A new study funded by Microsoft Corp. suggests some web servers running on Windows are more secure than those employing the leading Linux-based solution. Microsoft says the results refute the commonly held belief that Linux offers a more secure environment for web servers.

But Linux supporters argue the study is limited in scope and does not accurately distinguish between "critical" security threats and less serious ones. They also note that Microsoft has a financial stake in curtailing the open-source Linux movement.

Conducted by Security Innovation Inc., the study compares the most recent version of Windows Server 2003 to Red Hat Enterprise Linux 3. Researchers conducting this study reported that in a default security setting as well as in a minimal Linux configuration Microsoft provides a more secure web-server platform than Red Hat Linux.

Security Innovation says the results are scientifically repeatable, and the paper issues an open invitation challenging information technology (IT) professionals to try it for themselves.

By all accounts, Microsoft rules the desktop computer world. Approximately 96 percent of all desktops worldwide run on a Windows operating system (OS). Not so when it comes to web servers.

A web server is a computer that delivers web pages to internet users. Every web server has an internet protocol (IP) address and perhaps a domain name. When you enter an internet address, or Uniform Resource Locator (URL), into your web browser, a request is sent to the web server with that domain name, which in turn delivers the corresponding web page.

Apache--the free, open source, platform-independent web-server software distributed by the Apache Software Foundation--controls upwards of 75 percent of web-server market share throughout the world, according to industry estimates. Many IT professionals claim that open-source software running on a Linux platform with open-source database servers and scripting engines is more flexible, more reliable, and--perhaps most importantly in today's internet environment--more secure.

In the Security Innovation study, researchers ran a number of applications on top of the operating systems to check their ability to secure a web server operation. The team then compared the number of known vulnerabilities for the two, finding 52 for Windows, 174 for a default Red Hat Linux server installation, and 132 for a minimal installation of Red Hat Linux (which uses Apache as its web-server software).

The team also found that Windows outperformed the Linux server software when measuring "days of risk." The days of risk measurement looks at how long it takes a vendor to issue a repair for a vulnerability after its presence has been made public. The report said it took an average of 31.3 days for Microsoft to issue a repair, compared with the default Linux setup at 71.4 days, and 69.6 days for the minimal installation.