Found this really intriguing study on the CSO (The Resource for Security Executives) website. Basically, they took known public vulnerabilities of major operating systems and calculated the time to produce a patch. Here is a quote from the study that explains more:
The first comparison I wanted to look at was to see how the vendors did in general for security response across their Operating System (OS) products. Because many customers that have selected a vendor OS have deployments that may cross multiple versions, this view looks at the average security response time, in terms of DoR, across the supported product set. By vendor, here are the products included:
- Apple: Mac OS X, any version patched in 2006
- Microsoft: Windows 2000 (Professional and Server), Windows XP, and Windows Server 2003. Windows Vista is not included since it was only available for one month in 2006 and had no fixes.
- Red Hat: Red Hat Enterprise Linux 2.1, Red Hat Enterprise Linux 3, and Red Hat Enterprise Linux 4
- Novell: SUSE Linux Enterprise Server 8, SUSE Linux Enterprise Server 9, SUSE Linux Enterprise Server 10, Novell Linux Desktop 9, and SUSE Linux Enterprise Desktop 10
- Sun: Any Solaris version patched in 2006
Now here is the conclusion of the study. Note: I cannot speak to the validity of the data—just thought it was interesting…

Days-of-risk in 2006 : Linux, Mac OS X, Solaris and Windows | CSO Blogs.