[ad]
Judging by figures alone, Vista is more secure than Mac OSX and Linux? I somehow find this a rather strange claim, I guess these things are always subjective.
Most numbers can be moulded into any shape you want, and can show any result you like.
According to the numbers given in a new report from Microsoft, Windows Vista has blown away all the major enterprise Linux distributions and Mac OS X as far as having the smallest amount of serious security vulnerabilities in the six months since its release. The numbers were compiled by Jeff Jones, the security strategy director in Microsoft’s Trustworthy Computing Group.
“The results of the analysis show that Windows Vista continues to show a trend of fewer total and fewer High severity vulnerabilities at the 6-month mark compared to its predecessor product Windows XP (which did not benefit from the SDL [Secure Development Lifecycle] and compared to other modern competitive workstation OSes (which also did not benefit from an SDL-like process),” Jones wrote in a blog posting about the report on June 21.
I’ve heard some things about this report though, for example flaws in Firefox WERE counted under Linux, but flaws in IE were NOT counted under Vista.
In the report, available as a PDF download on Jones’ blog, Jones compares the number of vulnerabilities of critical, medium and low severity that have been discovered in Vista with those found in Windows XP, Red Hat Enterprise Linux 4 Workstation, Ubuntu 6.06 LTS, Ubuntu 6.06 LTS—Reduced Component Set, Novell SUSE Linux Enterprise Desktop 10.8, Novell SLED 10—Reduced Component Set and Apple Mac OS X v10.4.
The score, according to Jones: In the first six months of the Vista life cycle, Microsoft has released four major security bulletins that address 12 total vulnerabilities affecting Windows Vista.
Plus the amount of software packages included in these linux distributions are 100x times more than those in Vista, so it’s not really a fair comparison is it? I’m sure you if you counted core services and OS system files, the figures would look a lot different.
It’s a pretty comprehensive article, so do check it out and let us know what you think.
Source: Eweek
eDgE says
I agree that mm statistics like this are very subjective. Not least that Vista is mm closed source etc. If you compared the vulnerability reports from the first six months after release of another widely-distributed closed source mm OS, then Im sure Vista could have the edge. As you said, hundreds of packages are included with most Linux distros. It’s a shame that mm Microsoft have to publish these reports to mm try and convince themselves they are secure…
moons says
Wow thats weird, and numbers like you say, are sometimes very flexible, moreover, i doubt its really true.
I mean, the 2nd or 3rd week vista was released, there were already people who messes around with botnets adding vista exploits to their bots which scans for vista machines and automatically exploit it.
Surprisingly, others who slammed the guy for adding vista exploits saying there wont be many victims due to most people sticking to xp for the time being was actually proved wrong, as the guy was getting over 300-500 bots a day, so he claims.
How true that is, I’ve got no idea but yea, its really a surprise that the report showed Vista having the least of vulnerabilities.
Sandeep Nain says
Well its absurd… even windows XP is claimed as 2nd most secure system after the vista… :) Vista got edge as its still not being widely used… and XP is so mature (with 100s of patches to cover its injuries) that most of the vulnerabilities have been fixed…
that comparison is just not right… and who knows id he was using ubuntu and other distros with latest patches..
backbone says
IMO the fact is that less researchers seek vulnerabilities in Vista, as in XP because XP is more accessible by system resources and more widely spread… anyway that’s my opinion :-\
joat says
Another reason that the report is suspect: it was based on publicly released vulnerabilities for the first 90 days. Combine that data restriction with the normal delay given for “responsible disclosure” and what do you have?
– joat
TheRealDonQuixote says
I think that W32.deletemusic, Trojan.Peacomm, Romario-A and about another zillion worms, viri and other assorted malware would disagree with those “numbers”. I just wrote articles on all three of those lovely yet nasty pieces of code, and they are all aimed at machines running Windows (95 to Vista).
Conclusion, I’ll take either of my linux partitions over my WinXP partition any day. And I will NEVER use Vista! If I could afford it, I would get a Mac over a pre-installed Windows machine. There are just too many hassels with Windows and its outdated structure. Any form of *Nix is just better than Windows for both security and efficiency.
Nobody_Holme says
Hmm… and no corporation ever fudged a report to make themselves look good… is ANYONE fooled, i have to ask?
And I have to agree with the point about disclosure… see if this report looks the same in 12 months, and from sun’s point of view, or novell’s. I’m thinking no.
Daniel says
@theRealDonQuixote
how many worms have you seen for vista?
and if driver manufacturers were going along with the original plan and the driver signing became a reality malware infections would drop in a big way.
It is my understanding that the next version of windows will require signed drivers and lock out the kernel just like vista64 does now.
Come to think of it i believe vista 64 MAY BE the most secure OS
vista 32 is still less secure than the *nixes but its much better than any previous windows.
