Windows Vista One Year Vulnerability Report
by Jeff Jones, Security by Numbers
Wed, 2008-01-23 20:17
Topic(s): | | |

Having published a Windows Vista vulnerability report after 90-days and six-months, I am sure it will come as no surprise to folks that I have been working on a one year analysis as well.

One year is a much more interesting time frame, and gives us the opportunity to see if the early trend indicators are holding up, or if the early signs of progress were a short-term gain.  Structurally, this report analyzes Windows Vista vulnerabilities and updates in the context of:

  • Windows XP, its predecessor product
  • Latest desktop products available for a full year from Red Hat, Ubuntu and Apple

I want to give you a peek into the report, so I'll show a few key charts highlighting WIndows Vista relative to its predecessor.  To see the results relative to the other industry OS offerings, you'll need to download the full report.

First, here is the chart showing the full set of vulnerabilities (total disclosures and total fixed) for WIndows XP and Windows Vista during the first year of availability after they shipped.

As a new view on the first year of products, I did analysis of how many days had one or more patches released for the product - I called these days "Patch Events."  Here is a weekly histogram for the Patch Events the first year after Windows XP was released.

Windows XP Year One Patch Events Weekly Histogram

In contrast, Windows Vista administrators only dealt with nine patch events during the first year.

The results of the analysis show that Windows Vista continues to show a trend of fewer vulnerabilities at the one year mark compared to its predecessor product Windows XP (which did not benefit from the SDL).  If you are interested in how it did compared with Red Hat, Ubuntu and Apple Mac OS X, you'll need to download the full report.

If you share the opinion that Windows and applications ported to Windows get a higher level of researcher scrutiny than other OSes, then the 6-month results are even more positive.  If you don't share that opinion, then they still stand on their own ...

Read, Enjoy, Forward.

Best regards ~ Jeff

Full Disclosure:  I work for Microsoft - read my thoughts on how that affects my analysis in Exactly how biased am I?.

» read more from Jeff Jones | post a comment
Ads by TechWords
Post a comment
The content of this field is kept private and will not be shown publicly.
  • Allowed HTML tags: <a> <em> <strong> <cite> <code> <ul> <ol> <li> <dl> <dt> <dd>
  • Lines and paragraphs break automatically.
* Denotes a required field
VIRTUAL CONFERENCE
Data Center Directions Virtual Conference

Data Center VCAttend this free, 100% online event exploring tools and techniques for making your data center deliver for today and tomorrow.

» Learn more and register here

WHITE PAPER
Discover whether hosting is your smartest choice for enterprise messaging.

GoogleTo host or not to host? Thats the question for many CIOs as the volume and complexity of enterprise messaging continues to skyrocket.

» Read the Paper