Microsoft is protesting against last week's report from security experts mi2g Ltd claiming Apple's Mac OS X and certain brands of Unix are less vulnerable to attack than Windows.

The report attributed 44 per cent of software vulnerabilities announced in the first ten months of 2002 to Windows, 19 per cent to Linux and just 1.9 per cent to Mac.

Microsoft vice president of security Mike Nash dismissed the report as "misleading".

"Essentially what mi2g has done is look at a combination of vulnerabilities announced by vendors and new vulnerabilities reported by users," Nash said. "There's no way to determine if the same issue is counted multiple times, or if erroneous vulnerabilities are being reported."

Numbers game

Widespread products, such as Microsoft Windows, are bound to have more vulnerabilities reported under such a system regardless of whether those products are less or more secure than the competition, Nash claimed.

Jan Anderson, a member of mi2g's Intelligence Unit, responded: "Our main point is that although only 3 per cent of systems are running Mac OS, the proportion of attacks suffered by these is 60 times less – 0.05 per cent. There are relatively few known vulnerabilities to Mac OS."

mi2g and Microsoft are working together to address the issue of vulnerability counting.

Half

mi2g CEO D Matai said removing unconfirmed vulnerability reports from mi2g's numbers doesn't improve the picture for Microsoft.

"Even there, we note that Microsoft doesn't account for 44 per cent of vulnerabilities, it accounts for 54 per cent," Matai said.

Industry analysts are uncertain of the methodology employed by mi2g. "Comparing the number of vulnerabilities to shipments of the software is interesting, but not very useful," said Dan Kusnetzky, vice president of systems software research at IDC.

He added: "The thing to look at that's more important is when problems show up, of any kind, what is the response from the software vendor? How quick is the response? If the response comes six months after a problem was reported, that's not good.

"Breaking into Mac isn't something that gets a hacker kudos in his or her community. Breaking Microsoft gives that person the ego dollars that they depend upon."

Marc Maffre, chief hacking officer of eEye Digital Security, observed: "Microsoft needs to do a better job at being secure. There are too many trivial mistakes you'd think a billion dollar company wouldn't make."