Report: Vista more secure than OS X and Linux


Report: Vista more secure than OS X and Linux

Posted Jun 22nd 2007 7:58AM by Thomas Ricker

Filed under: Media PCs, Laptops, Desktops


Attention Linux, Vista, and Apple fanboys: put on your gloves... it's time to rumble! A 6-month vulnerability report issued by Jeff "Security Guy" Jones has caught the eye of Redmond and the ire of places beyond. The report, which bases its security assessment upon vulnerabilities found (not actually exploited), claims that Vista is "more secure than OS X and Linux." In fact, the much maligned XP even crushes the competition using their calculations. Of course, it's worth noting that Jeff is a member of Microsoft's Security business unit, which will probably sway your opinion as to the integrity of the data. Still, as incomplete as the assessment may be, it certainly appears to be a good showing for Vista considering the vast community of hackers attempting to thwart its security. We can predict what Billy G's probably saying right about now: Dy-no-mite JJ!

Source

Discuss!!! :p

/me runs and hides...

Can't take this report seriously because of the picture they used as a background to the graph.

They didn't use that picture, engadget seems to have added it, the original report doesn't have any background.

----

I really don't know why people bother with these reports, even if they're correct. All it does is start a million complaints from Mac and Linux users claiming OSX/[insert Random Linux Distro] is better because [insert random unrelated reason].

Edited by Jamie9

... bullsh*t

Of course, it's worth noting that Jeff is a member of Microsoft's Security business unit which will probably sway your opinion as to the integrity of the data.

and looks to me that Vista still has more UNFIXED vulnerabilities

Edited by Aleck79
... bullsh*t

looks to me that Vista still has more UNFIXED vulnerabilities

Pure speculation! The fact is, there are no facts on how many "unfixed" vulnerabilities there are.

There is more to security than comparing the number of patches: the severity of these flaws, how long from identification to patch (time to repair), and how they all interrelate to each other. A local DoS issue left open for a year is less of a security risk than a remote system-level compromise left open for a week.

Then, to be fair, you need similarly-configured systems.

This is comparing just a number of patches on systems that are not identically configured. What does "Vista" ship with? Precious little, other than the OS. What does RHEL, or Ubuntu ship with? Tons of stuff.

If this gentleman is going to try to be taken seriously by me, he needs to do the serious research and work to do a proper comparison.

I know where I place my trust, and it isn't with Microsoft.
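The two objections above (severity and time-to-repair matter more than raw counts, and the systems being compared must ship the same components) can be made concrete with a small scoring script. This is an added illustration, not code from the thread or from Jones's report: the severity weights, the doubling for remotely reachable flaws, and the two vulnerability lists are all constructed assumptions chosen to show how the ranking changes once you weight by exposure and restrict both products to a shared component set.

```python
from dataclasses import dataclass
from datetime import date
from typing import Iterable, Optional

# Assumed weights: a constructed scale, not one taken from any real advisory scheme.
SEVERITY_WEIGHT = {"low": 1, "medium": 3, "high": 7, "critical": 10}
REMOTE_MULTIPLIER = 2  # remotely reachable flaws count double (assumption)


@dataclass(frozen=True)
class Vuln:
    vuln_id: str          # constructed identifier, not a real CVE
    product: str
    component: str        # "base" = part of the core OS; anything else is bundled software
    severity: str
    remote: bool
    disclosed: date
    patched: Optional[date]  # None = still unfixed at the end of the window


def exposure_days(v: Vuln, as_of: date) -> int:
    """Days the flaw was publicly known without a fix, capped at the window end."""
    end = v.patched if v.patched is not None else as_of
    return max((end - v.disclosed).days, 0)


def risk_score(v: Vuln, as_of: date) -> int:
    """Severity-weighted exposure: a critical remote flaw open for months dominates."""
    weight = SEVERITY_WEIGHT[v.severity] * (REMOTE_MULTIPLIER if v.remote else 1)
    return weight * exposure_days(v, as_of)


def summarize(vulns: Iterable[Vuln], product: str, as_of: date,
              components: Optional[set] = None) -> dict:
    """Count, unpatched count and weighted exposure for one product.

    Pass `components` to restrict the comparison to a shared component set,
    which is the 'similarly configured systems' requirement from the thread.
    """
    sel = [v for v in vulns
           if v.product == product and (components is None or v.component in components)]
    return {
        "count": len(sel),
        "unpatched": sum(1 for v in sel if v.patched is None),
        "weighted_exposure": sum(risk_score(v, as_of) for v in sel),
    }


# Constructed six-month window and constructed data. OS-A ships a lean base
# with few flaws but leaves one critical remote hole open all window; OS-B
# ships many bundled packages with lots of minor, quickly patched flaws.
AS_OF = date(2007, 6, 1)
VULNS = [
    Vuln("A-1", "OS-A", "base", "critical", True, date(2007, 1, 10), None),
    Vuln("A-2", "OS-A", "base", "medium", False, date(2007, 2, 1), date(2007, 2, 15)),
    Vuln("A-3", "OS-A", "base", "low", False, date(2007, 3, 5), date(2007, 3, 12)),
    Vuln("A-4", "OS-A", "base", "high", True, date(2007, 4, 20), date(2007, 4, 25)),
    Vuln("B-1", "OS-B", "base", "high", True, date(2007, 1, 8), date(2007, 1, 11)),
    Vuln("B-2", "OS-B", "base", "medium", False, date(2007, 2, 10), date(2007, 2, 20)),
    Vuln("B-3", "OS-B", "base", "low", False, date(2007, 3, 1), date(2007, 3, 30)),
    Vuln("B-4", "OS-B", "media-player", "low", False, date(2007, 1, 15), date(2007, 1, 20)),
    Vuln("B-5", "OS-B", "media-player", "medium", True, date(2007, 2, 5), date(2007, 2, 7)),
    Vuln("B-6", "OS-B", "web-server", "high", True, date(2007, 3, 10), date(2007, 3, 12)),
    Vuln("B-7", "OS-B", "web-server", "low", False, date(2007, 4, 1), date(2007, 4, 10)),
    Vuln("B-8", "OS-B", "office-suite", "medium", False, date(2007, 4, 15), date(2007, 5, 1)),
    Vuln("B-9", "OS-B", "office-suite", "low", False, date(2007, 5, 2), None),
    Vuln("B-10", "OS-B", "image-lib", "high", True, date(2007, 5, 10), date(2007, 5, 14)),
]


if __name__ == "__main__":
    for product in ("OS-A", "OS-B"):
        print(product, "everything shipped:", summarize(VULNS, product, AS_OF))
        print(product, "base OS only:     ", summarize(VULNS, product, AS_OF, {"base"}))
```

On the constructed data OS-A "wins" the raw count (4 flaws against 10) and both products have one unfixed flaw at the window end, yet OS-A's weighted exposure is roughly ten times OS-B's because of the single critical remote flaw left open for 142 days. Restricting both to the base component set shrinks OS-B to three flaws and leaves the weighted gap wider still, which is the point of the two posts above: the metric you pick and the scope you compare decide the winner.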

A quick look at the graph merely illustrates that it's had more vulnerabilities that needed to be fixed in its first 6 months, not that it's more secure. If anything the graph shows the opposite: those with fewer vulnerabilities are the more secure OSes.

Microsoft better at patching XP than Vista

IDG News Service 06/21/2007

Robert McMillan, IDG News Service, San Francisco Bureau

A Microsoft Corp. security executive released data Thursday showing that, six months after shipping Windows Vista, his company has left more publicly disclosed Vista bugs unpatched than it did with Windows XP.

In total, Microsoft has patched 12 out of 27 disclosed Vista vulnerabilities in the six months after it first shipped last November. During XP's first six months, Microsoft's security team patched 36 out of 39 known bugs.

The data was published by Jeff Jones, a Microsoft security strategy director, who said that overall, Vista was doing better than XP. "Windows Vista continues to show a trend of fewer total and fewer high-severity vulnerabilities at the six month mark compared to its predecessor product, Windows XP," he wrote.

Jones didn't address the larger number of unpatched vulnerabilities, but he did note most of the unpatched Vista bugs were not critical. Microsoft had left only one high-severity Vista vulnerability unpatched during the period. At the end of XP's first six months, there were two high-severity bugs that were unpatched.

Microsoft patched 23 high-severity XP bugs during its first six months, compared with only one high-severity Vista flaw.

Jones argued that Vista had a lower number of vulnerabilities than competitive operating system products such as Red Hat Enterprise Linux and Mac OS X.

He published the data in an effort to show how Microsoft's software development methodology, called the Security Development Lifecycle (SDL), is yielding dividends. But his method of comparing Windows to Linux and Mac OS X is problematic, according to some.

"This is an apples-to-oranges comparison," said HD Moore, one of the hackers behind the popular Metasploit penetration testing toolkit. "If you want a more accurate view, try comparing the number of flaws between Microsoft-developed software and vendor-X-developed software. Most Linux vendors don't actually write the majority of the packages they include," he said via e-mail.

"Alternatively, force Microsoft to include all vulnerabilities in common third-party software," he added. "For example, the thousands of exploitable ActiveX controls that... vendors include with a Windows system."

According to Randy Abrams, director of technical education with antivirus vendor Eset LLC, it will be more interesting to look at vulnerability statistics once Vista becomes more popular than XP, and the target of more hackers.

But Microsoft has stepped up its security practices, he added. "I think their Security Development Lifecycle initiative has improved the quality of the code," he said.

wait wait wait, didn't Vista come out late january...

vista has been out less than 6 months... rofl

Vista RTMed in November. The copy everyone is using is the same one that was released to businesses back then. The January thing was just for consumers.

These days I take these kind of reports with a box of salt. (not a pinch like normal) lol :laugh:

They can be very biased.

Only proper companies with integrity, that lookout for consumer interests are worth looking at.

lol

then again... let's see what happens in a year from now...

how many vulnerabilities pop-up.

And where did IDG get the number of Vista Vulnerabilities as 27?

If you look at Microsoft Security Response, Secunia or other sites, the number is only 10. And critical ones have been fixed. There are a couple of low priority issues which are essentially impossible to exploit.

So I call BS on IDG's article.

"Our software, by the way something you can't do anything with, has fewer flaws in programs than other operating systems." Wait, I'll release a Linux distribution that ships with nothing other than a browser, a braindead media player and notepad - woop, I just created the world's most secure operating system.

Jesus a christ.

There is a difference between how many flaws and what the flaws are. Look at Ubuntu 6.06: sure, they have had a huge number of security fixes, but I'm sure half of them don't even affect the average user, being components they don't use.

If anyone bothered to read the article (click on the graph) you'll see exactly what vulnerabilities he's talking about and the severity of them.

I think that most of the discussion here is that the graph is only of a single metric, and isn't very comprehensive. Certainly not enough to come up with the very broad conclusion that "Vista pwns all".

I'd like to take this thread and start a small side-bar here:

If you are a Microsoft Windows user, does the fact that the info is coming from Microsoft add more weight behind it?

and now, the b-side...

If you are a Linux user (all variants, since our comments are only focusing on the OS), does the fact that there is info produced by the F/OSS groups that support their data concerning Linux affect your interpretation of their info?

For those that can't understand what I'm trying to say - Does your personal preference and support of one OS make the reliability / stability / threat & vulnerability surface appear to be smaller than the competition?

There are apologists and evangelists on either side of the fence, and they will try to spin the provided info to make their position appear to be better than the competition. I doubt that anyone posting in this thread would see the competition as being better, simply because both sides are trying to justify their choices - which, IMHO, is a load of cattle-crap.

I have always taken the following stance: If a given software package does what it needs to for you, then good for you - you've struck paydirt. Not everyone likes Windows, and not everyone likes OS X, Linux, etc. It's as if this is some kind of "software jihad", and there is really no reason for it. Being impassioned about something is good - until it gets out of control and heads towards bigotry...of any kind.

There is a reason why UNIX, Linux and its variants still hold sway against the number of servers running Windows; it appeals to SysAdmins & NetAdmins and solves their IT issues. There is a reason that Windows has the marketshare it has; it appeals to your average, everyday computer users in both Business / Office environments and the home user.

Another analogy: Would I perform better at the Nürburgring with a Chevy Truck or with a Ferrari? Would it make sense to pull my boat around on vacation with a Ferrari or the Chevy Truck?

^^^ I don't know where this information came from. All I know is that it isn't very complete.

EDIT: By that, I mean the "affiliation" of the original blog writer.

EDIT 2: In the same vein, I didn't post a BPN news article about Linux/Apache servers performing better than Windows/IIS, because it also lacked completeness, being just a survey. It isn't about which "camp" you are in. It is about doing a complete analysis, and coming to a proper conclusion. Looking at one single stat, and declaring an overall winner is faulty.

Edited by markjensen