21 months later, Vista is still more secure than XP

Summary: Last October, roughly one year after the release to manufacturing of Windows Vista, I did a comparison of how well Windows Vista was living up to its promise of being more secure than its predecessor, Windows XP. My data source was the Microsoft Security Bulletin Search page, where I tallied up security bulletins rated Critical or Important for the two Windows versions. The result? Vista had an overwhelming edge over XP. So, has Vista maintained its security edge in the succeeding nine months? I did the same comparison for that period. Go see the numbers for yourself.


Last October, roughly one year after the release to manufacturing of Windows Vista, I did a comparison of how well Windows Vista was living up to its promise of being more secure than its predecessor, Windows XP (see "One year later, Vista really is more secure"). My data source was the Microsoft Security Bulletin Search page, where I tallied up security bulletins rated Critical or Important for the two Windows versions. The result? Vista had an overwhelming edge over XP, with a mere 14 security updates compared to 41 for XP with Service Pack 2 during the same period.

Has Vista maintained its security edge in the succeeding nine months? The answer, it turns out, is yes, although the margin has narrowed. I repeated that previous experiment using data from November 2007 through July 2008. The totals are as follows (in both cases, I assume that the most recent service pack is installed, with Vista SP1 counted beginning in March 2008 and XP SP3 in May 2008):

  • Windows XP: 23
  • Windows Vista: 19

The grand total for the period from November 2006 through July 2008, again assuming the most recent service pack is installed:

  • Windows XP: 64
  • Windows Vista: 33

Over the 21-month period, that’s a monthly average of roughly 1.5 Critical or Important security updates for Vista and 3 for XP.

Although it’s difficult to do Apple-to-Windows comparisons, I tried my best, using the Apple security updates page. By my count, between November 2007 and July 2008 there were 22 updates for Mac OS X and its included components, including seven Security Update packages designed to fix multiple vulnerabilities (such as the 13 separate fixes listed in the Mac OS X 10.5.4 update released on June 30). That’s four more than the Vista patch count during the same period and one less than the XP total. Make of that what you will.

My takeaway? The changes in the security model for Vista are continuing to pay off, and as Vista's market share grows, bad guys are turning their attention to vulnerabilities that affect both operating systems. When they do, the impact on Vista is likely to be less severe, as in Bulletin MS08-36, which was rated Important for XP SP2 and SP3 but only Moderate for Vista RTM and SP1. And, of course, none of these numbers takes into account the improvements in security that accrue when administrators are able to configure a standard user account in Vista, something that wouldn't work smoothly, if at all, in XP. That simple change goes a long way toward preventing users from compromising a system by running malicious executable code.

  • My take

    I don't count security patches, but I regularly have to clean malware from our XP machines but have yet to find anything on our Vista systems.
    • I hear that a lot

      And it matches my experience...
      Ed Bott
    • I agree

      [i]I don't count security patches[/i]

      I agree, that leads to too many counter arguments about what exactly you are counting (and not counting!) when you use the security patch metric.

      Vista was more secure than XP on day 1 because of 2 things:
      1. UAC
      2. IE Protected Mode

      There will [b]always[/b] be bugs in software and saying that product A is more secure with 5 vulnerability while product B is less secure with 10 is not the right way to look at it. Neither are secure. The question is, what can be done through the vulnerability? The answer: much less if the target is Vista. OS X is now the [b]only[/b] consumer OS that does not implement some form of restricted rights protection around its browser. Any exploit that comes in through Safari has full rights to the user's files, arguably the [b]most important[/b] files on the entire computer.
      • It's not just the counting

        The data I show here by and large supports your point of view. In general, vulnerabilities that are Critical or Important for XP are likely to be rated Moderate for Vista, as in the example I showed here and in the previous post. That's because of the changes you and I both point to. So the numbers are lower in many cases specifically because the attack surface is more hardened.
        Ed Bott
        • Although I feel that Vista's security

          model is better than XP's (simply because Vista gives out the least amount of privileges needed to run an app by default whereas XP assumed apps would require all privileges by default), I still don't like saying X is more secure than Y because we have issued more critical patches for Y than X. How many patches have been applied to a system does not necessarily indicate how secure the system is. The number of bugs in any complex software is unknown (including open source). So, if X patches 30 of 40 known bugs and Y patches 50 of 50 known bugs then Y is theoretically more secure than X since X still has 10 unpatched bugs in the software. However, it's also theoretically possible for Y to have more unpatched bugs than X simply because they haven't been discovered yet.
          Counting the number of active exploits also doesn't give an accurate picture since X could have been in the market longer than Y or Y could have a greater market share making it a more lucrative target.
          To me what would make Vista more secure than XP would be how it implemented default options and what features it has that deal with potential compromise of the system.
      • I agree but....

        I agree with your points on Vista, that does make it more secure. Of course that's only my intuition speaking, it has nothing to do with fact.

        While on the subject of facts, the number and rating of patches means nothing. One can only guess at how many vulnerabilities continue to go unreported. There is no definitive way to show that one OS is more secure than the other.

        At best you can compare user experiences. All other data is virtually meaningless.
        • And I agree with you

          Counting bulletins doesn't seem to me to be a real measure of how secure something is. Flaws that aren't patched are by their very nature not included in that, so who really knows.

          The experiences are more telling, but the relatively small market share of Vista, combined with its relatively short life so far, may also be a factor. Once more people have had it for a longer time, flaws may be discovered in greater numbers.

          Maybe not, but the bulletins issued really don't address that, and thus I think they don't have much meaning.
          • See my other comment in this thread

            The reality is that the security bulletins covering XP and Vista mostly deal with the same exact issues. It is unusual that an issue affects one but not the other. The difference when you look more closely is in degree: As the example I used shows, the bulletin for XP is rated Important because it can lead to remote execution of code, where the one for Vista is rated Moderate because it requires user interaction.

