<FONT face="Default Sans Serif,Verdana,Arial,Helvetica,sans-serif" size=2>One can ague the minutia about security in Linux and Windows. The hard facts are never going to properly correlate between OSes, never. It comes down to belief in the end. A quick fact can convert those who's belief is weak, but not those who know how useless some facts really are.<br><br>I have a life (however it belongs to my family and a long list of home improvements ;) so I can only provide rough, quickly researched "facts" from documents that were skimmed quickly.<br><br>if you search Kaspersky's virus list (http://www.viruslist.com) for "linux" (and no aliases) you'll see 1,085 matches. If you search for "win32" you'll find 260,295. Linux has 0.42% of the virii of Windows. A Linux enthusiast will spin that differently than a Windows bigot. What does it mean? The numbers are open to interpretation in so many ways.<br><br>The http://cve.mitre.org vulnerability database has Linux with 1382 *reported* vulnerabilities and windows with 1692. Again more interpretation. Should it be prorated by market share? Is that market share of Internet servers, PCs or data center? Are all Windows vulnerabilities reported?<br><br>Here's one for the MS junkies: http://news.softpedia.com/news/Windows-vs-Apple-Mac-OS-X-vs-Red-Hat-Linux-82966.shtml. It says that MS (6 days) is faster than all others (Red Hat: 32 days) in releasing security patches.<br><br>So let's interpret that::<br><br>- Not all MS security flaws are public, but all open source ones are.<br>- That's just for one short time period. How about a longer period? Will MS performance continue or will it wane when industry focus shifts?<br>- Is the delay due to project developers or due to Red Hat for packaging? How about Debian's performance, or Canonical's, or Novell's?<br>- Was this a survey promoted with some back door collusion with Microsoft? (apparently many, perhaps all, analysis reports are carefully selected and released or out-and-out paid for by vendors.)<br>- Should we take the importance of each vulnerability into account? Perhaps urgent ones are addressed more quickly than vulnerabilities that have only theoretical exploits.<br>- What does "released" mean. Released publicly or to a select few? Is it pushed out immediately or does it wait for a "patch day"?<br>- Shouldn't the end-to-end process be more important? Who has the best patch deployment? Which install base is better patched?<br><br>In other words do the "facts" matter? Are they relevant? Are they fair?<br></FONT>