February 28^th marked 90 days that Windows Vista had been available to business customers. December brought the first public disclosure of a vulnerability and February brought the first Security Bulletin affecting Windows Vista. Has it been a good or a bad 90 days for security vulnerabilities?

I have analyzed the vulnerability disclosures and fixes for Windows Vista and examined the results in the context of its predecessor, Windows XP, along with several other modern workstation operating systems including Red Hat, Ubuntu, Novell and Apple products to try and answer that question.

For the full details, or to print the report, you can download the report.

For those that only want the executive summary, here is a key chart that shows the publicly disclosed vulnerabilities during the first 90 days of availability, broken down by vulns fixed and vulns unfixed.  Many have commented on previous studies that you can't get a full picture by just looking at issues fixed, so I worked to include disclosed, but unfixed issues to try and present a more comprehensive view .

The results of the analysis show that Windows Vista has an improved security vulnerability profile over its predecessor and a significantly better profile relative to comparable modern competitive operating systems.

Read, Enjoy, Forward.

Best regards ~ Jeff

Full Disclosure:  I work for Microsoft - read my previous blog post, Exactly how biased am I?.