Vista Has Fewest Vulnerabilities at 6-Month Mark
Microsoft claims that Windows Vista has proven exceptionally secure so far.
Windows Vista, in its first half-year of life, has proven to be an
exceptionally secure operating system — much more secure, in fact, than
competing desktop OSes, according to Microsoft.
vulnerability report" released Thursday by Microsoft shows that,
compared to the first six months following the release of Windows XP,
from various Linux distributions, and even Mac OS X 10.4, that Vista is
hands-down winner for fewest security holes.
The report was written by Jeff Jones, a Security Strategy Director in
Microsoft's Trustworthy Computing group. He noted that for Vista's first six
months (it was released to business Nov. 30, 2006), a total of 12
vulnerabilities affected Vista. Microsoft rated five of those
vulnerabilities "Critical," six as "Important," and one did not have a
Another organization, The National Institute of Standards (NIST) in
National Vulnerability Database (NVD), had a slightly different rating
the flaws. It rated 10 of the issues as High severity, one as Medium and
Jones compared those figures with the vulnerabilities in the first six
months for the following OSes: Windows XP, Red Hat Enterprise Linux 4
Ubuntu 6.06 LTS Desktop, Novell SUSE Linux Enterprise Desktop 10 and Mac OS
X 10.4 (Tiger). Jones said he picked those particular Linux distributions
because they were either very popular (Red Hat and Novell), or an
up-and-comer (Ubuntu, which Dell ships as the default distro on its
Windows XP, which shipped on Oct. 25, 2001, had 36 vulnerabilities
in the first six months, including 23 that the NIST rated as High severity.
Thus, XP had three times the number of security holes as Vista.
But XP still fared much better than the Linux OSes. Jones compared Vista
to two different types of each Linux distribution: a full install with all
components, and a "stripped-down" version with only those components that
make it comparable to Vista functionality. Linux, unlike Microsoft
OSes, allows piecemeal installation of components.
During the first six months following the release of Red Hat Enterprise
Linux 4 WS, Red Hat fixed 214 vulnerabilities in the "reduced" version
used for comparison, including 62 that the NIST rated as High severity.
Novell's SUSE Linux Enterprise Desktop 10 fared better, with 123 vulnerabilities
in the reduced functionality version fixed by Novell, including 44 rated
High severity by the NIST.
Ubuntu Linux came in squarely in the middle of the Linux group. "In
the first 6 months, Ubuntu fixed 145 vulnerabilities affecting Ubuntu 6.06
LTS. 47 of those fixed were rated High severity in the NVD," Jones said.
Even Apple, which makes a big show of its security superiority over
Windows, fared worse, according to Jones' statistics. He reported that in
the first six months of its release, Mac OS X had 60 holes fixed, 18 of
which the NIST rated as High severity.
Jones' conclusion after looking at the data? "In all four cases
for the 6 month period after ship, Windows Vista appears to have a lower
vulnerability fix and disclosure rate than the other products analyzed,
including the reduced Linux installations. This affirms the early
that we found after 90 days and provides a supporting indicator that the
Microsoft Security Development Lifecycle process and heightened focus on
security is having a positive impact on Microsoft Windows in terms of
Not everyone is as convinced, however. Michael Cherry, of
analyst company Directions on Microsoft, cautioned not to read too much into
the figures. "It's meaningless," he said. "I don't understand this
with the number, as if that's a meaningful metric."
Cherry said that the past doesn't necessarily correlate with the future.
"As of today, they've looked at six months of Vista, but tomorrow they
be hit by a massive vulnerability, so does this have any predictive
Russ Cooper, a senior analyst with security vendor Cybertrust who
writes for 1105 Media, agreed. "Looking at desktop security from this
perspective is useless. The question is whether I'm going to have
compromised malware on my system or not. It's very, very clear that
exist almost exclusively in the Windows world, that attacks happen
exclusively in Windows."
Cherry is also suspicious of the less-than-scientific method of
determining vulnerabilities. "Many problems in operating systems are
reported by users over time. I'm not convinced there's enough eyes
at Vista yet."
That doesn't mean that Cherry thinks Vista is insecure, or that
Microsoft doesn't take security seriously. "Do I think Microsoft is
better job with security? Absolutely. Are they getting better all the
Absolutely ... But in this business you don't live and die by how good
you're doing, but the last time you messed up. This just seems to be an
attempt to build Vista momentum."
Cooper said that six months isn't enough time to determine how secure
Vista is. "We still have very few deployments and Vista-specific
applications, compared to those [apps] that are Vista-compatible. We
have software that uses the new programming model and leverages all
features that are new. For all we know, there's a fundamental flaw in
that hasn't been discovered yet, and won't until more users are working
more programs, Cooper commented.
Cherry shared the assessment that more time is needed. "We're
about an OS that, in essence, has a 10-year life (five years of
support, and five years of extended support). After six months, you're
trying to draw a trend line. In a year, you might have enough data to
to think about how it's doing."
In the meantime, Cherry said, "They're doing what we're expecting them
do. It doesn't warrant our holding a parade on their behalf."
Keith Ward is the editor in chief of Virtualization & Cloud Review. Follow him on Twitter @VirtReviewKeith.