by schoen 3346 days ago
I don't support anyone hiding source code from users (and have given conference talks about hard-to-detect ways of backdooring binaries), and so I don't mean this to be an excuse for the secrecy of the source code, but every single person I know who's worked in the security industry agrees that Microsoft made a major qualitative improvement in their security at every level, based on spending a lot of money and giving security people power in the development process.

Most people feel Microsoft is managing security better than the main Linux-based operating systems do, in terms of auditing, coding standards, code reviews, and developer security education. (That doesn't mean that they're doing this better than each and every individual open source project.)

Some of the people agitating for giving Microsoft more credit about this have personally seen the results, as in-house or contracted developers or auditors.

It can be hard to make an apples-to-apples comparison about what this means for the security of deployed systems because people are potentially using the systems in different ways with kind of different attack surfaces. (For example, quite a few Windows desktop users may still be downloading unsigned binaries from HTTP sites, which Linux users would be less likely to do because of the prevalence of package managers -- though maybe some of those Linux users will do the curl | sh thing from an HTTP site too.)

I don't think that a typical open source project has improved to the extent that Microsoft has during this timeframe, though, again, it's hard to know exactly what to compare or how to compare it.

1 comment

That's a really complete argument. But there's still the elephant in the room of the whole operation being closed source, and the inability to do quantitative analysis into the improving security of a closed source system.

People on the inside can say there have been qualitative improvements, but that's not measurable on the outside and so is no better than hearsay and conjecture. Meanwhile in the GNU/Linux world, you can browse the git repositories and see and audit every step in the development process if needed.

Is it possible that typical open source projects didn't NEED to improve their security over the same timeframe, given that the F/OSS world didn't fuck users over for two decades with unfixed 0days?

Meanwhile, the OP here is talking about Word which is likely a world away from the improving security team working on Windows. Hell, I'm surprised they've got more than a skeleton crew working on the desktop version of Word anymore. People in my community 60+ have been using Google Docs for the last five years already.