
Aberdeen Report Points Out Open Source Vulnerabilities

Analysts at Aberdeen Group say the evidence of the last 10 months shows that the popular wisdom about Microsoft security -- that it's the worst -- may be outdated.

"Obviously, the label of poster child for security glitches moved from Microsoft to the shoulders of open source and Linux product suppliers during 2002," analysts Jim Hurley and Eric Hemmendinger wrote in an Aberdeen Group "Perspective" piece published earlier this month. "Open source software, commonly used in many versions of Linux, Unix, and network routing equipment, is now the major source of elevated security vulnerabilities for IT buyers."

The evidence for Aberdeen's unorthodox position? The security advisories put out during the first 10 months of 2002 by CERT, the Computer Emergency Response Team. Analyzing the small sample of advisories issued by CERT (www.cert.org), Aberdeen gleaned several interesting trends.

  • Out of 29 total CERT advisories in 2002, 16 affected Linux. Similarly, 16 affected Unix, Aberdeen noted. Only seven affected Microsoft products.
  • Virus and trojan horse advisories affecting Microsoft products plummeted from six last year to zero in the first 10 months of this year.
  • Advisories affecting network equipment went from two in 2001 to six in the first 10 months of 2002.

Aberdeen concludes that "Microsoft overhauled its entire software development process to fix its security problems, and its effort appears to be working. Perhaps it is time for some of the suppliers of open source and Linux software to take similar measures. But the entire IT industry must come to terms with the new reality of Internet computing as the first step in making forward progress. One of these realities is that no one vendor or supplier is more at fault than any other."

Microsoft officials spread the word about the Aberdeen report, but they say Microsoft did not fund or sponsor the Aberdeen research.

Mike Nash, vice president of the security business unit at Microsoft, says the Aberdeen report shows that security is an issue that affects the entire industry, not just Microsoft.

"The key thing here is just the observation that security very clearly is an industry issue. It does really clarify sort of where we are as an industry and what needs to get done and where Microsoft needs to be focused. There is a bit of a gap between perception and reality of where Microsoft needs to be," Nash said.

About the Author

Scott Bekker is editor in chief of Redmond Channel Partner magazine.
