RSA: Security Experts Debate Linux Vs. Microsoft (ChannelWeb)

Posted Apr 10, 2008 22:49 UTC (Thu) by drag (subscriber, #31333)
In reply to: RSA: Security Experts Debate Linux Vs. Microsoft (ChannelWeb) by Requiem
Parent article: RSA: Security Experts Debate Linux Vs. Microsoft (ChannelWeb)

Also, Microsoft will silently fix potential exploits without disclosing them.

A few times they disavowed it, then later on they would admit to it. More than one.

The theory is that the first thing that happens when Microsoft publishes a patch or
information is that people take that and write an exploit to attack unpatched systems. So by
being secretive about fixes they are actually doing people a favor.

Also, open source projects will often release patches for problems that are not exploitable,
but they _could_ be exploitable if a bunch of other bad things happen. That is, most problems
that open source projects release as problems are not exploitable. Microsoft will not admit to
those or to fixing those.

And people have proof of this sort of behavior. People have examined patches to Microsoft OSes
and have reverse engineered them to find out what exactly they are doing and what systems they
are patching. One black hat found at least 7 different fixes in a patch that only had one
publicly announced fix.

Also not all of Microsoft's software gets the same amount of treatment. There are many bug
fixes in Windows XP and such that don't make their way into Windows XP POS (point of sale). 

AND on top of this, distributions ship with much, much, much more software than what is
provided by Microsoft.


If you want to have a vulnerability vs vulnerability comparison you will have to sit down and
go through them one by one and examine things carefully. 




Copyright © 2008, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds