Microsoft: Windows Vista More Secure than OS X, Linux

by Paul Thurrott, thurrott@windowsitpro.com

Following up on his previous Vista vulnerability report that was released 90 days after the initial public release of Vista, Microsoft Strategy Director Jeff Jones recently published a Vista 6-month vulnerability report. This report examined the state of Vista security in the first six months of the system's availability and answers one criticism about the first report: that it covered too short a timeframe to be relevant. But Jones' new report is controversial for other reasons. You see, the data he provided demonstrates that Vista is, in fact, more secure than competitors such as OS X and Linux.

Big mistake.

For those not familiar with today's tech landscape, OS X and Linux users are among the most stridently vocal about their favorite OSs, and they don't take this criticism at face value: To them, almost any OS is more secure than Windows. To suggest otherwise is hearsay, evidence be damned.

To be fair, both OS X and Linux are successfully hacked far less frequently than Windows. One of the reasons, of course, is that Windows is simply installed on more PCs and is a much more obvious choice for hackers to attack. But the data that Jones presents suggests that Vista, in particular, is subjected to fewer dangerous security bugs than the competition, which is a related (but not identical) conversation. In other words, OS X and Linux might have more severe security flaws. But Windows, obviously, is attacked more frequently in the real world. So which system is really "more secure"?

"Windows Vista continues to show a trend of fewer total and fewer high severity vulnerabilities at the six month mark compared to its predecessor product Windows XP and compared to other modern competitive workstation OSes," Jones writes. "This affirms the early results that we found after 90 days and provides a supporting indicator that the Microsoft Security Development Lifecycle (SDL) process and heightened focus on security is having a positive impact on Microsoft Windows in terms of fewer vulnerabilities."

Jones's report shows that Microsoft released four updates to fix 12 Vista security flaws in the OS's first six months on the market; none were rated high severity. Additionally, four other Vista security flaws were identified in this time period but haven't yet been fixed, with one flaw rated high severity. Jones then compared this information to similar data for Windows XP, Red Hat Enterprise Linux 4 Workstation (using a reduced component set installation), Ubuntu Linux 6.06 LTS reduced component set, Novell SUSE Linux Enterprise 10 reduced component set, and Mac OS X 10.4.

Although XP compared favorably to Vista, the other OSs did not: The Linux-based OSs and Mac OS X suffered from more fixed vulnerabilities, more unfixed vulnerabilities, and more high severity vulnerabilities in their first six months of release than either Windows version. And Vista proved to be the most secure OS, by these measures, overall.

Naturally, OS X and Linux partisans can point to several offsetting concerns, such as the high rate of attacks for Windows-based vulnerabilities. But Windows users can at least take solace in the fact that Microsoft's SDL appears to be having a positive effect on its products. And Jones promises a follow-up report at the one-year anniversary of Vista's release. Expect that report to also be highly controversial.

If you're interested in Jeff Jones's report, you can download the PDF from the CSO Web site.
http://www.csoonline.com/pdf/6_Month_Vista_Vuln_Report.pdf