Windows Vista One Year Vulnerability Report

Microsoft takes a look back at the security implications of Vista's first year on the market:

This paper analyzes the vulnerability disclosures and security updates for the first year of Windows Vista and looks at it in the context of its predecessor, Windows XP, along with other modern workstation operating systems Red Hat, Ubuntu and Apple products.

Summary

Windows Vista shipped to business customers on the last day of November 2006, so the end of November 2007 marks the one year anniversary for supported production use of the product. This paper analyzes the vulnerability disclosures and security updates for the first year of Windows Vista and looks at it in the context of its predecessor, Windows XP, along with other modern workstation operating systems Red Hat, Ubuntu and Apple products. The results of the analysis show that Windows Vista has an improved security vulnerability profile over its predecessor. Analysis of security updates also shows that Microsoft improvements to the security update process and development process have reduced the impact of security updates to Windows administrators significantly compared to its predecessor, Windows XP.

Note that this report is an update to the previously published Windows Vista 90-Day Vulnerability Report and Windows Vista 6-Month Vulnerability Report. However, since one year is a more informative time frame, this report contains the results of a deeper level of analysis.

Download the report in PDF format

So I'll break the suspense and note that, as expected, Windows Vista performed amazingly well compared to both its predecessor (XP) and the competition. You should read the entire report, of course. But I think this table says it all. (I added color for emphasis.)

Metric                                Windows Vista   Windows XP   Red Hat RHEL4WS   Ubuntu 6.06 LTS Reduced   Mac OS X 10.4
                                      (year 1)        (year 1)     (year 1)          (year 1)                  (year 1)
Vulnerabilities Fixed                 36              65           360               224                       116
Security Updates                      17              30           125               80                        17
Patch Events                          9               26           64                65                        17
Weeks with at least One Patch Event   9               25           44                39                        15

Discuss this Article

cesjr
on Apr 17, 2008
"But I think this table says it all." Not really. Many many people have explained why number of disclosed vulnerabilities is not some kind of magic indicator of how vulnerable a platform is. Paul presumably knows about these arguments - but as is often the case he just ignores the strong arguments that run counter to his beliefs.
ibarskiy
on Apr 17, 2008
cesjr, as always, you just ignore the most relevant statistic available. It's been beaten to death, really, and all the people that keep finding problems with these metrics fail to produce a more relevant metric.
bkvalheim
on Apr 17, 2008
Seems like the Mac figure of 116 fixed should be in green. Neither Vista nor XP has done a good job fixing the rest of their vulnerabilities. They have only fixed 36 and 65 respectively? What about the hundreds of others they haven't addressed?
cesjr
on Apr 17, 2008
"cesjr, as always, you just ignore the most relevant statistic available." The most relevant thing is that indisputably, Windows users have the most to worry about when it comes to security. Windows users have the most actual incursions. Windows users have to take steps to combat an actual, real live problem. Whereas most mac users DO NOTHING. And worry about NOTHING. Statistics that suggest that windows is less vulnerable than other platforms -- a conclusion that is so far removed from reality as to be laughable -- obviously have little value.
clindhartsen
on Apr 17, 2008
cesjr, it still assists in the respect that it may have shown Microsoft was able to reduce the number of security holes in their products before release, vs. XP which was, by many accounts, a massive security hell hole from the beginning. Does it prove that it's more secure? Not necessarily, but it could show that Microsoft has improved their programming and have avoided a number of mistakes they've made in past Windows editions. Still, the other side of the coin could be that Linux is an ever continuing project and they are always bound to find security exploits due to the developer base and the open format of the whole system to anyone who wants it.
pthurrott
on Apr 17, 2008
cesjr, if you actually read the report, you'll see that it's very upfront about what it is and what it isn't. Give them a bit of credit. Also...regarding the table, yeah, it does say it all. It's a summary of the report. Maybe Canalys can pipe in with some data that will prove otherwise. I'll hold my breath. :)
cesjr
on Apr 17, 2008
"cesjr, It still assists in the respect that it may have shown Microsoft was able to reduce the number of security holes in their products before release, vs. XP which was, by many accounts, a massive security hell hole from the beginning." It's pretty much PR data. MS holds it out as being proof that windows is more secure. I think it's OK for reputable, objective journalists to point to it, as long as you at least mention all of the qualifiers about it (eg. windows is less open than linux or the open-source software in OS X, so of course there's fewer reported vulnerabilities, etc.).
Dipsh t Admin
on Apr 17, 2008
"What about the hundreds of others they haven't addressed?" Care to provide a source for those? Do you know this for a fact, or are you just guessing? If you compare Secunia's data, looking at just 2007 as an example, we can see the following: Vista for 2007 had 6% (or 1) of their 17 advisories marked in the unpatched category. http://secunia.com/product/13223/?task=statistics_2007 For the Mac in 2007, they had 19% (or 5) of their 26 advisories unpatched. http://secunia.com/product/96/?task=statistics_2007 So if we were to use this metric, which of course is only one metric, and a metric that is measurable, cesjr, it would appear that indeed Windows is less vulnerable. If anyone wishes to argue otherwise, I would suggest that they argue with actual measurable metrics.
Dipsh t Admin
on Apr 17, 2008
"so of course there's fewer reported vulnerabilities" I don't get the connection. In fact, I would argue the opposite. Since Windows has such a high install base, it would make sense that MORE vulnerabilities would be reported. That and the fact that many love to hate MS, giving them a personal incentive to find these, and of course, exploit them when possible (for profit of course). And certainly, if you look at the history of Windows, particularly XP, this certainly rings true.
BrightrevCarl
on Apr 17, 2008
@ ibarskiy In one simple sentence: The most relevant metric is the number of EXPLOITS, not the number of vulnerabilities. Two points: 1. Microsoft has done a very good job keeping exploits out of Windows Vista. I don't hear nearly as much about horrendous malware infections on Vista.* 2. Windows is still exploited much, much more than Mac OS X or Linux. At this point, they are safer platforms regardless of the number of vulnerabilities. This could change. * Some of this may be because all the people who do things that attract malware (click attachments, surf questionable sites, don't update their PCs, use Internet Explorer 6) have been scared off of using Vista. I'd REALLY like to see some numbers on botnets - what percentage are Vista vs. XP in proportion to all computers that are Vista and XP.
Snakedoctor1
on Apr 17, 2008
Where is the list of actual successful attacks? No one ever has this info. Vista is just so good that I just got this email from my Dell rep..... from: xxxxxx@Dell.com Date: April 17, 2008 1:01:44 PM CDT To: xxxxxxx Subject: DELL - UPDATE about Windows XP Pro going away on June 30, 2008 Dell Customer Number 3xxxxxxx Dear xxxxx, Due to the negative feedback that we received from our customers about Windows XP Pro (OEM version) going away after June 30th, 2008 we have decided to continue offering Windows XP Pro on our systems. In order to comply with Microsoft’s licensing rules we must sell you a Windows Vista Business license (after June 30th) but you will have the option to downgrade the system to Windows XP Pro (OEM version) at the time of purchase. Basically, the only change after June 30th is that we will have to sell you a Vista Business license (per Microsoft’s licensing rules). Otherwise, you will get to specify if you would like Vista Business or Windows XP Pro loaded from the factory. Installation CDs for both Vista Business and Windows XP Pro will be provided for those customers who opt to downgrade to Windows XP Pro at the time of purchase. To view Microsoft’s licensing roadmap please click on the link below: http://www.microsoft.com/windows/lifecycle/default.mspx If you have any questions about this please call me at (512) 724-xxxx or email me at xxxxx@dell.com . Below are the current promotions that we are running for the month of April.
DRWAM
on Apr 17, 2008
Where's a comparison to Leopard, Mac OS 10.5? This is a Microsoft report with Mac OS 10.4. Although data gathering is quite different, which really invalidates most assumptions, the point that Windows is much more ubiquitous and more vulnerabilities would be found if they existed makes some sense. Then again, I have never heard of a Mac being turned in to a spambot either. It's tough being bipartisan:)
Dipsh t Admin
on Apr 17, 2008
"Where's a comparison to Leopard, Mac OS 10.5?" Since this is in regards to first year vulnerabilities, then we need to wait for 10.5 to pass the one year mark of availability.
Spidubic
on Apr 17, 2008
"Whereas most mac users DO NOTHING. And worry about NOTHING." You know why? Because if I was a hacker why the heck would I bother with Mac when so many people use Windows? The user base is so much larger with Windows that you get noticed. The day the Mac OS is as prevalent as Windows is the day all macbois sit on the floor and cry as their beloved OS is hacked to oblivion.
Snakedoctor1
on Apr 17, 2008
@Spidubic, I agree Windows is more of a target for two reasons. Market share for one. Two, bad security practices for so long, like running as an Admin, and having NO password at all. I have seen so many XP home PC's that have user accounts and no passwords, which is the default install. Hacking is way, way, way more about getting your information to exploit it these days than it's about hacker fame. Lots of exploits coming out of Russia and Asia to steal your SSN number, or other items that allow a hacker to get credit cards and such under your info. Windows is a FAT target. If you're writing an exploit that is intended to earn you profit, you are going to target the fattest, most insecure OS. That would be Home users on XP. Vista is more secure out of the box, and so is OS X. Both are much smaller targets than XP. Why spend your resources on smaller, hard to exploit targets.
ibarskiy
on Apr 17, 2008
@BrightrevCarl: Sidenote: When people make an intelligent point like you, it makes everybody else want to respond. But still, I contend that your argument is not an accurate metric - because of the installed base brought up above. The reason there are fewer exploits on Macs is because fewer people bother. So the number of exploits does not measure the security of the platform. It is very tough to come up with a good "exploitability" metric, but it is certainly true that MS has been paying great attention to reducing the ways in which their code could be exploited.
DarkSages
on Apr 17, 2008
"What about the hundreds of others they haven't addressed?" All listed platforms have items that they have not addressed so we are not looking at that. "The reason there are fewer exploits on Macs is because fewer people bother." Yep and you can tell this by looking at Apple's history. Now that they have a little more share they have more vulnerabilities (more hackers that target the platform). If you would put all the hackers that target windows and they now target mac I don't think that mac users can say they will be safe. Mac users feel safe and so they don't usually protect their computers with antivirus or run the updates as often as pc users do. Heck you have to install your updates manually. So I'll feel sorry for them if they ever become a target.
Waethorn
on Apr 17, 2008
@Snakedoctor1: The downgrade license option is nothing new. Dell is just reminding customers that the option is there and offering the option at time of order so that the customer gets the XP bits right away, rather than bug Microsoft after their purchase. Microsoft had this option available immediately upon release of Windows Vista (and maybe XP Pro -> 2000 Pro too, I dunno). It's for businesses though, hence the Vista Business -> XP Pro path only. Any OEM or OEM System Builder can provide that option to the customer. Also, it's available via one of the Volume License Agreement options, although I can't remember if it's the base licenses, or through Software Assurance, and I can't be bothered to look it up at the mo.
DRWAM
on Apr 17, 2008
We bought new computers with the XP downgrade license. When all the old software gets updated, we will switch them to Vista. Back on topic. there are millions of Macs, in one of the wealthy countries in the world, the USA. Getting a few hundred or few thousand to give up personal info would be a windfall of cash. If it were easier, and Macboi's don't protect themselves, what hacker wouldn't want to hack a Mac? Let's face it, it just doesn't happen.
Snakedoctor1
on Apr 17, 2008
Yeah I know the downgrade option was there for a while now from many vendors, Dell, HP, Lenovo...etc. What I did not know was that it was going to be available after June 30th. If you could see the actual email the first sentence.... "Due to the negative feedback that we received from our customers about Windows XP Pro (OEM version) going away after June 30th, 2008 we have decided to continue offering Windows XP Pro on our systems." Was bold and in yellow highlight, making it look like a change to the policy of not being able to get it all after June 30th. Companies with select or enterprise agreements don't buy media anymore, just CAL's and load it on PC's. Those I think can be moved to a new PC unlike CAL's that come with a PC. Those companies will continue to use XP for as long as they like, or 2014 when critical update support runs out.
subzerohitman721
on Apr 17, 2008
I think this report does speak for itself. Microsoft is making strides and this is not some PR offensive. Many independent studies are verifying that Vista is much more secure and that both OS-X and Linux OSes are lagging behind. Reports like these and improvements such as SP1 will turn sentiment towards Vista. This is a nice little victory for Microsoft. They can loudly and proudly tout they have at this moment in time, the most secure operating system on the market. The facts speak for themselves. Finally, the cloud of Vista Haters is being shattered by its own performance and improvements? So the question becomes, do you really want to run out there and download Linux distros? Do you really want to buy Macs when they have issues with Zero Day and vulnerability patching?
Snakedoctor1
on Apr 17, 2008
"Reports like these and improvements such as SP1 will turn sentiment towards Vista." Doubtful, very doubtful. I was in an airport not three weeks ago, in a southern state. It was a Friday, and I was going home after a week on business. Anyhow I am in this little airport bar, having a drink on my work notebook checking email and stuff, in this row against the wall, many business types doing the same. It's packed because many flights in this section are waiting. Two to three tables over are two people, co-workers from what I could determine, waiting for a flight heading out on some business trip. The one says to the other.."I just got a new Dell notebook a few months ago, and it came with Vista". "I could not stand it, so I paid one of the IT guys at work to put XP back on it". My point is Joe User from my experience can't stand Vista. The word, un-educated as it might be, has gotten out that Vista = BAD. Joe User does not know what a service pack is, nor cares. The recent surge in Mac sales has got to be partially from Vista hate as I like to call it. Sadly Vista from a security standpoint, is much better than XP. MS needs to get a new OS out the door before they lose a lot of home customers. It's getting easier and easier to go non Windows at home with so much moving to a Web browser. iLife and the iPod represent probably 60-70% of what a home user wants to do with a PC, especially with PC gaming fading into the wind.
JamesRayG
on Apr 17, 2008
But as you say, it's all uneducated nonsense, eventually even the dumbest bloggers will realize what an improvement Vista is over XP and we will enter an 'era of Vista', with stable and secure computing for the masses. I've used Vista for about a year now, and it's given me 99.99% uptime, no malware though I am a prolific surfer with IE7, and very few program incompatibilities with none in like the last 8 months. Vista needs time to show its true greatness, then people will love it like XP but better.
DRWAM
on Apr 17, 2008
I am posting on Vista now. I am getting pop-ups out the wazoo, and I had a difficult time installing Java, so I better learn how to use IE7. I don't think Vista is bad at all, and I am an average user. However, read this headline: Apple's growth rate in terms of Mac shipments in the first quarter outpaced that of the other top five U.S. PC makers, a research firm said Wednesday. http://www.informationweek.com/news/hardware/mac/showArticle.jhtml;jsess...
Waethorn
on Apr 17, 2008
"Those I think can be moved to a new PC unlike CAL's that come with a PC." Don't confuse CAL's with licenses. CAL's are client access licenses for PC's to connect to a server domain. They are not licenses for the operating system that's installed on that client workstation. CAL's are completely different and separate. I believe you are correct though, but I don't deal much in enterprise agreements. I'm pretty sure that transferability in Open License requires SA though. Open Value includes SA, and so is transferability. Open Value is mostly just Open License + SA, but it costs a trivial amount more, and offers more benefits. Remember that for Open License and Open Value, those licenses are upgrade licenses only though, so you need to have a prior full license in order to qualify. Buying software with the computer via OEM licensing is the cheapest way to buy software, and you can add SA to an OEM license in order to add said transferability, so that's a good way to stay current, and have a good ROI. You would never need to buy a replacement license to upgrade your systems - just keep renewing SA over your technology lifecycles and move those aging OEM licenses to new machines as the need arises. Oh, and SA also includes those free upgrades....not to mention training, deployment tools, IT help, a direct support contract with Microsoft, and home-use licenses too.... "Those companies will continue to use XP for as long as they like, or 2014 when critical update support runs out." When free support ends, support costs skyrocket though, so it's often in a business's best interest to move to something that is supported for free - in this case, Windows Vista SP1. The support costs of OEM-provided software also go up when the original vendor (Microsoft, in this case) also moves into extended support lifecycles.
Flenser
on Apr 18, 2008
Number of vulnerabilities isn't a good metric. How many days there were known vulnerabilities with no fix would be much more useful. It's just that it's not in Microsoft's interest to publicise that information because it would make them look bad, and it would be harder to control and spin, and it's not in security companies' interests to publicise it because their sales pitch is usually focused on the number of vulnerabilities they can protect you from, which is an easy concept for customers to grasp and marketers to create a message around.
Flenser
on Apr 18, 2008
They even admit what I've said above in the report: "Note that individual metrics can even be mutually exclusive. For example, vendor policy could mandate a single security update per year which would definitely decrease the number of patches to deploy. However, that same policy would almost certainly mean that the exposure time for publicized issues would increase." I bet if they had charted exposure time instead they would have come off worse. The report asks "All other things being equal, is it easier to mediate risk on a system that has 10 vulnerabilities in a year or one that has 100 vulnerabilities in a year?" The thing is, all other things are NOT equal, and if exposure time is different then it is the more relevant metric.
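The table above reports only counts (vulnerabilities fixed, security updates, patch events, weeks with a patch event), while the comments argue that exposure time (days a known issue stays unfixed) is the more relevant measure, and the report's own caveat says a one-update-per-year policy would lower the counts while raising exposure. The following is an added example, not code from the original post or from the Microsoft report: it computes both kinds of metric from one constructed set of fix records, then re-runs them under a "ship everything in one batch" policy to show the two metrics moving in opposite directions. The definitions used (security update = distinct update id, patch event = distinct release date, ISO week for the weeks metric) are this example's assumptions; the report's actual definitions are in the PDF, which this page does not reproduce.

```python
"""Added example (not part of the original post or the Microsoft report).

Computes count-based metrics in the style of the report's table and the
exposure-time metric argued for in the comments, from constructed data.
"""
from collections import namedtuple
from datetime import date

# One record per fixed vulnerability. `update` is the id of the security
# update that fixed it, `disclosed` the day the issue became publicly known,
# `released` the day the fix shipped. All values below are constructed.
Fix = namedtuple("Fix", "vuln update disclosed released")

SAMPLE_FIXES = [
    Fix("V-001", "UPD-01", date(2007, 1, 3), date(2007, 1, 9)),
    Fix("V-002", "UPD-01", date(2006, 12, 20), date(2007, 1, 9)),
    Fix("V-003", "UPD-02", date(2007, 1, 9), date(2007, 1, 9)),
    Fix("V-004", "UPD-03", date(2007, 2, 1), date(2007, 4, 10)),
    Fix("V-005", "UPD-03", date(2007, 3, 30), date(2007, 4, 10)),
    Fix("V-006", "UPD-04", date(2007, 4, 11), date(2007, 4, 12)),
]


def count_metrics(fixes):
    """Count-based metrics, using this example's assumed definitions:
    a security update is a distinct update id, a patch event is a distinct
    release date, and a week counts once if any release falls in it."""
    return {
        "vulnerabilities_fixed": len({f.vuln for f in fixes}),
        "security_updates": len({f.update for f in fixes}),
        "patch_events": len({f.released for f in fixes}),
        # isocalendar() gives (year, week, weekday); keep year and week only
        "weeks_with_patch_event": len({f.released.isocalendar()[:2] for f in fixes}),
    }


def exposure_days(fixes):
    """Days each publicly disclosed vulnerability stayed without a fix."""
    return {f.vuln: (f.released - f.disclosed).days for f in fixes}


def summarize_exposure(fixes):
    """Aggregate exposure: worst case, average, and total vulnerability-days."""
    days = list(exposure_days(fixes).values())
    return {
        "max_days": max(days),
        "mean_days": sum(days) / len(days),
        "total_vuln_days": sum(days),
    }


def batch_into_one_update(fixes, release_day=None):
    """Model the report's caveat: the same fixes shipped as a single update
    on one day (default: the latest release date in the data set). Counts
    drop to one update, one patch event, one week; exposure grows."""
    if release_day is None:
        release_day = max(f.released for f in fixes)
    return [f._replace(update="UPD-BATCH", released=release_day) for f in fixes]


if __name__ == "__main__":
    for label, data in (("as shipped", SAMPLE_FIXES),
                        ("one batch", batch_into_one_update(SAMPLE_FIXES))):
        print(label, count_metrics(data), summarize_exposure(data))
```

On the constructed data the as-shipped schedule gives 4 security updates, 3 patch events and 2 weeks with a patch event, at 106 total vulnerability-days of exposure; batching the same six fixes into one release cuts the counts to 1/1/1 but raises exposure to 389 vulnerability-days. That is the trade-off the report's caveat describes, and why a count-only table cannot by itself rank the platforms' exposure.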
DRWAM
on Apr 18, 2008
Stats can mean anything without standardized definable criteria and methodology. These do have some meaning as MS and Apple both report the ones that are patched. Note that there are those reportedly not patched as well. It's all that there is given, so you read em and weep. Discovery is a different story. If there is no standardized method and environment, then the result can be erroneous. Also, security can't just be measured by this one criteria, but all manners of 'insecurity' must be considered. This would be counting how many burglars break into the front door, and ignore the backdoor and windows. Also, a better metric would be to count the actual successful security breaches. Although this is also a factor of the number of hackers, total security must have it included. Thus, a dynamic tally will change over the years, as the number of hackers for a given OS increases or decreases. Like a disease, we just don't look at one organ system as a failing different system could kill too.
Dipsh t Admin
on Apr 18, 2008
"Stats can mean anything without standardized definable criteria and methodology." You are absolutely right. In this case, the computer industry has no definable standards like you speak for nearly anything. A lot of this has to do with the ever quick changing nature of the industry that makes it difficult to define truly meaningful metrics. Once again, I echo Paul's statements that the report very clearly states that this is in fact only one metric, which just happens to be one that is able to be backed up by real stats, and not hearsay and anecdotal evidence.
DRWAM
on Apr 18, 2008
I will be using Vista only for a while, unprotected except for the built in firewall. I will do my usual life of web surfing and email, then let you know how it works out for an average user. I have auto update on, but is SP1 an auto update, or do I need to update manually? The System control panel does not show SP1, but I was not sure if it does.
lotsamystuff
on Apr 18, 2008
"I've used Vista for about a year now, and it's given me 99.99% uptime" That's an interesting comment. Are you really tracking that number, or did you just pull it out of your arse? I'm assuming that you're being hyperbolic, because a 99.99% uptime allows for only 30 seconds of downtime per year. What was happening during your 30 seconds? For more reading: http://www.joelonsoftware.com/items/2008/01/22.html
Flenser
on Apr 18, 2008
"because a 99.99% uptime allows for only 30 seconds of downtime per year" No, that's 52½ minutes. Six nines (99.9999%) is 30 seconds, it says so in Joel's essay.
subzerohitman721
on Apr 18, 2008
I remember when 2000 came out and we had the games compatibility issue. It took awhile at least to SP1 to fix. I also remember when XP first came out and there were many incompatibility issues, game issues, and networking issues. Again it really took up to SP2 to get XP where everyone liked it. I believe since this has been the cycle, the Vista Hate cycle has reached its peak and is slowly starting to slide down. We will reach the "era of Vista" as JamesRayG has stated so eloquently. Just because the idiots at PC Magazine have this anti-Vista campaign and the misconceptions on the street are that its bad, that doesn't always become its permanent label. I remember during the Blaster Worm crisis during the XP era, that people were calling for a new OS. People were saying, migrate over to Apple or Linux. In the end, when the paranoia ended and people started thinking for themselves, they stayed with XP and Microsoft. Don't be surprised when people migrate to Vista and it's well praised for its security. Eventually the issues will be resolved and it will be a rock solid OS for the masses.
techboy2000
on Apr 19, 2008
Microsoft has a very good handle on security these days and procedurally is more advanced than any other OS supplier (MS's SDL process). Vista is very safe with:
- IE7
- Windows Defender included in Vista
- Two-way firewall on by default
- UAC (yes this is a Great addition and not annoying.)
- Data Execution Prevention
- GS
- SafeSEH
- Function Pointer Obfuscation
- ASLR
MS took too long to figure this stuff out but the problem has been addressed and the platform is good.
