Last week, when I reported on the new Symantec study comparing operating systems by the number of vulnerabilities found in the second half of 2006, I wondered when the first study that includes Vista would appear. I just stumbled across the 90-day Vista vulnerability report by Jeff Jones, Microsoft's security strategy director, and there is an interesting debate going on in the blogosphere now.
Of course, studies in which a company compares itself with its competitors are always suspect. There are so many ways to massage objective data in statistics just to get the results you want. (I am currently writing my annual report, so I know what I am talking about.) Still, the results of this vulnerability report are quite impressive.
In the first 90 days after its release, Vista had 5 vulnerabilities, which is not much compared to Windows XP, which had 17 in its first 90 days. It is also interesting to compare this figure with the vulnerabilities of other operating systems during the same period: Mac OS X 10.4 had 20 and Ubuntu 71, for example.
There is a lively discussion going on on his blog. One commenter remarked that these results are not very convincing since Vista's installed base is still too small. This was also my first thought. Jeff Jones replied that the installed base of Red Hat Enterprise Linux 4 Workstation is much smaller than Vista's, and RHEL4WS had more than 180 vulnerabilities in this period.
Joe Wilcox from Microsoft Watch also has some convincing arguments. He accuses Jeff Jones of having fallen into the "counting trap". Wilcox refers to the data in the National Vulnerability Database (run by NIST and sponsored by the Department of Homeland Security). According to the NVD, there were another 11 Vista vulnerabilities in the past three weeks alone, and this data is more telling because Vista was only available to a limited audience before March. He adds that alerts mentioning Internet Explorer should be included as well, since IE is part of the operating system, and there were about two dozen of those, some of them related to third-party ActiveX controls.
The question now is whether it is reasonable to count third-party software at all. Well, most Linux distributions consist mostly of "third-party software". Does it even make sense to compare vulnerability counts across operating systems? Joe Wilcox correctly concludes that "alerts are not a measure of security".
I'd like to add that the number of vulnerabilities is only one factor (and a minor one at that) when it comes to security. Many other factors have to be taken into account, too: the severity and exploitability of each vulnerability, how often an OS is targeted by the bad guys, the malware in the wild, the know-how of its users, and so on.
However, I think that Joe Wilcox is wrong when he asserts that Vista has not improved with respect to security. It is obvious that Microsoft invested a lot of money in Vista's security, so it would be a big surprise if all that money had been spent for nothing. Besides, there is no doubt that Vista has many new security features (User Account Control, address space layout randomization, BitLocker drive encryption, and Protected Mode for Internet Explorer 7, to name a few). If you argue that Vista has not improved, then you have to explain why all these new security features are useless.