be worshipped and waved in people’s faces regardless of reason or suitability for a purpose is astronomical – though they don’t actually do much except hang out around slashdot.

    Ultimately, I’d like to see Microsoft lose their control freak thing. I’d like to see everything on truly open platforms and standards, clean interoperability, fluid interaction between different software products by different developers (in general, not just Microsoft). So there are no barriers between different platforms. Make shifts between different providers of a system frictionless. (The web is like this in that you can use whatever server, browser or email client, and are generally free to choose one that well suits your situation without compatibility issues. But not always, of course.). And see people competing on merit rather than marketing.

    This way, if Microsoft really does the best software for a particular purpose, people will use it. And that would be great, I’d be really happy. I’d use it. But if they don’t do the best software, they wouldn’t have any lock-in barriers to mass migrations. That’s not a problem if you have the best software and the playing field is level. But in its full form it requires a relenquishing of control and embracing of risk that I don’t expect to see from Microsoft any time soon, at least in its full form, anyway.

    This sort of fluidity is developing already with emulation of Microsoft protocols (samba etc) and APIs/platforms (wine, mono). But some of that involves masses of reverse engineering and chasing after Microsoft’s home-brew protocols, and is generally against its will rather than with its support. There are other things like the OASIS xml office formats that are in development and have to support of several open source projects – it remains to be seen, but they promise complete fluidity and consistency between implementors of them. I really think that this sort of thing is the right direction for the users and the right direction for companies that truly are committed to high quality software above all else.

    Who knows where everything will go? It’s going to fascinating to see where all the players end up and what using a computer is like in 20 years.

    Sorry, this is a little incoherent. I’d be very interested in your response.