Once Again Microsoft Says Windows Vista 'Most Secure'

Trying to sway public opinion about a flailing product, Microsoft has reportedly once again boasted about the security of Windows Vista, claiming that the operating system had 36 vulnerabilities in its first year compared to the 65 found in Windows XP during that same period. Analysts remain skeptical.

"I think that it's fair to say that Windows Vista is proving to be the most secure version of Windows to date. Our investments in the SDL (Security Development Lifecycle) and our defense in depth approach to building Windows Vista seem to be paying off," wrote Austin Wilson in a recent Windows Vista Security blog post.

Wilson credits User Account Control (UAC) that makes it easier to run standard user accounts rather than administrative accounts and Internet Explorer (IE) Protected mode built into Windows Vista that prevents IE7 from altering user or system files and various settings without consent from the user.

A new 24-page report published by Jeff Jones, Security Strategy Director in Microsoft's Trustworthy Computing Group shows that Windows Vista also exhibited fewer vulnerabilities than other operating systems over a one year period -- comparing the vulnerabilities found in Windows Vista to Windows XP, Red Hat RHEL4 reduced, Ubuntu 6.06 LTS reduced and Mac OS X 10.4, aka Tiger, citing 'significantly fewer vulnerabilities' in Windows Vista. This is the third 'report' on Windows Vista security Jones has published.

Eric Schultze, Chief Technology Officer of St. Paul, Minnesota-based Shavlik Technologies calls it an apples-to-oranges comparison. "When you start counting vulnerabilities, it's a matter of defining vulnerabilities. For example, if a bulletin is released for Internet Explorer, that's one patch for IE, Microsoft may have broken it out to say there are five distinct issues fixed in this patch" he said. "Is that five vulnerabilities or is that one vulnerability because it's one patch?"

Wilson goes on to state that during Windows XP's first year updates were released on 26 separate occasions. Combined with the move to a predictable monthly release schedule for updates and decreased vulnerabilities, Wilson claims Windows Vista had 9 days in its first year.

Like others, Schultze remains skeptical, noting that while what Wilson states is accurate, he's only presenting numbers that come out in a favorable light. Wilson claims there are a certain number of vulnerabilities on Windows Vista that were lower severity than on Windows XP. Wilson doesn't tell you how many patches were more critical on Vista than on XP.

Dave Marcus is the Security Research and Communications Manager of McAfee Avert Labs. He says Wilson offers some good points, but believes it's still early to claim a victory for Vista. "Wilson put forth a good argument. His stats are valid, but I think he fails to take into account that most businesses have not deployed Vista, nor have most consumers," he said. He also noted that while Vista was superior to previous versions of Microsoft operating systems from a security standpoint, many of these features were only available in 64-bit versions of the operating system and a lot of organizations would be disinclined to invest in the hardware required to use those features.

Marcus expects more corporate Vista deployments and a clearer picture of Vista's security profile once Microsoft officially deploys Windows Vista Service Pack 1 (SP1). Other security vendors including McAfee predict a surge in malware in 2008 for Vista as more people install it.

In a phone interview conducted with InformationWeek, Wilson countered that Windows Vista is already widely deployed, saying Microsoft has already shipped 100 million copies. He also expressed skepticism about a surge in malware, saying the security research community has had a strong focus on Windows Vista since Microsoft distributed beta copies to help identify security flaws at the Black Hat Conference in 2006.

As noted in the article, that focus has yet to offer much clarity. "This is a matter of Microsoft bending the statistics for their own purposes. We could just as easily create the same number of statistics that puts Windows Vista security in a negative light" said Schulze.

Visit Bill's Links and More for more great tips, just like this one!