Because of such efforts, Gartner no longer believes that there is any difference as far as security is concerned between Windows Server 2003 and rival operating systems such as Solaris, HP-UX and AIX, Pescatore said. But, he added, the planned launch of Windows Vista later this year will be a key milestone in Microsoft's effort to prove that it has made real progress on improving its security procedures. 'It will be the first desktop OS to ship after they said they are getting serious about security,' Pescatore said.

'Their biggest problem now is trying to get past all of the negative legacy perceptions,' said Hugh McArthur, director of information systems security at Chantilly, Va.-based Online Resources Corp., which offers online banking and bill payment services to the financial industry. McArthur added that he would give Microsoft 'an A for effort and a B+ for execution' on security issues.

Executives at Oracle and Cisco defended their companies' security approaches.

Oracle's vulnerability remediation and response strategies are very customer-focused, said Duncan Harris, the company's senior director of security assurance. He said Oracle's decision to move to a quarterly update schedule last January was based on feedback from database administrators, who said they would prefer a longer gap between updates.

Similarly, Oracle's decision to limit the amount of vulnerability information it discloses is driven solely by the interests of users, Harris said. 'Our advisories are for our customers' benefits,' he said. 'They are not for the benefit of the security community.' Harris claimed that more complete disclosures of the sort issued by Microsoft only increase the security risks faced by users.