            Yes, sheer numbers don't tell you much, but those comparisons of specific bulletins covering the same issue tell a very important story.
            Ed Bott
          • Incongruities

            Counting vulnerabilities, comparing ratings between XP and Vista, and, charitably, allowing readers to look at OSX's count and "Make of that what you will".

            The improvements to Vista are positive and unassailable. The news is good, for literally everyone, Mac users included. That's why, in light of this spirit of unity, it's probably not good form to bring up certain things. But I will anyway.

            It has taken years for Windows to get to this place. The advantages of Vista are being set against XP. XP can only now be criticized properly because its security can be compared to something like Vista? Where were these rebukes against XP when it was in its prime? Where were the comparisons to OSX then? Again, it's Windows vs Windows in this incestuous loop of "self competition". The down side? Well, in the midst of the Vista sales pitch, it becomes clear that XP was and is insecure. The lack of limited user access was a fatal flaw and it remains an issue for most of the Windows installed base.

            Secondly, the metric is not only wrong, it's entirely wrong. The record of security consequences is the only thing that comes close to describing the trench experience and everything else is navel-gazing. The metric is not this week's consequences, or a month's worth, it is the platform's record. The effects have been cumulative, the lost money has been cumulative, and if we scratch the surface of human nature, the resentment has been cumulative as well.

            What's wrong with Vista? Nothing, and for many, after a 5 year wait and a 1 year intermission, and a $200 to $2500 bill, it's just not good enough. Maybe this is hard for a guy who makes his living off Windows books to understand.

            The Windows user sits on a staggeringly high pile of consequences, a history of billions of lost revenue, and you ask him to declare victory based on what exactly? A slightly smaller trickle of potential problems? Are you

            What we get is "Bottisms". Cherry-picked spin that is completely incongruent with the depth, breadth, and scope of real working computer use. It ignores the social issues, the monoculture issues, and the track record, and does it from within a Windows-centric vacuum.

            This is a victory for Windows. It's to be celebrated. But if you are going to bring up OSX and make some snide inference, you will come all the way down off the knoll, stop the sniping, and stand behind both what you say, and what you choose "not" to say. We expect balance, context, scope and concessions. We will expect to be told how long, from today, it will take for Apple's consequences to match those of Windows. Get me that metric.

            I will set the last 7 years of consequence free computing against your "advocacy" for the next 7, and buddy, you can make of that, what you will.
            Harry Bardal
          • Summer reruns

            I think I'll go see the X-Files instead.

            Meanwhile, maybe you can write some new material, Harry.
            Ed Bott
          • What I said about Vista...

            ...largely applies to OSX as well. The hacker ecosystem has not really developed around it, especially outside of the U.S., so I am not sure it's really been tested to the same extent as XP.

            As I said in a previous post, telephones are responsible for billions of dollars of losses to scams a year, and have been for a lot longer than 7 years, yet I don't think it's because they have unpatched flaws, it's because of the people who use them.

            My guess is that a lot of the money you refer to being lost due to Windows is in a similar situation - people who just fall prey to a scam, and would regardless of the platform they had.

            That's on top of the fact that most users know a lot more now about the Internet and its dangers than they did 5, 6, 7 years ago, so comparing what's going on now to the past isn't very accurate.

            Back to the topic of the original post, comparing the bulletins issued by MS, the maker of the two OSs who probably wants to make their new OS which has a bad rep look good, may not be the most objective data to use. And again, who knows what they [i]haven't[/i] found?
          • get your blog (NT)

          • Just to pick one of your points...

            ...[i]Again, it's Windows vs
            Windows in this incestuous loop of "self competition".[/i]

            Well, part of the reason is that one of the main arguments the very vocal anti-Vista have against Vista is XP, and this is something that has been brought up again and again. This has created the atmosphere of "self-competition" and so to then turn around and use that as one of your bases of criticism seems a bit silly.
    • Same Experience So Far

      <--- Same experience as the poster above.

      The people I know that upgraded to Vista have literally stopped calling me every few weeks or so to fix their systems. I think UAC is starting to get regular users to actually think about what they are clicking yea to. It has to be actually changing the behavior of regular users because the only thing standing in the way of what they did before (indiscriminately install crappy malware/spyware-loaded software found on the web) is the UAC prompts.

      Regardless of what some say, I truly believe those prompts are getting people thinking about what they are actually doing.
      • Although the UAC prompts maybe

        helping, I think the main thing is how Vista requires app developers to adjust their thinking. If I have an app that only needs to read a file without modifying such file then I don't need to run it with admin or system privileges (even if it has to create and modify user files, it still doesn't need admin or system privileges). Before, under XP, the app would by default have been given those privileges (it could have been written with more security in mind); however, under Vista it becomes a pain to run such an app with elevated privileges.
    • Same here, two machines at home (knock-knock)...nt

  • Agrees... <nt>

  • RE: 21 months later, Vista is still more secure than XP

    File this in the "no duh" category! Security was one of the main features touted by Microsoft for the Vista operating system. Add to that stability, scalability, and robustness and you have a foolproof system. It's no wonder that corporations and home users are flocking to it.
    Loverock Davidson
    • .....

      Ah yes the Darwin candidate prattles his typical tripe! ]:)
      Linux User 147560
    • While I agree with the article...

      ...[i]It's no wonder that corporations and home users are flocking to it[/i] - Citation needed.

      Or for that matter, any actual evidence needed.

      Oh wait, sorry, I didn't see it was Loverock. Proceed.