Windows Vista - 6 Month Vulnerability Report
I was somewhat surprised (but pleased) at the level of interest back when I published my Windows Vista - 90 Day Vulnerability Report. It was about the earliest span of time I thought might give us some indicators, and the indicators did look good. (Though, I did not give us an "A+", in spite of some of the attributions ;-)
Six months is a much more interesting time frame, and gives us the opportunity to see if the early trend indicators are holding up, or if the early signs of progress were a short-term gain. Also, I thought it was worth going a little deeper in the analysis to look at the total fixed and unfixed vulns as I did last time, plus these additional views:
- Include a comparison view of Linux distribution workstation builds that exclude vulnerabilities non-default optional components as well as OpenOffice and other applications that do not have equivalents on Windows XP.
- Include a comparison view that excludes Low and Medium severities to just focus on High severity vulnerabilities fixed and unfixed in the first 6 months, and
- A comparison view that combines both of these
For the full details, or to print the report, you can download the report in pdf.
For those that only want the executive summary, here is a key chart that shows the publicly disclosed High severity vulnerabilities during the first 90 days of availability, broken down by vulns fixed and vulns unfixed. Note that this chart is showing the reduced Linux builds that exclude non-default and optional components without equivalents on WIndows. (clicking the chart also gets you to the full report.)
The results of the analysis show that Windows Vista continues to show a trend of fewer total and fewer High severity vulnerabilities at the 6 month mark compared to its predecessor product Windows XP (which did not benefit from the SDL) and compared to other modern competitive workstation OSes (which also did not benefit from an SDL-like process).
If you share the opinion that Windows and applications ported to Windows get a higher level of researcher scrutiny than other OSes, then the 6-month results are even more positive. If you don't share that opinion, then they still stand on their own ...
Read, Enjoy, Forward.
Best regards ~ Jeff
Full Disclosure: I work for Microsoft - read my previous blog post, Exactly how biased am I?.
Also, I'd like to make a shameless plug for my other blog, http://blogs.technet.com/security, where I sometimes post more personal entries such as The Saga of My Luggage & British Air and Building My Windows Vista Media Center - Part 1 - The System.
Enter the Security KnowledgeVault
The resources in this Security KnowledgeVault provide expert advice on everything from creating a multilayered security strategy and deploying a more proactive fight against cybercrime, to realizing when it's time to stop going it alone and seek outside, expert help.
Protecting Your Data on Mobile Devices
Protecting data on mobile devices creates a whole new batch of security headaches. Join experts in this Videocast lead by John Girard, VP and Distinguished Analyst at Gartner, to hear how you can deploy a comprehensive enterprise encryption strategy.
Recent Comments
- McAfee Continuous Compliance
- Balancing Increasing Security Requirements with Decreasing Budgets
- Protecting Your Organization from Internet-Based Threats
- Say "Yes" to iPads While Keeping Your Confidential Data Safe
- What CSOs are saying about Advanced Persistent Threats
- Gain Control of the New Threat Landscape
- The TCO of FTP: Hidden Costs of "Free" File Sharing
- Streamline, Speed and Secure the Supply Chain with Managed File Transfer
- Beyond SFTP: Five Ways Secure Managed File Transfer Can Improve Your Business
- Secure Managed File Transfer: Bringing Coherence & Control to Compliance
- Challenges of Database Patching in Production Environments
- Managing Risk in Changing Times
CSO Corporate Partners