TheRealDonQuixote says
@Daniel
To be honest, I don’t know too much about viri and or malware for Vista64. As for plain old vista, I am pretty sure that most modern (people are moving towards info gathering and away from viri and worms) attacks that work on XP will work on Vista. As for worms and vista, I can only personally confirm the W32.Deletemusic one for affecting vista. However, the Vista Kernel is still NT based (right?) which leaves it open to pretty much anything written for XP. Also, ‘in my opinion’ the registry is a liability, and there’s no real way to totally protect it.
However, Vista64 may very well be the most secure OS, I have no way to test it. I sure as heck don’t know anyone codeing for it.
In the end the real vulnerability to any OS is the user. To me, it seems that the average Windows user is less knowledgeable, which means more vulnerable, than anyone else. Mac OS X is a little better cause it protects itself from the average user, although safari is a big soft spot to punch at for hackers. People who use *nix are generally more willing to learn a bit about their system, and usually use more than 1 OS, so they are “in general” the least likey to get USED.
Maybe we should change pwn3d to USED, and n00b to USER? ;)
Nobody_Holme says
@TheRealDonQuixote
One assumes Vista64 is still NT kernel, and I KNOW it still has the registry, so I don’t see how it can be all that much secure…
But on the user point, I have to say, the average first time *nix user whos just migrated, probably to Ubuntu these days, is likely to have no extra security, whereas even the total n00b MSwindows user is likely to have something, what with all the security firms advertising on the web these days.
TheRealDonQuixote says
@Nobody_Holme
I would say that the first time *NIX user has come from Windows already having become tired of all its suckness, at least that’s why I went with Linux. Although, you do have a point with the Ubuntu craze. Its too easy to install and not even know that you have no firewall setup or Anti-Vir apps. Ubuntu may be getting too popular for its own good.
On another note, anyone use Vista with those two package updates? Did it fix anything? Just wondering.
Sandeep Nain says
Well yes UBUNTU has given a totally new dimnsion to *nix OS. People who used to be scared of uneasy user interface of *nix systems, now find UBUNTU much easier to use and maintain.. the installation is all so easy and can be done with just one click..
On the same note, hardening a *nix system is not difficut too. if properly hardened I’m sure ubuntu (debian based OS) is much more secure than resource hungry VISTA and for sure XP
TheRealDonQuixote says
Sandeep: I use Kubuntu right now cause I need the pure KDE desktop to match BackTrack. So far Guard Dog is the best balance of control and ease of use for a firewall. KlamAV + ClamAV works well enough for viri. As for spyware and other assorted malware I’m stuck with the CLI and manual scans with CHrootkit.
That’s not too bad for a burgeoning system. Also I run TORk when I feel like being all stealthy. Still, I’ll probably go back to Slax and backtrack when I’m done with my current project.
Daniel says
AAAAHHHH I HATE THAT ADDING CAPTCHA!!! I WROTE A HUGE POST AND I CANT ADD!!!!!
oh well sorry to yell’ ill write it again later
Dan says
Even as a user of VISTA on one of my computers, I think this is pretty much just marketing talk. Of course, the fact the VISTA isn’t exactly popular and doesn’t have a huge market penetration yet isn’t mentioned. I’m sure that there will be plenty of bugs / attacks on VISTA as it is used more.
TheRealDonQuixote says
@Daniel – I got caught with the “Please add # and #” thing enough times that I always copy all my text before submitting, just in case I waited too long and it gets zapped. That way I can paste the text into another comment if it gets lost.
Darknet says
Yeah always copy to the clipboard, sorry about that guys but without extra measures the spam is over-whelming and I always lose real comments.
Nobody_Holme says
ARGH! tried to agree that it catches me sometimes and what do I do? :'( @ my maths skillz.
TheRealDonQuixote says
I have a “spam catching” app/service on my wordpress blog and it sometimes throws out the baby with the bath water. I wish I could have the adding “captcha” thingy. Akismet catches almost all the spam, AND I lose some real comments too. However, its free and I can’t afford my own hosting.
Sandeep Nain says
Well I find this integer adding captcha is better than those image ones.. it sometimes is really hard understand the letters in the image.
bob says
I dont think vista is more secure than other distros. Meta exploits can still attack it. And soon as you install firefox with ie you are vunerable.
More so, numbers can me moulded. I agree with this statment. At our work, we sell clients a vista computer. However, it comes with downgrade XP cd’s. We use these to remove vista and install XP on it. However, microsoft count it as a vista sale. silly hey?
codey says
Thats sad that microsoft thinks there more secure than any other os out there . When they are the most targeted and most used operating system. plus how can he count firefox bug in linux and not ie bugs in vista . something is just not right.