Windows Vista One Year Vulnerability Report

Windows Vista shipped to business customers on the last day of November 2006, so the end of November 2007 marks the one year anniversary of supported production use of the product. This paper analyzes the vulnerability disclosures and security updates for the first year of Windows Vista and looks at them in the context of its predecessor, Windows XP, along with other modern workstation operating systems from Red Hat, Ubuntu and Apple. The results of the analysis show that Windows Vista has an improved security vulnerability profile over its predecessor. Analysis of security updates also shows that Microsoft's improvements to the security update process and the development process have significantly reduced the impact of security updates on Windows administrators compared to its predecessor, Windows XP.

Note that this report is an update to the previously published Windows Vista 90-Day Vulnerability Report and Windows Vista 6-Month Vulnerability Report. However, since one year is a more informative time frame, this report contains the results of a deeper level of analysis.

Here are a few highlights:

Metric                               Windows Vista (year 1)   Windows XP (year 1)
Vulnerabilities fixed                36                       65
Security Updates                     17                       30
Patch Events                         9                        26
Weeks with at least 1 Patch Event    9                        25
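The four highlight metrics are simple aggregates over a list of security advisories. The following Python is an added illustration, not code from the report or from Microsoft, of how such counts are derived from advisory records; it assumes that a "patch event" means a distinct calendar day on which at least one update was released, that a "week" is an ISO week, and that a vulnerability is counted once even when several updates address it. The advisory IDs, CVE-style identifiers, dates and severities are constructed sample data, not real ones. The severity filter and the "disclosed but unpatched" tally mirror the Critical/Important filtering and unpatched counts quoted from the report later on this page.

```python
from collections import namedtuple
from datetime import date

# Constructed sample data: these advisory IDs, CVE-style IDs and dates are
# invented for the example and do not correspond to real advisories.
Advisory = namedtuple("Advisory", "id released severity cves")

SAMPLE_ADVISORIES = [
    Advisory("ADV-001", date(2007, 1, 9),  "Critical",  ["CVE-EX-0001", "CVE-EX-0002"]),
    Advisory("ADV-002", date(2007, 1, 9),  "Important", ["CVE-EX-0003"]),
    Advisory("ADV-003", date(2007, 2, 13), "Moderate",  ["CVE-EX-0004"]),
    # CVE-EX-0004 is re-fixed here, so it must not be counted twice.
    Advisory("ADV-004", date(2007, 2, 15), "Important", ["CVE-EX-0004", "CVE-EX-0005"]),
    Advisory("ADV-005", date(2007, 4, 10), "Critical",  ["CVE-EX-0006"]),
]

# Constructed set of vulnerabilities publicly disclosed during the period,
# including two that no advisory above addresses.
SAMPLE_DISCLOSED = {
    "CVE-EX-0001", "CVE-EX-0002", "CVE-EX-0003", "CVE-EX-0004",
    "CVE-EX-0005", "CVE-EX-0006", "CVE-EX-0007", "CVE-EX-0008",
}

SEVERITY_RANK = {"Low": 0, "Moderate": 1, "Important": 2, "Critical": 3}


def vulnerability_metrics(advisories, disclosed=frozenset(), min_severity=None):
    """Aggregate advisory records into the metrics used in the highlights table.

    min_severity, if given, keeps only advisories at that severity or higher
    (assumption: the vendor's own severity label is used for the filter).
    """
    if min_severity is not None:
        floor = SEVERITY_RANK[min_severity]
        advisories = [a for a in advisories if SEVERITY_RANK[a.severity] >= floor]

    # A vulnerability fixed by two advisories is still one vulnerability.
    fixed = {cve for a in advisories for cve in a.cves}
    # Assumption: a patch event is a distinct release day.
    patch_days = {a.released for a in advisories}
    # isocalendar() yields (year, week, weekday); the first two identify the week.
    patch_weeks = {d.isocalendar()[:2] for d in patch_days}
    # Disclosed vulnerabilities with no fix at the end of the period.
    unpatched = set(disclosed) - fixed

    return {
        "vulnerabilities_fixed": len(fixed),
        "security_updates": len(advisories),
        "patch_events": len(patch_days),
        "weeks_with_patch_event": len(patch_weeks),
        "unpatched_at_period_end": len(unpatched),
        "total_disclosed": len(fixed | unpatched),
    }


if __name__ == "__main__":
    print("all severities:", vulnerability_metrics(SAMPLE_ADVISORIES, SAMPLE_DISCLOSED))
    print("Important+:    ", vulnerability_metrics(SAMPLE_ADVISORIES, SAMPLE_DISCLOSED, "Important"))
```

Two design points are worth noticing. Counting fixed vulnerabilities as a set rather than summing per-advisory CVE lists is what keeps the "Vulnerabilities fixed" figure from inflating when one issue is patched twice, and counting distinct release days is what makes "Patch Events" smaller than "Security Updates" when several updates ship together on one day.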


View: The Report (.PDF reader required)


18 Comments


I'm sure there's going to be a few zealots in denial, readying their trigger fingers, screaming: "Cite sources! Those statistics are FUD! PROVE IT!"

(Screaming Slave said @ #6)
I'm sure there's going to be a few zealots in denial, readying their trigger fingers, screaming: "Cite sources! Those statistics are FUD! PROVE IT!"

Of course, and they won't believe the statistics when you produce them.

These statistics are just statistics.

Finding and patching fewer bugs can mean either of two things:
1. There really are less bugs and vulnerabilities.
2. The programmers aren't doing their jobs.

A more accurate report on security would be to measure the number of successful break-ins relative to the total number of connections.

I agree; considering the volume of Vista machines compared to others and the hackers wanting to break anything MS, I think they did a good job.

End of the day, why spend time hacking the minority?

If overnight all MS OS machines were replaced with Linux or OS X, we would have a security meltdown.

(stevember said @ #3.1)
But your comment kind of confuses me. Sorry.

Merely exaggerating on the file transfer/copy issue. It seems like one of the more basic operations in computing and somehow it was all screwed up. After sitting through that a few times I went back to XP (30 day demo of Vista)...so win win.

That help? :P

For Linux lovers.

Red Hat is the most popular Enterprise Linux distribution, so their latest supported release that has been available for a full year, Red Hat Enterprise Linux 4 Workstation (rhel4ws), will be the first I examine.

  • When rhel4ws shipped on February 15, 2005, there were 129 vulnerabilities already publicly disclosed in shipping components prior to general availability. On ship day, Red Hat issued 27 security advisories to address 64 of them.
  • During the first year of availability, Red Hat issued 183 security advisories/updates for rhel4ws. If limited to just Critical and Important issues, there were 88 released on 57 different days.
  • During the first year of availability, Red Hat fixed a total of 493 vulnerabilities in rhel4ws. If limited only to those vulnerabilities labeled Critical or Important by Red Hat, the number of vulnerabilities fixed is 214.
  • At the end of the first year period, there were 82 vulnerabilities disclosed but without a patch (that would later be addressed with different fixes and security advisories). Adding that to the fixed vulnerability count tells us that a total of 575 vulnerabilities were disclosed in RHEL4 components during the first year.

and Ubuntu...

At the end of the one year period, there were at least 55 publicly disclosed vulnerabilities in Ubuntu 6.06 LTS that did not yet have a patch from Ubuntu. Adding that to the 406 fixed, we get a total of 461 vulnerabilities.

and Mac OS X 10.4

At the end of the one year period, a total of 41 publicly disclosed vulnerabilities in the product did not yet have a patch from Apple, so the total vulnerabilities disclosed for the product including fixed and unfixed was 157 vulnerabilities.

I'm not an MS fanboy, but the anti-Vista sentiment is kinda crazy and ill-informed. Yes, Vista has and had issues, but to warrant the same backlash XP got at first I don't believe is fair.

Even Apple have just announced they will use Vista's security technology in some of their software.

You do know that Linux distros cover more software than is available in Vista? Not only that but OSS disclose ALL vulnerabilities, including ones that the community discovers, and MS does not publicize or acknowledge or disclose vulnerabilities to the wild until the last minute. This chart also shows all vulnerabilities on the same level, whether critical or not.

(HalcyonX12 said @ #2.2)
You do know that Linux distros cover more software than is available in Vista? Not only that but OSS disclose ALL vulnerabilities, including ones that the community discovers, and MS does not publicize or acknowledge or disclose vulnerabilities to the wild until the last minute. This chart also shows all vulnerabilities on the same level, whether critical or not.

Notice he's posted numbers for "reduced" versions of Linux distros. So it's not ALL the software that comes with it. The reduced installs are smaller and closer to what a Windows install is.

(stevember said @ #1)
Again showing Vista IS more secure and XP had a lot more (nearly twice as many) issues in its first year.
And that is the conclusion that isn't stated. You can look at the number of patches. You can guess at the number of "unpatched", but never really know that. You deliberately don't count the number of undisclosed (non-public) bugs. There is just too much uncertainty there.

He does take a nice look, and tries to be as balanced as possible, at multiple platforms. One of my earlier complaints about Jeff Jones was his "all" approach to Linux. He seems to have taken the time and effort to balance the configurations as much as possible now, and I applaud him for that.

Nice data, but concluding "X is more secure than Y" is not reasonable given the inherent lack of ability to truly know all that lurks.

In fact, let's use one of the sources of data that Jeff Jones uses for his report: Secunia.

Compare the data for XP Pro, Vista and Red Hat yourself.
You can count the number of advisories, similar to what Jeff does, but not as detailed as his analysis, and you see that Red Hat has twice the number as XP! And Vista has under 30. Now look at the "unpatched" count. Red Hat has none listed. Both XP and Vista show unpatched advisories. What does this tell us? Still not enough.

You cannot judge "more secure" off of these simple metrics. You can just show them in lights that favor a point you want to make. And, if you actually followed those Secunia links above, perhaps you already read this yourself, but Secunia puts the following right on those pages:

PLEASE NOTE: The statistics provided should NOT be used to compare the overall security of products against one another. It is IMPORTANT to understand what the below comments mean when using the statistics, especially when using the statistics to compare the vulnerability aspects of different products.

Again, nice analysis, but your conclusion of absolute security is flawed, stevember.

Yes, but we need to consider installed volume too.

Vulnerabilities are found by hackers most of the time; hackers generally target the biggest volume, so IMHO Vista and XP should be a lot higher than the rest.

But I must stop as I'm sounding like an MS fanboy; both my servers are Linux.

:P Don't worry. I have jumped in to defend Microsoft on more than one occasion, and I dumped them from my PC 5 years ago (only use Windows at work, on the PC they supply me).