February 28th marked 90 days that Windows Vista had been available to business customers. December brought the first public disclosure of a vulnerability and February brought the first Security Bulletin affecting Windows Vista. Has it been a good or a bad 90 days for security vulnerabilities?
I have analyzed the vulnerability disclosures and fixes for Windows Vista and examined the results in the context of its predecessor, Windows XP, along with several other modern workstation operating systems including Red Hat, Ubuntu, Novell and Apple products to try and answer that question.
For the full details, or to print the report, you can download the full report.
For those who only want the executive summary, here is a key chart that shows the publicly disclosed vulnerabilities during the first 90 days of availability, broken down by vulns fixed and vulns unfixed. Many have commented on previous studies that you can't get a full picture by just looking at issues fixed, so I worked to include disclosed, but unfixed, issues to try and present a more comprehensive view.
The results of the analysis show that Windows Vista has an improved security vulnerability profile over its predecessor and a significantly better profile relative to comparable modern competitive operating systems.
Read, Enjoy, Forward.
Best regards ~ Jeff
Full Disclosure: I work for Microsoft - read my previous blog post, "Exactly how biased am I?"
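The chart above is built from a simple rule: take every vulnerability publicly disclosed in the first 90 days after a product's release and split it into "fixed" (a fix shipped inside that same window) and "unfixed" (no fix had shipped by day 90). The script below, an added example that is not from the report or the original post, implements that counting rule so the reader can see exactly what does and does not land in each bar. The release date is the one implied by the post (February 28 being day 90 puts business availability at November 30, 2006); the vulnerability records are constructed placeholders, not real advisories, and the rule that "fixed" means "fixed before the window closes" is an assumption about the report's method.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional


@dataclass
class Disclosure:
    """One publicly disclosed vulnerability (constructed record, not a real advisory)."""
    vuln_id: str
    disclosed: date
    fixed: Optional[date]  # None when no fix had shipped at the time of counting


def first_window_counts(release: date,
                        disclosures: List[Disclosure],
                        window_days: int = 90) -> Dict[str, int]:
    """Count disclosures that fall inside [release, release + window_days).

    Assumed rule (matches the chart's fixed/unfixed split): a vulnerability is
    "fixed" only if its fix also shipped inside the window; a fix that arrives
    after day 90 still counts as "unfixed" for the 90-day snapshot.
    Disclosures before release or after the window are ignored entirely.
    """
    window_end = release + timedelta(days=window_days)
    fixed = unfixed = 0
    for d in disclosures:
        if not (release <= d.disclosed < window_end):
            continue  # disclosed outside the 90-day window: not on the chart
        if d.fixed is not None and d.fixed < window_end:
            fixed += 1
        else:
            unfixed += 1
    return {"fixed": fixed, "unfixed": unfixed, "total": fixed + unfixed}


# Business availability date implied by the post (day 90 == February 28, 2007).
VISTA_BUSINESS_RELEASE = date(2006, 11, 30)

# Constructed sample records with placeholder ids; dates chosen to exercise
# every branch of the rule above.
SAMPLE_DISCLOSURES = [
    Disclosure("PLACEHOLDER-001", date(2006, 12, 15), date(2007, 2, 13)),  # fixed in window
    Disclosure("PLACEHOLDER-002", date(2007, 1, 10), None),                # still unfixed
    Disclosure("PLACEHOLDER-003", date(2007, 2, 20), date(2007, 4, 10)),   # fixed after day 90
    Disclosure("PLACEHOLDER-004", date(2007, 3, 15), None),                # disclosed after window
    Disclosure("PLACEHOLDER-005", date(2006, 11, 1), date(2006, 12, 5)),   # disclosed before release
]


def sample_counts() -> Dict[str, int]:
    """Run the rule over the constructed sample set."""
    return first_window_counts(VISTA_BUSINESS_RELEASE, SAMPLE_DISCLOSURES)


if __name__ == "__main__":
    print(sample_counts())
```

Note what the rule leaves out: a vulnerability fixed without any public disclosure never enters the input list, and a fix that lands on day 91 is counted as "unfixed" even though the product is patched by the time anyone reads the chart. Both are worth keeping in mind when comparing these numbers across vendors with different disclosure practices.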

Even SP1 does not close the most critical errors in Windows Vista. We all strongly hoped, but all hopes were in vain!
First of all, I read "Exactly how biased am I?"; kudos to you.
I will qualify my comments/questions by saying I only found the "ON" switch 8 years ago and I quickly looked for a solution other than Microsoft. (Something about the way the manual for 98SE was written that got under my skin.)
It seems to my untrained eye that all this is comparing apples to oranges. Would it not be more appropriate to compare RHEL4 to Longhorn and SLED9 to Vista? Or is Vista a stand alone Enterprise solution now?
Also if I may point out, aside from the wonderful low count of vulns that you've shown here, I recently bought my wife a new laptop with Vista preinstalled and just last night the new anti-virus I was loading on it still had 23,000+ signatures and two assorted truckloads of trojans and worms to look for. This is secure by design?
Conversely, the only thing that's ever crashed my Mandrake/Mandriva system is me.
Oh and by the way, so you can pass this on to the guys in programming, Vista still dogs the processor something terrible. I burned a Mandriva One disk and had Matisse running from the Optical Drive and it runs just as fast and boots faster.
I think the upshot of most any comparison to an audience like you'll get here is, and I know I'm throwing gasoline on the fire, what if Red Hat had been able to spend $6+ BILLION Dollars and 5 years in the development of RHEL5? Where do you think the statistics would be then?
But I don't expect you to shoot yourself in the foot either.
Your chart shows XP also getting off to an excellent secure start.
And we all know what happened after that!
You must be kidding?! What kind of protection are we talking about? XP has never been as secure... Even at the start and after the appearance of each SP of that OS, it has remained unsafe.
http://www.eweek.com/article2/0,1895,1951186,00.asp indicates that it's well-known that Microsoft silently fixes security vulnerabilities. Contrast this with Linux, where the patches are often well-publicised. How do you account for this open versus secret skew?
Additionally, I'd be *very* interested to know what components were on your "reduced" RHEW. Ubuntu, well, Ubuntu by my count has over 7,000 components (dpkg -l '*' | wc -l). How many equivalent components does Windows Vista come with?
But there were 62 vulnerabilities for OS X this year so far and just last week there were 45 in a megaupdate. How did your chart show so few for OS X?
George,
This particular report compares and contrasts the first 90 days of availability for each product. So, for example, that is the first 90 days that OS X Tiger was available, as opposed to concurrent with the first 90 days of Vista.
However (I am a bit behind, but) I am going to post monthly scorecards similar to the January one I posted that will include "last 3 months" and "year to date" numbers. The most recent Apple patches won't be reflected in the February one, but will be in the March, and subsequent, scorecards.
Regards ~ Jeff
George, your desperation shows no bounds. Did you even read the report? It covers the first 90 days after release. Stop obsessing about Lynn Fox and go answer Thomas
http://www.matasano.com/log/730/george-ou-goes-all-in-on-dave-maynors-wifi-findings/
Stop pretending you haven't seen it and man up!
George, the chart only shows vulns disclosed in the 90 days after release. It obviously doesn't count this year's vulns for OS X. Looks like it has gotten worse for Apple.
Apple still has the fewest active in-the-wild vulnerabilities that affect it.
Vista has MANY MANY more vulnerabilities that affect it, many are carry-overs of old XP vulnerabilities which they aren't counting, or of windows based applications and third party software.
The way vulnerabilities are counted for Vista is highly questionable.
According to this, XP was hardly vulnerable out of the box when it was new... ummm... have you put a virgin unpatched XP machine on the net? How many seconds does it take to get compromised on average again?
Put the same unpatched virgin Mac on the net...oh wait there are a lot and there are hardly any that have been compromised.
There are lots of ways to manipulate security statistics.