Last October, roughly one year after the release to manufacturing of Windows Vista, I did a comparison of how well Windows Vista was living up to its promise of being more secure than its predecessor, Windows XP (see "One year later, Vista really is more secure"). My data source was the Microsoft Security Bulletin Search page, where I tallied up security bulletins rated Critical or Important for the two Windows versions. The result? Vista had an overwhelming edge over XP, with a mere 14 security updates compared to 41 for XP with Service Pack 2 during the same period.
Has Vista maintained its security edge in the succeeding nine months? The answer, it turns out, is yes, although the margin has narrowed. I repeated that previous experiment using data from November 2007 through July 2008. The totals are as follows (in both cases, I assume that the most recent service pack is installed, with Vista SP1 counted beginning in March 2008 and XP SP3 in May 2008):
- Windows XP: 23
- Windows Vista: 19
The grand total for the period from November 2006 through July 2008, again assuming the most recent service pack is installed:
- Windows XP: 64
- Windows Vista: 33
Over the 21-month period, that’s a monthly average of roughly 1.5 Critical or Important security updates for Vista and 3 for XP.
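As an added illustration of the tallying rule used above (this is example code, not the author's spreadsheet or real Microsoft bulletin data), the Python below counts Critical or Important bulletins per Windows version over a date window, applying the "most recent service pack installed" assumption with the cutoff dates given in the article (Vista SP1 from March 2008, XP SP3 from May 2008). The bulletin records are constructed for the example.

```python
from datetime import date

# Severity ratings the article counts.
COUNTED = {"Critical", "Important"}

# Service-pack rule from the article: assume the latest service pack is installed,
# with Vista SP1 counted from March 2008 and XP SP3 from May 2008.
# Entries are (first month the SP is assumed, product label), newest first.
SP_TIMELINE = {
    "XP":    [(date(2008, 5, 1), "XP SP3"), (date(2000, 1, 1), "XP SP2")],
    "Vista": [(date(2008, 3, 1), "Vista SP1"), (date(2000, 1, 1), "Vista RTM")],
}

def current_sp(os_name, released):
    """Return the product label assumed installed on the bulletin's release date."""
    for start, label in SP_TIMELINE[os_name]:
        if released >= start:
            return label
    raise ValueError(f"no service pack defined for {os_name} on {released}")

def tally(bulletins, os_name, start, end):
    """Count bulletins in [start, end] rated Critical/Important for the assumed SP.
    A bulletin that does not list the assumed SP is treated as not affecting it."""
    count = 0
    for b in bulletins:
        if not (start <= b["released"] <= end):
            continue
        label = current_sp(os_name, b["released"])
        if b["ratings"].get(label) in COUNTED:
            count += 1
    return count

def monthly_average(count, months):
    """Average bulletins per month, rounded to one decimal as in the article."""
    return round(count / months, 1)

# Constructed sample bulletins (hypothetical IDs, not real MSRC data).
SAMPLE = [
    {"id": "MSYY-001", "released": date(2007, 10, 9),
     "ratings": {"XP SP2": "Critical", "Vista RTM": "Critical"}},   # outside window
    {"id": "MSYY-002", "released": date(2008, 2, 12),
     "ratings": {"XP SP2": "Critical", "Vista RTM": "Important"}},  # counts for both
    {"id": "MSYY-003", "released": date(2008, 4, 8),
     "ratings": {"XP SP2": "Important", "Vista RTM": "Important", "Vista SP1": "Moderate"}},
    {"id": "MSYY-004", "released": date(2008, 6, 10),
     "ratings": {"XP SP3": "Important", "Vista SP1": "Moderate"}},  # XP only, like MS08-36
    {"id": "MSYY-005", "released": date(2008, 7, 8),
     "ratings": {"Vista SP1": "Critical"}},                         # Vista only
]

if __name__ == "__main__":
    window = (date(2007, 11, 1), date(2008, 7, 31))
    for os_name in ("XP", "Vista"):
        n = tally(SAMPLE, os_name, *window)
        print(os_name, n, monthly_average(n, 9))
```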
Although it’s difficult to do Apple-to-Windows comparisons, I tried my best, using the Apple security updates page. By my count, between November 2007 and July 2008 there were 22 updates for Mac OS X and its included components, including seven Security Update packages designed to fix multiple vulnerabilities (such as the 13 separate fixes listed in the Mac OS X 10.5.4 update released on June 30). That’s four more than the Vista patch count during the same period and one fewer than the XP total. Make of that what you will.
My takeaway? The changes in the security model for Vista are continuing to pay off, and as Vista's market share grows, bad guys are turning their attention to vulnerabilities that affect both operating systems. When they do, the impact on Vista is likely to be less severe, as in Bulletin MS08-36, which was rated Important for XP SP2 and SP3 but only Moderate for Vista RTM and SP1. And, of course, none of these numbers takes into account the improvements in security that accrue when administrators are able to configure a standard user account in Vista, something that wouldn't work smoothly, if at all, in XP. That simple change goes a long way toward preventing users from compromising a system by running malicious executable code.