It really depends on how you define and measure security. A Windows install's attack surface is massive with tons of legacy crap there for backwards compatibility that is very hard to secure properly. Having a TPM and hardware attestation can only get you so far.
A random Linux distribution can be a very minimal one, and can have sandboxing too, which is what I presume you equate to security.
I define security by actually taking the steps to make it happen.
Linux sandboxing isn't on the same level as Windows 11 Professional, as it doesn't do user space drivers for most stuff, run drivers in their own sandbox, or have critical kernel components running in their own sandbox.
All coupled with hardware attestation zones via TPM, SGX and now Pluton.
> Linux sandboxing isn't on the same level as Windows 11 Professional, as it doesn't do user space drivers for most stuff, run drivers in their own sandbox, or have critical kernel components running in their own sandbox.
Nothing except the last part of what you said about Windows 11 is true. And the only "critical kernel component" which as of today by default runs in its own sandbox is the protected media path, aka DRM. Anything that could even be remotely interesting is not available on the Pro edition.
It's funny that there are two people in this comment thread praising Windows' security, and both are aggressively antagonistic for no reason.
Considering Microsoft's general security posture (e.g. check the number of critical cross-tenant and trivial-to-exploit security issues in Azure, which is unique among cloud providers in their number, criticality and triviality), I wouldn't trust them in the slightest. I know Azure and Windows are different business units, but if nobody in Azure cares about reliability or security, as is obviously the case, I severely doubt that's an organisation that puts emphasis on either.
Also, in recent times the biggest DDoS attacks have been carried out by Linux-based botnets. Typically the botnet operators use SSH brute forcing to infect everything from IoT devices to big servers.
However Linux is not to blame that it's used in idiotic IoT and server configurations.
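The SSH brute forcing mentioned in the comment above leaves a very recognisable trail in sshd's auth log. The following is an added example, not code from any commenter: it parses constructed sshd log lines (TEST-NET addresses, no real host), counts failed password logins per source address in a sliding window, flags sources that cross a threshold, and escalates when a flagged source later succeeds with a password. The threshold (5 failures), window (60 s) and the syslog year are assumptions chosen for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log lines (not from any real system); 203.0.113.5 plays
# the brute forcer, 198.51.100.7 a legitimate user who mistypes once.
SAMPLE_LOG = """\
Jan 12 03:14:01 host sshd[1201]: Accepted publickey for deploy from 198.51.100.7 port 40112 ssh2: ED25519 SHA256:abc
Jan 12 03:14:05 host sshd[1210]: Failed password for root from 203.0.113.5 port 51234 ssh2
Jan 12 03:14:06 host sshd[1211]: Failed password for invalid user admin from 203.0.113.5 port 51235 ssh2
Jan 12 03:14:07 host sshd[1212]: Failed password for invalid user pi from 203.0.113.5 port 51236 ssh2
Jan 12 03:14:08 host sshd[1213]: Failed password for root from 203.0.113.5 port 51237 ssh2
Jan 12 03:14:09 host sshd[1214]: Failed password for invalid user ubnt from 203.0.113.5 port 51238 ssh2
Jan 12 03:14:11 host sshd[1215]: Failed password for root from 203.0.113.5 port 51239 ssh2
Jan 12 03:14:15 host sshd[1220]: Accepted password for root from 203.0.113.5 port 51250 ssh2
Jan 12 03:20:00 host sshd[1230]: Failed password for alice from 198.51.100.7 port 40200 ssh2
Jan 12 03:20:30 host sshd[1231]: Accepted password for alice from 198.51.100.7 port 40201 ssh2
"""

# Matches the classic syslog-style sshd login result lines.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)


def parse_line(line, year=2024):
    """Parse one sshd auth line into a dict, or None if it is not a login result.
    Syslog timestamps carry no year; `year` is an assumption for the example."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "method": m["method"],
            "user": m["user"], "ip": m["ip"]}


def detect_bruteforce(log_text, threshold=5, window_seconds=60):
    """Flag a source IP once it accumulates `threshold` failed password logins
    within `window_seconds` (sliding window). A later password success from a
    flagged IP is reported as a likely compromise. Key-based logins are ignored
    because brute forcing targets passwords, not keys."""
    failures = defaultdict(deque)   # ip -> timestamps of recent failures
    flagged = set()
    compromised = set()
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["result"] == "Failed" and ev["method"] == "password":
            q = failures[ev["ip"]]
            q.append(ev["ts"])
            # Drop failures that fell out of the window.
            while q and (ev["ts"] - q[0]).total_seconds() > window_seconds:
                q.popleft()
            if len(q) >= threshold:
                flagged.add(ev["ip"])
        elif ev["result"] == "Accepted" and ev["method"] == "password" and ev["ip"] in flagged:
            compromised.add((ev["ip"], ev["user"]))
    return {"brute_force_sources": sorted(flagged),
            "likely_compromised": sorted(compromised)}


if __name__ == "__main__":
    for key, value in detect_bruteforce(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

The "Accepted password" after a burst of failures is the signal worth paging on; the failures alone are background noise on any internet-facing host. The cheaper fix is to make the attack impossible rather than to detect it: set `PasswordAuthentication no` in `sshd_config` and use keys, which is exactly what the IoT and cheap-VPS configurations the comment describes tend not to do.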
That's extremely vague. The CVE database is a spectacularly terrible thing to use to try and assess comparative "security" because there are so many social, organizational and cultural things that affect whether and how an issue gets discovered, reported (or hushed up), appropriately scored (almost nonsense in itself), or has its interaction with other components taken into account. For instance it is 100% routine to register any buffer overflow as a CVE, even cases which will always be stopped by compiler hardening flags or OS hardening features.
This sort of citation or "research" is not remotely what the CVE database is for.
Then don't put an irrelevant citation if you don't want to play the game.
One is peer reviewed, the other isn't, so it's like comparing results from a self-reported study against an academically measured one.
The availability of Windows source for partners is nothing compared to how many educated eyes are on the Linux source at a given moment.
Of course none of this matters because the BSDs are more secure than both, but they wouldn't pick them over Windows IRL anyway. Why Windows is preferred is a matter of business and not technology. This is a long topic and if you were in the Usenet advocacy groups you know what it's all about. Support, logistics, number of trained people in the market, certifications, so on and so forth. Linux doesn't have an easy fight there.