I can't easily count the number of times I've been told that Linux is more secure than Windows. It happens so often that it has almost become "true" because so many people believe it. It's basically common knowledge at this point.

But what is this assertion based on? I suspect a lot of it is based on a combination of two things.

First is that Microsoft security gaffs get a lot of attention and rightfully so. Windows is used by 90%+ of all desktop users. Windows Servers run the majority of the Fortune 100. If there is a security problem with these products, people should know about it. Not to mention the fact that if there is a bug in software that 90% of people run, it has a very good chance of hurting a very large number of people.

Combine this with the widespread ABM (Anything But Microsoft) attitudes and you have a recipe for a seemingly endless stream of media stories about security holes in Microsoft products.

Second is that, on the flip side, you hear almost nothing about Linux vulnerabilities. Linux advocates constantly crow about how secure their OS is, and how you would have to be a fool to run the Swiss cheese that is Windows. Even when there is a security hole reported by the media, the stories almost always end with "but the hole was fixed in a patch released this morning".

But what's the real deal here? How do you quantify how secure a piece of software is? I would say that the only even remotely valid way of quantifying security is by counting the number of known vulnerabilities while taking into account how long users were exposed before patches were available.

As it turns out, at least when you're comparing Windows XP SP2 with Redhat Desktop Linux, Linux has quite a few more vulnerabilities than Windows, and, in general, users are actually exposed for a longer amount of time than for their Windows counterparts.

I know what many of those Linux advocates out there are saying right now. "But wait! Linux is open source! That means anybody can look at the code, and that means that more bugs will be discovered. Windows is closed source, so vulnerabilities hide out in that code until bad guys find them."

That may be true. Windows may have more vulnerabilities in the code, but there are several problems with concluding that Linux (and open source software in general) is therefore more secure.

• Just because something might be true, doesn't mean it is. Yes, it might be true that Windows has more buggy code. But there is no way to prove this other than by looking at the numbers. The only numbers we have are the ones regarding known vulnerabilities. Making conclusions based off a completely unproven (and probably improvable) assumption is foolish.
  
  
• Unknown vulnerabilities don't hurt anybody. If nobody ever finds that vulnerability, it's just as good as if it never existed in the first place. I know some coding purists out there are getting all mad right now, but it's a simple fact and you have to accept it. Security through obscurity does work if it stays obscure. Since fewer vulnerabilities are known for Windows, this likely means that Windows is more secure.
  
  
• Vulnerabilities can hide out in open source code as well. When there are hundreds of thousands or millions of lines of code, bugs don't exactly jump out at you. While there have been some iffy studies done on the quality of open source vs closed source code and how open source tends to have fewer bugs per line of code, the "Many Eyes" theory of open source security has never had any real numbers to back it up.
  
  
• It's an assumption that more people actually look at the source code when it's open. It's also an assumption that more eyes will result in more discovered vulnerabilities. In fact, many types of security issues require highly trained eyes to be detected. The kinds of eyes that companies like Microsoft employee many of and that are paid to look at the code day after day.
  

Now, again, I know what many Linux advocates are saying to this argument. They're saying something like "But you have no idea who knows about all those publicly unknown vulnerabilities. There could be bad guys using undisclosed exploits against Windows machines all over the planet right now!"

Again, that's true. But, again, there is basically no data to support that assertion. If you can find some data that suggests that Windows falls victim to a greater number of exploits that were previously unknown to the public than Linux (and you adjust for the far greater usage of Windows over Linux when considering those numbers), then you'll have a point. But until then, you got nothing.

One last point I'd like to make is that there is a difference between how dangerous a piece of software is, and how insecure a piece of software is.

If I'm using "Bob's Awesome Web Server" (BAWS), and BAWS has 300 vulnerabilities it might still be less dangerous to use than Apache or IIS. Why? Because I'm the only one using BAWS. Very few bad guys are going to take the time to write exploits for BAWS if basically nobody uses it.

This is one reason why I currently use Firefox. I don't really think that Firefox is more secure than IE. In fact, I'll take an educated guess and say there are likely more holes (many of which are yet to be discovered) in Firefox than there are in IE. (That's a guess, not an assertion. I can't prove it's true, and it really doesn't matter in the context of the point I'm making.) But Firefox is a lot less dangerous to use at this point. Why? Because IE has 90%+ market share, and Firefox has less than 7%. The bad guys are still spending most of their time hacking IE.