
Black Hat: new operating systems security metric

At the Black Hat Security Conference currently taking place in Amsterdam, researchers from the Zurich ETH (Swiss Federal Institute of Technology) have reported a new model for determining the security of operating systems. They don't just count the number of holes and how critical they are, but also determine what they call the zero-day patch rate. This indicates the ability of a vendor to make a patch available on the day a vulnerability becomes known. In order to stay independent of vendor information, they looked at many independent sources including Secunia, Milw0rm, The Open Source Vulnerability Database (OSVDB), National Vulnerability Database (NVD) and CVE.
The researchers come to the further conclusion that the number of Microsoft's open vulnerabilities has now stabilised, whereas the trend is the other way round with Apple. Apple has in fact already overtaken Microsoft, averaging a greater number of open vulnerabilities. The researchers say the results do not support the widespread assumption that Apple computers are naturally more secure. The latest Apple update for Mac OS X eliminated 46 vulnerabilities, 13 of them in the Safari browser alone.
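The two quantities the article mentions, the zero-day patch rate and the average number of open vulnerabilities, can be computed from disclosure and patch dates as in the following added example, which is not the researchers' code. It assumes one reading of the metrics (a vulnerability counts as zero-day patched when its patch date is on or before its disclosure date, and as open on every day from disclosure until a patch exists); the vendor names, dates and function names are constructed for illustration.

```python
from datetime import date, timedelta

# Constructed sample records: (vendor, disclosure date, patch date or None if unpatched).
# Vendor names and dates are invented for illustration only.
RECORDS = [
    ("VendorA", date(2008, 1, 2), date(2008, 1, 2)),
    ("VendorA", date(2008, 1, 5), date(2008, 1, 4)),   # patch shipped before public disclosure
    ("VendorA", date(2008, 1, 10), date(2008, 1, 20)),
    ("VendorA", date(2008, 1, 15), None),              # still unpatched
    ("VendorB", date(2008, 1, 3), date(2008, 1, 13)),
    ("VendorB", date(2008, 1, 8), date(2008, 1, 8)),
    ("VendorB", date(2008, 1, 12), None),
    ("VendorB", date(2008, 1, 12), None),
]


def zero_day_patch_rate(records, vendor):
    """Share of a vendor's disclosed vulnerabilities patched on or before disclosure day."""
    rows = [(d, p) for v, d, p in records if v == vendor]
    if not rows:
        return None  # no data: reporting 0.0 here would be misleading
    hits = sum(1 for d, p in rows if p is not None and p <= d)
    return hits / len(rows)


def open_on(records, vendor, day):
    """Number of vulnerabilities disclosed by `day` that have no patch available on `day`."""
    return sum(
        1 for v, d, p in records
        if v == vendor and d <= day and (p is None or p > day)
    )


def average_open(records, vendor, start, end):
    """Mean daily count of open vulnerabilities over the inclusive range [start, end]."""
    days = (end - start).days + 1
    if days <= 0:
        raise ValueError("end must not be earlier than start")
    total = sum(open_on(records, vendor, start + timedelta(days=n)) for n in range(days))
    return total / days


if __name__ == "__main__":
    for vendor in ("VendorA", "VendorB"):
        rate = zero_day_patch_rate(RECORDS, vendor)
        avg = average_open(RECORDS, vendor, date(2008, 1, 1), date(2008, 1, 31))
        print(f"{vendor}: zero-day patch rate {rate:.2f}, average open {avg:.2f}")
```

Because the dates come from independent sources rather than from the vendor, a vendor with a high zero-day patch rate can still show a high average of open vulnerabilities if the remaining ones stay unpatched for a long time, which is why the two figures are reported separately.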

