Microsoft this week issued a report analyzing the vulnerability disclosures and security updates for Windows Vista's first year on the market, comparing this information to similar first-year data for its predecessor, Windows XP, and contemporary competition such as Red Hat Enterprise Linux, Ubuntu Linux, and Apple Mac OS X. Not surprisingly, given the deep security improvements that the company made to Vista, Microsoft's latest OS came out well ahead of the other systems.
"The results of the analysis show that Windows Vista has an improved security vulnerability profile over its predecessor," Microsoft security strategy director Jeffrey R. Jones, author of the analysis, writes. "Analysis of security updates also shows that Microsoft improvements to the security update process and development process have reduced the impact of security updates to Windows administrators significantly compared to its predecessor, Windows XP."
Jones points out that his report does not attempt to measure overall security, nor does it prove that one product is "more secure" than the others. Instead, he has provided a vulnerability analysis that he says could form just part of a broader security analysis of the platforms. That said, the data he presents is important. As he asks rhetorically, is it easier to mediate risk on a system that has 10 vulnerabilities in a year or one that has 100 vulnerabilities in a year?
As for the data, Windows Vista led in all categories, scoring the lowest number of fixed vulnerabilities, security updates, patch events, and weeks with at least one patch event. Its margin of victory over the competition was often quite large. In its first year on the market, for example, Windows Vista had 36 fixed vulnerabilities. This compared to 65 for Windows XP, 116 for Mac OS X 10.4, 224 for Ubuntu 6.06 LTS, and a whopping 360 for Red Hat Enterprise Linux 4.
And before Linux enthusiasts claim some sort of bias, Jones actually went to the trouble of discounting non-core components on the Linux systems tested. So vulnerabilities in open source products like OpenOffice.org, GIMP, and various development tools were not counted against those systems. "It is a common objection to any Windows and Linux comparison that counting the 'optional' applications against the Linux distribution is unfair, so I've completed an extra level of analysis to exclude component vulnerabilities that do not have comparable functionality shipping with a Windows OS," Jones noted.
Of course, for most Windows users and implementers, the comparison between XP and Vista is the most important. And here, Vista clearly outshone its predecessor by a wide margin. The numbers of found and fixed vulnerabilities are significantly less on Vista, as were the impact that security updates had on Vista. During Vista's first year on the market, Microsoft shipped 17 security updates over 9 patch events, compared to 30 security updates for XP over 26 patch events during that product's first year on the market. "
"It is easy to see that the combination of a predictable monthly policy and fewer patches has had great impact in reducing the work necessary to manage security risk from 2001/2002 with Windows XP to 2007 for Windows Vista," Jones concludes. "It's a good illustration of \[the\] progress that Microsoft has made with the Trustworthy Computing initiative over time."
The Windows Vista One Year Vulnerability report is available now from the Microsoft Web site.