woo old thread back to life scary... like frankenstein!!!
a lot of those security alerts are "possible exploits." Take these Debian bugs for example:
[21 Sep 2003] DSA-382 ssh - possible remote vulnerability (new revision)
[18 Sep 2003] DSA-386 libmailtools-perl - input validation bug
[17 Sep 2003] DSA-383 ssh-krb5 - possible remote vulnerability
[16 Sep 2003] DSA-382 ssh - possible remote vulnerability
Note the "possibles." With open source or better, possibles can be fixed *BEFORE* they are exploited. With non-free programs you don't know there's an exploit until some fucking bastard in a tiny country you've never heard of is using it to buy kiddy porn with your credit card, and that bug won't be fixed until the vendor sees a commercial benefit to doing so - think about it, Microsoft is a company, they are interested in money not software. Software is only of use if it gets them money, which is nice to most people but not the be all and end all to those of us with ethics. If an exploit is not popular enough to piss off enough customers, why spend money on fixing it? In fact, why not just spend that money on a newer Office suite to make *MORE* money, because Windows users will not spend $$$ on a new upgrade cycle for "bug fixes." (Well, not all of them are that stupid I guess... although I guess Windows 98 etc. is a point.) In fact, why not just ban users from even publishing those bugs (which the new EULAs are covering... you cannot publish benchmarks of .NET code without MS approval) and have a nice empty exploit report list to give consumers the opinion that you have none?
Also look at the "perl" exploit... ah, perl? Unless you're running CGIs with it, that bug is only exploitable by local users - not remotely. With the massive amount of software in, say, Debian, also note that those exploits aren't just "linux" exploits. They also cover MySQL, Apache, sendmail, wu-ftpd etc. How much bigger do you think the MS bug report database would be if they, like GNU/Linux vendors, covered all the bugs in all the software that most commonly runs on their platform? If Windows, like Debian, was distributed with 9000+ separate software packages all "made to work with Windows" by Microsoft, how much longer would those MS bug reports be?