22 Jun 2007, Tom Sanders in California, V3
Microsoft has boasted in a new study that Windows Vista has needed fewer security patches than any other recently released desktop operating system.
"Windows Vista has an improved security vulnerability profile over its predecessor and a significantly better profile to comparable modern competitive operating systems," stated Jeff Jones, director of the Trustworthy Computing initiative at Microsoft's Security Business Unit.
The Windows Vista 6-month Vulnerability Report (PDF) compared the number of flaws during the 90 days after the application's launch for Windows Vista, Windows XP, Red Hat Enterprise Linux 4 (RHEL4) Workstation, Ubuntu 6.06 LTS, SuSE Linux Enterprise Desktop 10 (SLED10) and Apple Mac OS X. (Also see table on page two)
Vista beat the other operating systems on nearly all fronts, according to the report, logging the fewest fixed vulnerabilities and the fewest repairs with a severity rating of 'high'.
Microsoft's operating system ranked second in the number of unpatched flaws after 90 days, trailing behind only Windows XP.
Apple's OS X ranked third behind the two Windows versions, followed by Ubuntu, SLED10 and RHEL4.
Comparing the number of patched and disclosed vulnerabilities is a controversial method of comparing security between products. Different operating systems have different features, offering attackers diverse ways to hit the software.
Jones attempted to pre-empt criticism over features by including a tweaked version of the three Linux distributions in his test.
The adapted version had been stripped of bundled applications that are not found in Windows or OS X, such as the OpenOffice productivity suite, as well as graphics and developer tools.
The number of fixes also fails to take into account each system's popularity with attackers and security researchers. Because Windows is the predominant operating system, its users run a greater risk of getting hit.
But this has also caused the software to be closely scrutinised by Microsoft and independent security researchers as they attempt to protect their clients.
Researchers, meanwhile, have started to closely track Apple software. This has been sparked by frustration over the firm's arrogant attitude towards outside researchers as well as the refusal by so-called Mac fan boys to acknowledge that Apple software is not bullet-proof.
This has prompted the disclosure of a slew of security flaws in the days after the firm launched its Safari 3 beta for Windows.
Jones's report is bound to receive criticism for his security claims, but he seemed well aware of that risk. In closing the 14-page study, he wrote:
"Jeff actively encourages readers to challenge his assumptions, analysis and conclusions and provide critical feedback – but asks for equal (or better) rigour in methodology and analysis to support the challenges, as opposed to enthusiastic espousal of unsupported evangelistic fervour."
Vulnerabilities in the first 90 days after launch:
| | flaws pre-launch¹ | flaws fixed in first 90 days | unpatched after 90 days |
|---|---|---|---|
| Windows Vista | 0 | 12 (10) | 15 (1) |
| Windows XP | 3 (0) | 36 (23) | 3 (2) |
| REL4ws | 129 (40) | 281 (86) | 65 (12) |
| REL4ws reduced** | n/a | 214 (62) | 59 (12) |
| Ubuntu 6.06 LTS | 29 (9) | 145 (47) | 20 (n/a) |
| Ubuntu 6.06 reduced** | n/a | 74 (28) | 11 (2) |
| SLED10 | 23 (5) | 159 (50) | 27 (6) |
| SLED10 reduced** | n/a | 123 (44) | 20 (6) |
| OS X 10.4 | 10 (3) | 60 (18) | 16 (3) |
1: vulnerabilities that were disclosed prior to the software release. In most cases a patch was available, but had to be applied by the user after installation
* high severity rating assigned by the National Vulnerability Database of the National Institute of Standards and Technology
** Distribution tweaked to mimic the functionality of Windows by stripping bundled components such as OpenOffice and development tools
Do you agree?
Hmmm, it is maybe that their TCI made the effort
But for the most part, it is seldom to see a windows update box. But when I log into my Ubuntu box, it will get updates to applications installed, including security updates from time to time.
This is real-world evidence.
Posted by allan, 22 Jun 2007
BS
Ok, apparently the guy who is being quoted works for MS. It is like a pimp telling someone he is not a prostitute and all of his girls are free of disease.
