Microsoft: Vista More Secure Than XP and Open Source

Windows Vista was hit by significantly fewer publicly disclosed security flaws in its first year than Windows XP and open source rivals in their first years, according to a report from Microsoft. The report, written by Jeff Jones, a security strategy director in Microsoft's Trustworthy Computing group, is part of Microsoft's effort to show that its work on redesigning the security architecture and adding new security features to Vista has paid off.

Jones also found that changes to the way Microsoft handles patching have resulted in less work for system administrators on Vista compared to Windows XP. The report comes on the heels of figures from Secunia, which reported fewer vulnerabilities for Windows in 2007 compared to open source operating systems in the same time period. Microsoft's report, however, compares how each OS fared in its first full year of supported distribution, not in a common calendar year.

View: The full story @ PCWorld


22 Comments


All statistics are skewed how people want to skew them.

I can argue that because Microsoft has more security fixes then it's more secure... as you could say, on average all new software to begin with has the same number of security flaws (proportional to the length of the code).

Then... as OSX I believe contains twice as many lines of code as Vista, then OSX in theory would contain twice as many flaws. That is presuming both companies equally look into security.

Microsoft makes more money than Apple and so in theory can spend more on security so they would iron out more security flaws than Apple on release of a new product.

Also as OSX has a much smaller user base it will "find" a proportionally equally small number of flaws.


I have no idea where anyone comes up with this bo****ks about certain pieces of software being more secure than others.

It would be like me using 100 people and finding 10 needles in a hay stack. A haystack that had been cleared by 10 people before the 100 people looked.

Then comparing it to... 5 people and finding 1 needle in a hay stack. A haystack that had been cleared by 3 people before the 5 people looked.

It's so complex to compare as you have to start looking at other facts such as people will look at the same parts perhaps and also that people are better and finish them etc. etc. There is no good method to date looking at which is the best in security of any of the top products.

This sounds like the typical FUD Microsoft churn out on a regular basis. Here, it seems they are desperate to see a spike in Vista sales.

The fact is, the NSA find Open Source a better model for security, as you can see in their own distro SELinux: "Linux was chosen as the platform for this work because its growing success and open development environment provided an opportunity to demonstrate that this functionality can be successful in a mainstream operating system and, at the same time, contribute to the security of a widely used system."

It's frankly impossible to imagine a day in which the NSA start using Windows as their OS of choice for critical spying and monitoring systems, and that is saying something.

Not sure MS are that desperate to see a spike in Vista sales with last quarter's revenue being the highest ever.

Windows seems secure enough for the London Stock Exchange, British Navy Submarines, Accenture, BAE Systems, Dubai Islamic Bank, Alliance & Leicester (including online banking), Boeing, Israeli Navy, Scandinavian Airlines, Virgin Megastores, HDFC Stock Brokers and hundreds of thousands more.

If Linux is the right choice for the NSA then that's fine. Linux is the right choice for various projects I undertake - but simply stating that one platform is more secure than another just because the NSA uses one over another proves nothing.

And as a British reader of Neowin, I have so little faith in the US Government's intelligence of late I take what platform they use to gather intelligence with a pinch of salt anyway.

Um, if it's so easy to find holes in OSS, you have to wonder why there are so many holes discovered after release. OSS has beta phases, so why aren't the holes discovered then before general public release?

Not saying any OS is more secure than any other, but 7.04 of Ubuntu half way through its '6 month lifecycle' had over 100 patches that needed to be applied. That's on par with WinXP SP2 which was out years ago.

And don't forget people that Vista includes a browser, media player, web server, mail client and various other apps (calendar, address book, sidebar/gadgets, fax/scan apps, sharing/collaboration tools, image editor etc).
Whilst it doesn't include Office, it does include a lot which is sometimes included with OSS distros too. With IE7, WMP and IIS on one box and with their reputation and the market penetration, it's harder and harder to state that Windows is a poorly secured platform compared to the rest of the market.

Yeah, whatever. Same PR again. No amount of PR will change the facts. Hasn't Bush taught you anything? PR only goes so far, at some point you've got to deliver.

I would say the Windows code base has hundreds if not thousands of flaws which are hidden due to the closed source nature of the software. However, you can download the Linux sources freely and find a flaw much easier with that level of access.

(ivanz said @ #9)
I would say the Windows code base has hundreds if not thousands of flaws which are hidden due to the closed source nature of the software. However, you can download the Linux sources freely and find a flaw much easier with that level of access.

