Red Hat Enterprise Linux ES 3 has more high-severity risks than Windows Server 2003, and users are exposed to them for a longer period, according to a report released Tuesday.
A draft of the report was released last month and quickly attracted controversy for its methodology as well as allegations of ties between Microsoft and its researchers.
The full report confirms that Microsoft funded the study, and is sure to prompt further accusations of bias. But the researchers are providing the full methodology and challenging other security experts to test the legitimacy of their results.
Richard Ford, a research professor in the computer sciences department at the Florida Institute of Technology's College of Engineering, and Herbert Thompson, director of research and training at Security Innovation, a security technology provider, conducted the study. They used the ICAT Metabase, a database of vulnerabilities from the National Institute of Standards and Technology, to measure the severity of the various vulnerabilities identified over the course of 2004. The report also tabulated the "days of risk" from the time vulnerabilities were publicly identified to the time they were fixed.
The report drew criticism from Red Hat. The head of the company's Security Response Team, Mark Cox, said on his blog, "Red Hat was not given an opportunity to examine the 'Role Comparison Report' or its data in advance of publication and we believe there to be inaccuracies in the published 'days of risk' metrics. These metrics are significantly different from our own findings based on data sets made publicly available by our Security Response Team."