Ninety days after the release of Microsoft's Windows Vista to business customers, the new operating system has a much better security vulnerability profile than its predecessor and several other modern workstation operating systems including Red Hat, Ubuntu, Novell and Apple products.
That's according to Jeff Jones, security strategy director in Microsoft's Trustworthy Computing group.
Jones has published a 90-day report card (.pdf), stacking up flaws reported and fixed in Vista against vulnerabilities disclosed during the first 90 days of Windows XP, Red Hat Enterprise Linux 4 WS, Ubuntu 6.06 LTS, Novell SUSE Linux Enterprise Desktop 10 and Mac OS X 10.4 (Tiger).
During the period under review, Jones said Microsoft shipped a solitary security bulletin affecting Vista users -- MS07-010, which covered a remotely exploitable hole in the Microsoft Malware Engine. He also called attention to four other reported Vista bugs that remain unpatched, one carrying a "high risk" rating.
By comparison, during the first 90 days after Windows XP shipped, Jones' research showed that Microsoft patched a total of 14 vulnerabilities, 8 of them rated critical. "At the end of the 90 day period, a total of 4 publicly disclosed [Windows XP] vulnerabilities did not yet have a patch available from Microsoft," Jones said.
Regarding Red Hat Enterprise Linux 4 Workstation (rhel4ws), Jones said the open-source vendor fixed a total of 181 vulnerabilities, 58 of them rated "high severity" by the U.S. government's National Vulnerability Database. He acknowledged that many of these bugs covered components that Red Hat ships and supports as Red Hat Enterprise Linux 4 WS, noting that it might be construed as "unfair" to count those.
However, even with RHEL4WS's reduced component set, Jones said:
- The reduced rhel4ws set of components had 86 vulnerabilities already publicly disclosed prior to general availability. Patches available on the first day of ship addressed 34 of these.
- During the first 90 days, Red Hat fixed 137 vulnerabilities affecting the reduced rhel4ws set of components. 40 of those addressed were High severity.
- At the end of the 90 day period, a total of 64 publicly disclosed vulnerabilities in the reduced set of components did not yet have a patch from Red Hat.
Regarding Mac OS X 10.4, Jones reported that:
- Mac OS X v10.4 had 10 vulnerabilities already publicly disclosed prior to the April 29, 2005 ship date and Apple provided fixes for 4 of these during the first 90 days after ship. Four of the vulnerabilities were High severity.
- During the first 90 days, Apple fixed a total of 20 vulnerabilities affecting Mac OS X v10.4, of which 8 were rated High severity in the NVD.
- At the end of the 90 day period, Mac OS X v10.4 still had 17 publicly disclosed vulnerabilities that did not yet have a patch from Apple.
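The three figures the report card repeats for every product (vulnerabilities already public before general availability and how many of those got a day-one fix, vulnerabilities fixed inside the 90-day window with the High-severity subset, and vulnerabilities still unpatched when the window closes) are simple to compute once disclosure and patch dates are lined up against the ship date. The following Python is an added example, not Jones' own tooling or anything from the .pdf; the vulnerability records, the general-availability date and the severity labels are constructed for the illustration (the labels follow the NVD-style High/Medium/Low scale the article refers to). The function works on whatever component set it is handed, which is exactly why the "reduced set" question in the Red Hat numbers matters: the counts depend on that list as much as on the vendor's patching.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Iterable, Optional


@dataclass(frozen=True)
class Vuln:
    """One publicly disclosed vulnerability (constructed record, not real NVD data)."""
    vid: str
    disclosed: date            # date the issue became public
    severity: str              # NVD-style rating: "High", "Medium" or "Low"
    patched: Optional[date]    # date the vendor shipped a fix, or None if still open


def report_card(vulns: Iterable[Vuln], ga: date, window_days: int = 90) -> dict:
    """Compute the 90-day report-card figures for a product that shipped on `ga`.

    A fix counts as "in window" if it shipped on the GA date or at any point up to
    and including day `window_days`; a fix that lands after the window closes leaves
    the issue counted as unpatched at the end of the period.
    """
    vulns = list(vulns)
    end = ga + timedelta(days=window_days)

    def high(vs):
        return sum(1 for v in vs if v.severity == "High")

    def fixed_in_window(v):
        return v.patched is not None and ga <= v.patched <= end

    pre_ga = [v for v in vulns if v.disclosed < ga]
    fixed = [v for v in vulns if fixed_in_window(v)]
    day_one = [v for v in fixed if v.patched == ga]
    # Only issues that were public by the end of the window can be "unpatched at end".
    unpatched = [v for v in vulns
                 if v.disclosed <= end and (v.patched is None or v.patched > end)]

    return {
        "pre_ga_disclosed": len(pre_ga),
        "pre_ga_disclosed_high": high(pre_ga),
        "pre_ga_fixed_in_window": sum(1 for v in pre_ga if fixed_in_window(v)),
        "fixed_on_day_one": len(day_one),
        "fixed_in_window": len(fixed),
        "fixed_in_window_high": high(fixed),
        "unpatched_at_end": len(unpatched),
        "unpatched_at_end_high": high(unpatched),
    }


# Constructed sample: a hypothetical product that shipped on 2024-01-01.
GA = date(2024, 1, 1)


def day(n: int) -> date:
    """Offset helper: day(0) is GA, negative values are before ship."""
    return GA + timedelta(days=n)


SAMPLE = [
    Vuln("V-1", day(-20), "High",   day(0)),    # public before GA, fixed on ship day
    Vuln("V-2", day(-10), "Medium", None),      # public before GA, never fixed
    Vuln("V-3", day(5),   "High",   day(30)),   # found and fixed inside the window
    Vuln("V-4", day(40),  "Low",    day(50)),   # found and fixed inside the window
    Vuln("V-5", day(80),  "High",   None),      # disclosed late in the window, still open
    Vuln("V-6", day(100), "High",   None),      # disclosed after the window: not counted
    Vuln("V-7", day(10),  "High",   day(95)),   # fix shipped after day 90: unpatched at end
]


def sample_report() -> dict:
    """Report card for the constructed sample above."""
    return report_card(SAMPLE, GA)


if __name__ == "__main__":
    for key, value in sample_report().items():
        print(f"{key:>24}: {value}")
```

Two choices in the function are worth noting when reading any vendor's numbers. First, a day-one fix for a pre-disclosed issue counts both as "already public before GA" and as "fixed in the window", which is how the Red Hat paragraph above reads (86 pre-disclosed, 34 fixed at ship). Second, the unpatched figure excludes anything disclosed after the window closed, so the same product can look better or worse depending on when the snapshot is taken.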
He also provided comparable numbers for Ubuntu 6.06 LTS and Novell's SUSE Linux Enterprise Desktop 10 (SLED10) to show that Vista's security vulnerability profile was noticeably better.