March 1, 2005


Windows XP SP2: Is It Safe?

According to a Denver Post story today, network security developer StillSecure recently conducted a "honeypot" test, in which it put out-of-the-box computers running Linux, Mac OS X, and Windows XP SP1 and SP2 on unprotected Internet connections to see if they could withstand attack. The short results: over the course of seven days, only Windows XP SP1 succumbed (and it fell in 18 minutes). But the exercise glosses over an important issue with Windows XP SP2.

In the test, all four computers were connected to the Internet just as they came, out of the box, with the exception of Windows XP SP2, which was allowed to "automatically" install the latest Microsoft security patches. None of the other systems had any patches installed at all. Reportedly the computers sustained 46,255 scans during the week-long test. Out of those scans, only a handful of dedicated attacks occurred: eight for Linux, three for Mac OS X, and sixteen for Windows XP SP2. SP1 died almost immediately, ultimately becoming a remotely-controlled "bot" system doing the bidding of some hacker overlord.

My first reaction to this test is to cry "unfair!" Why was SP2 patched during the test, while Linux and OS X were not? In my opinion, StillSecure's test protocol is hardly cricket. My own tests of SP2 show that when unpatched it falls to infection within an hour. StillSecure seems to have sweetened its honeypot in SP2's favor.

StillSecure reportedly permitted SP2 its patches because it can install them automatically, but that only happens if the user elects automatic updates, and many don't. Mac OS X also has the option to automatically apply patches, and you can purchase Linux distributions with the same feature. All three prompt the user to let patches download and install automatically.

Beyond the obvious problem of its test bias, StillSecure's reported results obscure a fact that may be too subtle for non-expert users: a Windows system (or any other, for that matter) can become infected in the time it takes for patches to be downloaded and installed. I've seen it happen many times, leading to my recommendation for the SwatBox to protect a Windows computer during the vulnerable update process (see my December 2004 column at E-ProMag.com).

Unfortunately, a huge number of home- and small-office Windows users connect to the Internet with no firewall protection, and also bypass automatic updates. That Windows XP SP2 still ships in a vulnerable configuration for these users is a huge failure on Microsoft's part. I'm glad that Microsoft is beefing up security, but I'm not happy to see security professionals gilding the lily.

Posted by Mel Beckman at March 1, 2005 10:17 AM