If it's so easy then find one. Find a bug in Linux code and show me.
Also Windows source is available. But only to smart people who really need it.

Question: When did Microsoft ever say their OS wasn't more secure than the last version of Windows or Open Source (or for that matter OSX?)?

Windows Vista was hit by significantly fewer publicly disclosed security flaws

Oh, so they do the count by checking how many flaws MS discloses publicly. Not by how many flaws exist, are found by 3rd parties we don't know about (and why would a botnet op disclose how they did it and let anyone else get the cash or close the holes?).... you know, this isn't exactly a scientific proof...

I think they've used that exact same title for the story for each OS they've ever done, haven't they?

I'm thinking also, it's SUPPOSED to work that way, isn't it? Duh!!

Unfortunately,
Vista fits right in under Windows Me, for all around crap OS, IMO.

Not the ME comparison (again). I will admit that the media applications they included sort of resemble WinME. The problem is that is where the comparison stops. The truth is all versions of Windows that ran on the 9x kernel were pretty awful (yes, even Windows 95 and sure as hell Windows 98, why do you think they had SE, which also sucked). Back in the day, I used to use Windows 95 as a partition to run games (and Windows NT 4.0 for everything else). When Win2k came out, I moved over to it as a full time operating system and have never looked back (at least not for Windows).

"Windows Vista was hit by significantly fewer publicly disclosed security flaws in its first year than Windows XP and open source rivals in their first years"

This should come as a surprise to no one since Vista is XP's successor and, as far as Open Source, just add it to the "Get The Facts" campaign.

Vista is so secure, its had MAJOR kernal problems throughout the years, so counting that I would say Vista with no SPs has to be the weakest OS out so far, shellcode and run any application or do anything.

Eh. Vista is easily the most secure version of Windows that's ever been released. Hell, its built-in security features manage to mitigate its own exploits and exploits in 3rd party software from being too big of a deal.

Also, you've spelled kernel with an 'a', which makes me doubt you actually know what a kernel is, or 'shellcode', or anything else, really.

Apples and oranges - take, for example, the SuSE distribution of Linux.

They include tons of extra software such as Open Office or server software that may or may not be enabled by default on your installation but any security flaw in them gets marked as a "minus" for the distribution or Linux in general. Vista ships with practically no productivity applications to speak of - once you start adding Microsoft's own software such as the Office suite or other server and application software the "numbers even up".

I could release a nigh impenetrable Linux distribution that ships with nothing but a browser much like Vista - then I could put out pretty PR releases too. I can smell millions here.

/rant.

No. Read the report, and the methodology used. He excludes non-equivalent packages, so GIMP, OO.o, sendmail, etc. are all not counted against Linux.

If I recall, in the past, Mr. Jeff Jones had done a "sum total" count on Linux, and got royally criticized for a shoddy analysis. He actually does take time to level the comparison. However, as I pointed out earlier, he glosses over the "unpatched" flaws. Primarily beating the "look at the numbers" drum.

It is just one aspect of security that must be considered. The time-to-patch, severity and so forth are not compared at all in this report.

Windows Vista was hit by significantly fewer publicly disclosed security flaws in its first year than Windows XP and open source rivals in their first years, according to a report from Microsoft.

It is not really the first year. It may be the first year as being branded Vista, but most of Vista is derived from other products. Vista, like OSX, was not coded from scratch. I also don't like "publicly disclosed" as a qualifier. Also, are they comparing just the OS, or are they also lumping in shipped software? Bottom line, these are not facts but marketing.

I don't think "publicly disclosed" is exactly fair, either... But what else can they do? Yes, Jeff Jones has access to Microsoft's stash of private flaws not yet patched. He could include those. But how is he going to include the private ones on the Linux Kernel Mailing list? Or Apple? Or Mozilla?

(markjensen said @ #3.1)
I don't think "publicly disclosed" is exactly fair, either... But what else can they do? Yes, Jeff Jones has access to Microsoft's stash of private flaws not yet patched. He could include those. But how is he going to include the private ones on the Linux Kernel Mailing list? Or Apple? Or Mozilla?

The "publicly disclosed" caught my eye too. One of the greater strengths of open source is that it is difficult to hide flaws. Everyone knows that MS is notorious for withholding information about security holes... they have their legitimate reasons, but that doesn't mean we have to like it.

Actually, I am looking through the report now. It seems that his own report shows (on page 17) that UbuntuLTS is the one with less open holes. Funny, though, he never really talks about that aspect much. Just the number of patches that fix issues.