Posted by Greg Orlowsky, 22 Jun 2007
HA
ya i choose not to click a box like every 10 seconds saying allow or deny or ok or cancel or whatever those annoying security messages say. yeah anything can be secure if you ask you use the user to secure it.
Posted by netro, 22 Jun 2007
everything comes back to bite you in the ass
I'd like to hear MS's explanation to the fact that a lot of the really critical flaws found in Vista have been fixed in XP years ago. That would be interesting to hear considering they have said it's the safest Windows they have ever developed. Maybe Vista is all smoke and mirrors and a must-sell to survive going forward. I personally like Vista due to DX10 but I cannot see why it's not a free upgrade to XP. People have been very patient (5 years since release) with XP security and bugs; one would think MS could do something for their customer other than raising prices for a service pack... Vista is an ecosystem reviver needing still more power from your PC, not to mention a costly software upgrade.
Posted by billG, 22 Jun 2007
good job
good article. every mac fanboy needs to see this.
Posted by brian, 22 Jun 2007
Better methodology
Let's choose the methodology that really matters - what percentage of computers with each OS are infected with malware? This measure factors in all the relevant factors (inherent security, speed that patches are available, speed that patches are actually applied, amount of malware in circulation and so on).
Last time I checked, the percentage of OS X boxes which are infected is infinitesimally small. Linux would also have a very small percentage. Windows, OTOH has something like 70% of computers infected from the most recent report I read.
How about that, Microsoft?
Posted by Joe Anonymous, 22 Jun 2007
More secure, but...
Vista is a considerable improvement over XP, but the reasoning of this paper is flawed. The number of patches is the criteria to gauge how secure an OS is? How about actual breaches? I could just as easily say that the OS with the most patches is the most secure and not the other way around.
Posted by Carlos, 22 Jun 2007
Trustworthy?????
"....Trustworthy Computing initiative at Microsoft's Security Business Unit"
Trustworthy, Microsoft and Security in the same sentence! Is there such a thing as a double oxymoron?
Posted by William, 23 Jun 2007
I wonder why?
Hmm, maybe because nobody uses it, therefore no users = no bugs
Posted by Brian F, 23 Jun 2007
OSX is ~25x more secure than Vista
Anyone can spin-doctor selected facts. With MS, they control how many discrete "fixes" go inside each one of their patches, so by counting "patches" instead of "fixes", they're stacking the deck.
The only real measure here is actual in-the-wild exploits. The score there is VISTA 1, OSX 0. When you then normalize this by exposure duration (months vs years), you see that OSX is demonstrably far more secure.
Regardless of what people with a self-serving interest might *claim*.
-hh
Posted by -hh, 23 Jun 2007
"Enthusiastic espousal of unsupported evangelistic fervour"
That (see comment title) is exactly all that the (ignorant) users who commented on this article before me have as (weak) argument against the fact that Vista is the most secure OS today, which (for the retards) is different from being the safest to use (and there are no arguments against facts, sorry).
Posted by Filipe, 26 Jun 2007
Puh
That's just bullshit. Windows sucks. Everything MS has made sucks
Linux <3
Posted by http://www.andersmoen.com, 15 Jul 2007
Possible --> yeah likely!
It's possible that this is true. It's unlikely, knowing what a load of tripe comes out of Steve "I'm gonna f#(&ing kill Google" Ballmer's friends' mouths, especially when they want to keep their costs down.
Anyway, just take into consideration that it is in fact true. How long did it take them to finally get one-up on Linux? How long did it take considering the frillions of pesos this company rips off of its customers, providing them with a system that maybe for once works.
Consider that Stevie babee, when Linux jumps out at you tomorrow with the truth on the table illustrating the load of Bull-crap found in this article. What's more Stevie is that Linux still costs ... zip for me to do what I want to do with it. So why would I care?
Posted by Rex Alfie Lee, 19 Sep 2007
Hearing them say this ...
I hope no one's going to accuse me of fanboyism. But I think we can all agree that, given Microsoft's track record, something definitely smells fishy about these numbers.
One: They're basically talking about the number of security holes identified and fixed. Doesn't that mean the other OSes are _more_, not less, secure?
Two: What are their numbers for people who got fed up with UAC, and either turned it off or just click "OK" every time it pops up?
Posted by Jared Spurbeck, 15 Nov 2007