Windows Vista - 6 Month Vulnerability Report
Thu, 2007-06-21 11:53

I was somewhat surprised (but pleased) at the level of interest back when I published my Windows Vista - 90 Day Vulnerability Report.  It was about the earliest span of time I thought might give us some indicators, and the indicators did look good.  (Though, I did not give us an "A+", in spite of some of the attributions ;-)

Six months is a much more interesting time frame, and gives us the opportunity to see if the early trend indicators are holding up, or if the early signs of progress were a short-term gain.  Also, I thought it was worth going a little deeper in the analysis to look at the total fixed and unfixed vulns as I did last time, plus these additional views:

  • Include a comparison view of Linux distribution workstation builds that excludes vulnerabilities in non-default optional components, as well as OpenOffice and other applications that do not have equivalents on Windows XP.
  • Include a comparison view that excludes Low and Medium severities to just focus on High severity vulnerabilities fixed and unfixed in the first 6 months, and
  • A comparison view that combines both of these
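To make the counting behind these views concrete, here is an added Python example (my own code, not from the report). It assumes a fixed 182-day "6 month" window, constructed sample vulnerabilities for two hypothetical products, and my reading of the method: a disclosure counts as fixed only if its fix shipped inside the same window. It also shows the concurrent calendar-window variant, where every product is measured over the same dates regardless of release.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# Assumption: "first 6 months" is modelled as a fixed 182-day window after release.
WINDOW = timedelta(days=182)


@dataclass(frozen=True)
class Vuln:
    product: str
    severity: str             # "High", "Medium" or "Low"
    disclosed: date           # public disclosure date
    fixed: Optional[date]     # date a fix shipped, None if still unfixed
    default_component: bool   # affected component is part of the default install


# Constructed sample data for two hypothetical products (not real advisories).
RELEASE = {"ProductA": date(2006, 11, 30), "ProductB": date(2006, 6, 1)}
SAMPLE: List[Vuln] = [
    Vuln("ProductA", "High",   date(2006, 12, 15), date(2007, 1, 9),  True),
    Vuln("ProductA", "High",   date(2007, 3, 1),   None,              True),
    Vuln("ProductA", "Medium", date(2007, 2, 10),  date(2007, 2, 13), True),
    Vuln("ProductA", "High",   date(2007, 5, 20),  date(2007, 6, 12), True),  # fix lands after window
    Vuln("ProductA", "Low",    date(2007, 6, 5),   None,              True),  # disclosed after window
    Vuln("ProductB", "High",   date(2006, 6, 20),  date(2006, 6, 25), True),
    Vuln("ProductB", "High",   date(2006, 7, 4),   date(2006, 7, 20), False),  # optional component
    Vuln("ProductB", "Medium", date(2006, 9, 1),   None,              True),
    Vuln("ProductB", "High",   date(2006, 10, 15), None,              True),
    Vuln("ProductB", "High",   date(2007, 1, 10),  date(2007, 1, 20), True),  # outside B's first 6 months
]


def count_fixed_unfixed(vulns: List[Vuln], product: str,
                        window_start: Optional[date] = None,
                        window_end: Optional[date] = None,
                        high_only: bool = False,
                        default_only: bool = False) -> Tuple[int, int]:
    """Return (fixed, unfixed) for one product's disclosures inside a window.

    The window defaults to [release, release + WINDOW]; pass window_start and
    window_end to measure a concurrent calendar period instead. A disclosure
    is 'fixed' only when its fix date also falls on or before window_end.
    """
    start = window_start or RELEASE[product]
    end = window_end or RELEASE[product] + WINDOW
    fixed = unfixed = 0
    for v in vulns:
        if v.product != product or not (start <= v.disclosed <= end):
            continue
        if high_only and v.severity != "High":
            continue
        if default_only and not v.default_component:
            continue
        if v.fixed is not None and v.fixed <= end:
            fixed += 1
        else:
            unfixed += 1
    return fixed, unfixed


def views(product: str, vulns: List[Vuln] = SAMPLE) -> Dict[str, Tuple[int, int]]:
    """The four per-release views described in the post, for one product."""
    return {
        "all":              count_fixed_unfixed(vulns, product),
        "default_only":     count_fixed_unfixed(vulns, product, default_only=True),
        "high_only":        count_fixed_unfixed(vulns, product, high_only=True),
        "high_and_default": count_fixed_unfixed(vulns, product, high_only=True, default_only=True),
    }


def concurrent(product: str, start: date, end: date, vulns: List[Vuln] = SAMPLE) -> Tuple[int, int]:
    """Same-calendar-period comparison: every product measured over [start, end]."""
    return count_fixed_unfixed(vulns, product, window_start=start, window_end=end)


if __name__ == "__main__":
    for p in RELEASE:
        print(p, "first 6 months:", views(p))
        print(p, "Nov 2006 to Jun 2007:", concurrent(p, date(2006, 11, 30), date(2007, 6, 21)))
```

Note how ProductB's unfixed High count shrinks when optional components are excluded, and how the concurrent window drops nearly all of its early history while pulling in a later fix.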

For the full details, or to print the report, you can download the report in pdf.

For those that only want the executive summary, here is a key chart that shows the publicly disclosed High severity vulnerabilities during the first 90 days of availability, broken down by vulns fixed and vulns unfixed.  Note that this chart is showing the reduced Linux builds that exclude non-default and optional components without equivalents on Windows.  (Clicking the chart also gets you to the full report.)

 High Severity Vulns, Fixed and Unfixed in First 6 Months of Windows, Red Hat, Novell SUSE, Ubuntu, Apple Mac

The results of the analysis show that Windows Vista continues to show a trend of fewer total and fewer High severity vulnerabilities at the 6 month mark compared to its predecessor product Windows XP (which did not benefit from the SDL) and compared to other modern competitive workstation OSes (which also did not benefit from an SDL-like process).

If you share the opinion that Windows and applications ported to Windows get a higher level of researcher scrutiny than other OSes, then the 6-month results are even more positive.  If you don't share that opinion, then they still stand on their own ...

Read, Enjoy, Forward.

Best regards ~ Jeff

Full Disclosure:  I work for Microsoft - read my previous blog post, Exactly how biased am I?.


Also, I'd like to make a shameless plug for my other blog, http://blogs.technet.com/security, where I sometimes post more personal entries such as The Saga of My Luggage & British Air and Building My Windows Vista Media Center - Part 1 - The System.

Reader Feedback
Thu, 2007-06-28 09:04
The whole premise is flawed
By Anonymous

While this is an interesting metric, it is near useless in the real world. Discovered flaws and patches published are only a small fraction of the whole security picture and present a misleading image of overall security of the competing OS's.

In my view, the simplest way to gauge security is by taking a realistic view. How likely are you to contract a virus for a given OS (this can be broken down in two ways: 1) assuming that you use the default setup and 2) assuming that you use reasonable precautions). At the end of the day, all that matters is whether the respective companies are meeting the challenges faced by their particular OS's (it can be argued that Windows, as the biggest target, faces the biggest challenge--though this is actually irrelevant to the measure of real world security). By this simple and easily verifiable gauge, it seems clear that OSX and the various Unix branch OS's are far more secure.

You can argue for decades on why that is. Is OSX more secure because of its modular construction or because fewer hackers attempt to hack it in the first place? But at the end of the day, it doesn't really matter. The simple fact is that there are no viruses in the wild for OSX. That, in a very real (not simply theoretical) way, makes it more secure. If you don't want to worry about viruses and pop-ups then there is a clear choice at present.

Will it stay that way indefinitely? Nothing lasts forever. But OSX has a 5+ year track record that seems to suggest it will continue its leadership in security.

Isaac

Thu, 2007-06-28 07:15
I would be interested...
By Leadgolem

I attempted to post a somewhat shorter comment previously; perhaps your filter thought it was spam.

Four things I would be interested to know.

1. As you stated in your report, you removed software which had no equivalent in Vista. When you were counting security fixes, did you count fixes to the software that performed the same "out of box" functions? I.e. web browser, email client, etc. Before you say it, I did read your report. This particular point was unclear.

2. What version of vista was this count made against?

3. I was unable to find information regarding the US DOD ratings for vista. I was wondering if you either had that information or could point me in the right direction.

4. How does Vista stack up in a 90 day review against RHEL5? Obviously too early for a 6 month review, but a preliminary analysis would be helpful.

Thu, 2007-06-28 04:39
Good work on the report.
By Ryan

Good work on the report. Personally I'm tired of reading all the "blah blah conspiracy, blah blah Linux is invulnerable" posts. The numbers show the facts. (BTW I run Linux on my MacBook Pro, take that OSX fanboys! and I hate Windows but I must use it for my gaming habit ;) So I commend you for doing this and I HOPE Linux will show better on your next review!

Thu, 2007-06-28 02:15
No matter how good the
By Anonymous

No matter how good the security of any microsoft product is, its implementation is always a last measure.

Why did it take so long for proper measures to be implemented? Simply because they could get away with it.

The economics of the microsoft business model demand that as soon as the public has been appeased money "wasted" on security will be re-diverted toward other purposes.
This is in huge contrast to Linux where, no matter if any commercial Linux distributor were to become negligent on security, there will be a party that will implement it for you, simply because a potential failing of the distributor would create economic incentive for a third party to step up and compete with them, a situation impossible with any version of Windows.
It's one of the benefits of a free market on an equal playing field.

Coincidentally, this mostly invalidates the "time until vendor distributes patch" metric. Administrators caring for an existing critical installation confronted with a critical vulnerability will be able to replace erroneous code regardless of vendor activity. It might be a temporary kludge that will not be suitable as an official patch to cover the vulnerability, but it will take care of the problem in the meantime, something not possible within a closed-source operating system.

For any large or critical installation this is the difference between administrators sitting around shrugging shoulders and saying "Well, we're waiting for Microsoft. What can you do?" and administrators assessing the real threat to the installation and being able to actively engage the problem.

If your business is important to you, *you* should have control over it regardless of how much security any outside metric promises.

Wed, 2007-06-27 17:06
Well, let's see, what all
By Anonymous

Well, let's see, what all was in the Linux distros? Was it a full DVD install of Ubuntu with everything in it? Was it a stripped down install to meet the features that Windows provides out of the box? I mean, if you're talking about the full OS that includes apache, mysql, nfs, etc., yes, it will have a lot of vulnerabilities and not much can be done about that fact.

Let's talk servers, how does a full install of windows server 2k3 match up to a LAMP setup?

Wed, 2007-06-27 21:07
RE: Well, let's see, what all

Well, the report actually answers your question, so I won't repeat it here... but I'll give you a hint, the report covers more than one installation scenario...

As for servers, I can point you at some role-based analysis that has been done to specifically compare 2k3 (+ .NET + SQL) with LAMP:  http://www.microsoft.com/windowsserver/facts/analyses/secinnovation.mspx.  It is a Microsoft-sponsored study, but the methodology is laid out pretty clearly, as well as the sources, so you should be able to validate it or duplicate it if you are skeptical.


Tue, 2007-06-26 09:30
Where is FreeBSD,
By F_L

Where is FreeBSD, Solaris?

Stupid test - doesn't show anything :-(

Tue, 2007-06-26 09:29
can you really trust the numbers
By Justin

I personally think that you really can't compare companies in this way. Firstly you got to take into account how companies work. If you look at the graphs, all the open source OS's had more bugs than the closed source operating systems. The fact is that you can't really trust any of the reports that come from any of the closed source proprietary operating systems. They don't have to tell you about a bug unless they want to or until they have a patch ready for it. On the other hand the open source based companies have a far more open development process. Red Hat can't hide a bug in its software because most of the software is Open Source. So in the end can you really trust the numbers?

Note: I use Linux and Windows almost every day.

Mon, 2007-06-25 08:49
stupid study
By Sergio

don't forget that Jeff Jones works at micro$oft ........

it's unuseful to say more

Sat, 2007-06-23 05:51
Jeff, you are forgetting to
By Vincent

Jeff, you are forgetting to mention all the security features Red Hat and Fedora have:

http://fedoraproject.org/wiki/Security/Features
http://www.awe.com/mark/blog/200701041544.html

If you were truly unbiased, you would have mentioned the various security features in Linux!

This means the number of *exploitable* vulnerabilities on a properly secured install of certain security-enhanced distributions is much smaller, and they are less severe, than the number of vulnerabilities detected.

Another interesting tidbit... why is it that the various distributions have greatly unequal number of security flaws when the software components are essentially the same? We must question the accuracy of your findings.

Wed, 2007-06-27 22:24
Re: Jeff, you are forgetting to

No, I didn't forget them.  I equally didn't mention any of the security features or architecture changes made to Windows Vista (which you didn't mention...).

Either way, if those features are doing their job, then it should be measurable and show up in the data.  Let's say you have a code flaw that would have been High severity and allowed a user to run code without one of the new security features, but new improved stack protection knocks it down so now it just crashes a daemon.  Flaw still exists, but it is probably a Medium or Low severity now, when it would have been a High severity before.

So, we should be able to look at the vulnerabilities that are (still) found in the products and see if statistically the features you describe are having a positive impact in terms of less severe vulnerabilities.

As to your final question, I think you are seeing the wide variety of differences that exist between distribution vendors.  Each of them defines a different minimum/required set of components, for example.  Also, each of them has the ability to customize their distro to distinguish it from the others (e.g. Novell no longer uses SELinux, but instead uses AppArmor).  Also, they each can have their own QA/testing process that may result in things being fixed before ship (or not).  On top of all that, each of those distros represents a different snapshot in time.  RHEL4 released on 2/15/2005 and Red Hat fixed a bunch of issues before Ubuntu released on 6/1/2006 and SLED10 released on 7/06.  The later releases benefit from the fixes to earlier releases to some degree...

That is just some quick thoughts, but hope they provoke further consideration.

Tue, 2007-07-31 17:34
'Let's say you have a code
By Anonymous

'Let's say you have a code flaw that would have been High severity and allowed a user to run code without one of the new security features, but new improved stack protection knocks it down so now it just crashes a daemon. Flaw still exists, but it is probably a Medium or Low severity now, when it would have been a High severity before.'

Only on Windows and, if I am not mistaken, only because of your own efforts to have them interpreted that way. Nobody else does this because it is not safe to assume that safety net security features haven't been bypassed, disabled, or will otherwise function properly.

Wed, 2007-06-27 23:49
I'm sorry Jeff,

But severities for linux are for clean, no-security-features-enabled installs. If you adjusted the severities yourself you'd have better numbers to work from.

Plus, MS tends to downplay their severity descriptions, where in linux they are typically overplayed. If you actually correspondingly adjusted the severities based on the same level of diligence -- for example the systematic security features enabled by default in Vista that aren't enabled in typical vanilla linux but highly stable and available (SELinux, grsecurity/PaX, etc), you'd be closer to comparing apples to apples in a typical server deployment scenario.

The fact is that with MS, you can't do any recompiling to increase security to offset performance, so you can't do a proper tiered deployment where you balance performance and security with the needs of each part of the stack.

And MS has nothing like SELinux. When people say linux, they often mean "how I configure my linux stack", not an out-of-the-box deployment. With Windows, it's the exact opposite.

Get people to lock down linux and windows for particular applications in a tiered deployment and then see what vulns actually apply to them. You're doing the equivalent of running benchmarks on untuned systems. The benefit of linux is that it is so tunable, and you're completely ignoring it.

Fri, 2007-06-22 20:57
windows security is fiction
By Anonymous

The arguments around all these so called vulnerability reports are so, so, so "tried and tired", that it is not worth commenting on. I'll do this just for the sake of the "flame" :)
In my more than 15 years working with computers, I'm yet to see a compromised Linux box... for Windows I lost the count. So at the end of the day this is what really matters: you can tell me that Windows is more secure, but my experience did not prove these "statistics". Even the sentence "Repeating statistics one thousand times makes them true" doesn't work, don't know why ;)

Comparing the linux and windows security is like theorem and axioms. Linux is the axiom it is just secure. Windows is the theorem, you have to prove it.

So please don't cite me those numbers as I said already do a google search and read all the previous discussion rebutting all of arguments you will start showing me now.

I mean if you have to decide what to use Windows or Linux based on security it is a no-brainer.
Tell me you are buying Windows because you like the GUI more (not that I like it), you feel more comfortable and used to it, you want to preserve compatibility with some old program (even that is not so true from what I hear about Vista; yeah, can you believe it, I haven't even used Vista, what a relief :) ) or some similar reason.

and so on.... when you see vuln. reports just pass on.
In fact most of these reports are from ppl who never used Linux for a long period of time as their primary system to be able to compare objectively. (To repeat, I have never used Vista, just clicked a bit on a friend's computer; not impressed, as I was in the time they pulled win98, nt..)
Now ask any Linux user and 99.99% have used Windows, so they are the ppl talking from experience point of view, not from reading other misleading reports on the net, sponsored most of the time from Microsoft.

Nothing against ppl using Windows there have to be choices, but please stop pushing these pseudo-reports under our noses, even for some reason in the future if they become true nobody will buy it, because we have "tried" them so many times in the past and we are already "tired" of them.

As a final note, let me mention: don't take this personally, I just had some free time to bust off but now have to work, so I can't do more "flaming" :))

Fri, 2007-06-22 20:30
Vulnerability testing
By John

Jeff - Would you publish the package lists you used for what you refer to as the "reduced Linux builds"? Even a trimmed down Linux install has a bunch of software in it that is not required to establish a desktop that is comparable to a standard Windows install (with no add-on software).

Fri, 2007-06-22 18:52
Time frame
By quux

Jeff, this is good stuff. But I can't help wondering how the graph would look if you plotted the data for each operating system in the same time period - that is, what if all vulns measured on the graph, regardless of OS release date, were from the period Nov 2006 --> Jun 2007?

(Note, I asked this question last night, but apparently it was considered spam. So I'm trying again.)

Wed, 2007-06-27 22:27
RE: Time frame

That can be done, but I generally consider it a less useful comparison in terms of the security quality of a shipping product.
However, I do keep monthly scorecards and will do a 6-month and year-end concurrent comparison for products.  It gives a different viewpoint and one that reflects the most recent experience of users, depending on which OS they might've been using.

Fri, 2007-06-22 18:03
Lists of Linux vulnerabilities?
By oliver

Interesting read! But I'd really like to see what kind of security problems were found in the three Linux distributions - do you have lists of their vulnerability fixes similar to the list of Vista fixes you included in the PDF? Would be interesting to see where exactly the distros are failing.

(Btw. there seems to be a validation problem when using Firefox - it just says "Validation error, please try again. If this error persists, please contact the site administrator." there, without actually showing that there is an error; in Epiphany, it works fine).

Fri, 2007-06-22 16:44
Come on... Please disclose the real install base.
By rdrr

Please provide the rpm -qa of each of the Linux OS installs; you claim to have done that in the pdf, but you didn't disclose the list. Clicking a graphical box doesn't allow one to ensure certain packages that one wouldn't want installed are excluded. Also you fail to mention if the packages that you deemed to be part of the core build were running after the install; usually they are not on by default. Also I can tell that you are not comparing similar OS layouts since the three Linux distributions you listed have such a huge gap between them. If you were truly comparing apples to apples, the differences should be in the teens.

Also if you tend to look at the vulnerability reports, a high majority of them are DoS vulnerabilities, and not something like "DFSR.exe remains available for remote connections for 2 minutes after Windows Meeting Space is closed." Medium? Are you kidding me, that is considered medium? I find your report very biased and misleading due to the missing information.

Fri, 2007-06-22 15:08
Further metric
By Pete Shaw

I'm not quite sure how you could show it, but it would be interesting to see an indication of how many of these flaws were actually exploited (or where malicious exploits were created to take advantage of them).

I'm not trying to state some of the flaws aren't serious, but more that it's always good to gauge the level of uptake amongst malicious parties, as this affects risk of system compromise as well.

Unfortunately due to its dominance Windows always seems to have a higher uptake than some of the other options. But of course it's great to see Vista making significant progress on this front!

Fri, 2007-06-22 14:18
8 Products Vulnerability Report - Submitted by William Zard
By Anonymous

Make your choice

[ ] Unpatched 0% (0 of 90 Secunia advisories)
[ ] Unpatched 0% (0 of 295 Secunia advisories)
[ ] Unpatched 5% (5 of 103 Secunia advisories)
[ ] Unpatched 13% (4 of 32 Secunia advisories)
[ ] Unpatched 14% (18 of 126 Secunia advisories)
[ ] Unpatched 14% (22 of 157 Secunia advisories)
[ ] Unpatched 16% (30 of 186 Secunia advisories)
[ ] Unpatched 20% (2 of 10 Secunia advisories)

and look up:

http://secunia.com/product/12470/?task=statistics
http://secunia.com/product/4668/?task=statistics
http://secunia.com/product/96/?task=statistics
http://secunia.com/product/6778/?task=statistics
http://secunia.com/product/4813/?task=statistics
http://secunia.com/product/1/?task=statistics
http://secunia.com/product/22/?task=statistics
http://secunia.com/product/13223/?task=statistics

Still surprised!?

Wed, 2007-06-27 22:28
RE: Secunia Unpatched

Stay tuned ... thanks to Robert Vamosi for writing an article about Secunia Unpatched data in March, I will shortly post an update about this topic...

Fri, 2007-06-22 19:20
Seems to somewhat represent
By Anonymous

Seems to somewhat represent what was shown in the report. Over time Ubuntu and Redhat have fixed their problems. But I still say Vista is still doing a very good job with security. And even though Ubuntu and Redhat have fixed their problems, on a timeline they didn't do as well early on as Vista.

Fri, 2007-06-22 14:17
Why Ubuntu and RHEL so different?

RHEL and Ubuntu are 99% identical under the hood. Both use the 2.6 kernel, same version of Gnome, similar libraries, etc.

Wed, 2007-06-27 20:17
Because security is mostly a
By Anonymous

Because security is mostly a configuration issue, and a huge part of the work of distributions is configuration.

When all doors are closed by default, an unexpected breach in one wall will be stopped or mitigated by another wall.

Fri, 2007-06-22 10:48
Without actually specifying
By Anonymous

Without actually specifying the sets in detail in your report, it is not really possible to verify your results. So it's worthless FUD.
You only list CVE's for Windows. I'd like to see a list for the Linux distribution, too.
I presume you didn't exclude mailing applications in Linux, but f.i. you didn't mention critical bugs in Outlook Express in your report:
CVE-2007-1658
CVE-2007-2225
CVE-2007-2227
To be fair, you need to count bugs in Microsoft Apps that normally run on Vista, too :-p

Fri, 2007-06-22 10:19
Same time frame?
By quux

I see where you were aiming with this, Jeff ... but I wonder. If you compared all of these OS's (and maybe toss in a BSD) over the same time period, how would it look then?

Thu, 2007-06-21 22:06
Confused about the numbers for Windows XP

I'm slightly confused by the numbers for Windows XP. The report says there were 36 bugs fixed by Microsoft in the first six months. Does that mean all the security bugs since found and fixed by Microsoft didn't exist on day one when Windows XP was released? Do all the recent security bugs (like the ANI, WMF ones) only affect Windows XP after that six months?

In total, how many security bugs have been found in components that shipped with Windows XP in 2001?

Sat, 2007-06-30 23:17
No vulnerabilities after the
By Anonymous

No vulnerabilities after the first 6 months were addressed here in any OS. The report clearly says that.

Fri, 2007-06-22 18:00
"Does that mean all the
By Anonymous

"Does that mean all the security bugs since found and fixed by Microsoft didn't exist. . ."

If no one knew it was there how could they fix it? I'm sure if you found something tomorrow and I asked you the day after if it existed two days ago (today), you'd say yes.

Thu, 2007-06-21 20:14
Error on Page 4

Jeff, Great report! Just wanted to let you know that it appears that the Vulnerability Disclosures section on Page 4 lacks a specific count in the first sentence. It appears that the paragraph is supposed to read:

"In addition to the vulnerability fixes outlined in the previous section, there were 15 vulnerability disclosures during Windows Vista's first 6 months that have not yet been addressed by a fix."

BTW, can you please shoot me an e-mail? I'd like to chat with you briefly about this report. Thanks!

Thu, 2007-06-21 19:09
6 months of history

You might like to read another interesting analysis regarding the first 6 months of Windows Vista.
http://www.vista4beginners.com/Windows-Vista-problems

Fri, 2007-06-22 23:01
3rd Party Problems

Being off topic and all, it's interesting that the post you linked to points to problems with 3rd Party Drivers and Applications being the biggest drawback to Vista itself.

The security report deals with the OS itself, and stands on its own. Microsoft can't be responsible for every company that wants to code applications/drivers for its OS. I'd be more angry with the 3rd party developers myself.

Great writeup Jeff. It looks like a lot of time and effort went into the report.

Thu, 2007-06-28 03:28
If you're not going to hold
By Anonymous

If you're not going to hold MS responsible for the software of 3rd party developers, then how can you not do the same for Linux and still have an accurate report? But, if you don't include third party software, how can you judge Linux, seeing as how it is almost entirely composed of third party software... So Jeff, were the drivers included in this report? Another thing I'd like to ask: how long were the testing cycles for each of these OS's? I know testing is pretty much the driving force behind security, but since Linux is constantly being revised, its test cycle includes the time that it is in circulation. Also, I have to say that I dispute your suggestion that having access to software code does not make a difference in the discovery of bugs in software... The last thing that I'd like to point out... I believe there is a difference between vulnerability and 'major security issue' in Microsoft's eyes, such as the netbios protocol which is... fairly unsecured (at least from what I've seen from XP, it's one of the very few vulnerabilities I know how to exploit myself). Since you did the same on multiple occasions for me and my fellow Linux fanatics, I'll come right out and show my bias by saying that I'm biased as a Linux user who has ever had the opportunity to use Vista (although I am even now still grudgingly running XP on my main PC for gaming uses). And besides, I'm not the security expert here, just a concerned teenager (and for that matter, some of my information may still be incorrect).

Sat, 2007-06-23 12:34
That's interesting detail...
By oliver

That's interesting detail... I wonder how many fixes under Linux actually went into drivers, and how this report would look if Vista included all those drivers as well (or does it? I really don't know that, but maybe someone else could shed some light on it?)

(Btw. who exactly is the "site administrator" here that should be contacted if the blog repeatedly refuses a valid comment?)

Tue, 2007-06-26 05:38
Em, drivers in Linux are
By Anonymous

Em, drivers in Linux are open source for the most part, meaning all holes are patched immediately, as opposed to the Windows world, where no drivers are open source and they don't get patched. Think of it this way: Microsoft can patch a million kernel holes, but if a third party driver is exploitable they've done nothing.

Fri, 2007-06-22 19:44
Irrelevant
By Brad

That story (http://www.vista4beginners.com/Windows-Vista-problems) is totally irrelevant. The topic of the current thread is Vista security. Your link has nothing to do with Vista security. Please stay on topic.

Fri, 2007-06-22 12:38
Yes Jeff, read some other
By Anonymous

Yes Jeff, read some other critical text to vista. I think I never read a text from you.

Fri, 2007-06-29 12:39
Stop with this! Or I'll die
By Anonymous

Stop with this! Or I'll die from laughing too hard and too long!!!

Every time a criticism is made about Vista, you always answer (to summarize) "no way, Vista is better". Don't say the contrary, you would lie..
First of all: vulnerability report on Vista, done by someone who's working at M$ (yeah, I know, don't repeat that it is written. Thanks, I can read).

How unbiased you say you are and you may be, if someone is saying he is the best whatever in the world, you would have some (serious) doubts. If someone else is telling the same thing about the other one, you are more likely to believe him. If that person is recognized for his good opinions and analyses, you would believe him even more.

First conclusion: You are open to criticism (a little though), but someone that is analysing his own product and compares it to others....
It is a fact: it is uncredible, in any way you'll turn it.
Everyone says his product is better than the product from the competitors. It doesn't make it better...

2) Don't remember who said that, but yes. Mac and other *nix vulnerabilities (bugs also) are repaired far more rapidly than Windows ones. Don't ask for stats, it is a fact that millions of users could confirm. Me too, I use Windows 500% more than Mac or Linux (Mac and Win XP at home). Why? The *nix world has far more people who'll try to fix it. For Mac, it's a different story, but they care more about their customers (indeed, commercial reasons also).

I'll take an example with a bug (sec related or not). Report it to Mac through the reporting system, max 2-3 months later, you will be sure it will be fixed. On XP (pro), I have the same trouble over and over again, and this started two years ago!!!

3) Nothing to do with it, but this just makes me crazy.. Well, made; I got rid of Vista.

Nice looking OS you have there! (it is true) But where do all the ideas come from? Like that transparent toolbar.. You guys have some really good ideas!
But consider this:
OS X 1.4 Beta (or not) : Memory usage - idle: ca. 230MB
Vista Beta rc2 : Memory usage - idle: ca. 950MB

Just try to do something on your own, be creative! But apparently that word isn't in the MS dictionary, or if it is, it must be written: creativity: looking for interesting ideas and just taking them over.

You will say, oh, another Mac freak. Just face the reality! The facts are there. At least in the Linux world they have more creativity. Vista looks far closer to OS X than any Linux distribution does, and has more 'originalities' that aren't present in OS X.

Whatever, I'll get back to the topic.

4) What is the point of comparing vulns after a 90 day period?
3 months gives time to discover a lot. But this CERTAINLY cannot tell if one system is more secure than another. Even a year is short term, especially for Windows, which doesn't change version every year. (and otherwise I would be ruined also... :

As a student:
OSX 10.4 : 48$
Win Vista: 300$
)

5) More secure.. From what point of view?
"Vulnerability report": what about virus vulnerability?
I don't even have an anti-virus on my Mac. My system has been running for 3 years now. Scanned it recently, still no virus.
My XP has been running for 2 years. AVG is doing its work and has cleaned a lot of viruses, worms and whatever (I don't download, though)! Linux, whatever distribution, never met a virus either. So which one is more vulnerable?

Solution: change the title of your report.

6)
The results of the analysis show that Windows Vista has an IMPROVED security vulnerability profile OVER ITS PREDECESSOR and a °°°SIGNIFICANTLY°°° BETTER profile relative to comparable modern COMPETITIVE OSes.

Translation:
Vista is better (since the results are better) than XP.
But way better than other OSes!

So, by deduction, you are saying that XP is better than other OSes. Oh, but it is about that first 90-day period, so it is true. So I send you back to point 4.

But yes, M$ has done a good job (apparently; I haven't tested it yet) with improving security compared to XP. That is a fact we can't deny.

Maybe, I don't know, it is also a lot harder to secure Windows than any other OS (referring to the number of lines of code)?

By the way, the statement 'Vista is more secure than anything else' may be true IF you base it ONLY on the report. But that is a temporary statement and I have the feeling this will rapidly change. Am I the only one?

And as has been said many times before: security is NOT ONLY about vulnerabilities.

=> 7)
You must have a global and general (normal user) point of view.

Yes, most *nix distributions are maybe not as well secured from the start as Vista. But why can't normal users secure *nix that easily? Because they are used to Windows and are completely disoriented. It is another way of working. Still, it is very easy to secure *nix for a normal user. People don't like to change habits, especially at work. The best example is user passwords.. policies oblige them to change passwords. They change from, for example, frog1 to frog2. So what about using something other than Windows? Answer: are you mad?? We will need months of training etc...

This doesn't mean it is more difficult or not, and it certainly doesn't influence the security of a system, as some said.

There would be many more things to discuss, but I'll conclude with this:

If you don't want people to discredit your report anymore, you should not call your report a "vulnerability report", since you are not covering all the vulnerability aspects and most things still have to be discovered.

Still, this kind of research should be done by an independent authority, like someone else said before.

cheers ;)
