21 months later, Vista is still more secure than XP
Summary: Last October, roughly one year after the release to manufacturing of Windows Vista, I did a comparison of how well Windows Vista was living up to its promise of being more secure than its predecessor, Windows XP. My data source was the Microsoft Security Bulletin Search page, where I tallied up security bulletins rated Critical or Important for the two Windows versions. The result? Vista had an overwhelming edge over XP. So, has Vista maintained its security edge in the succeeding nine months? I did the same comparison for that period. Go see the numbers for yourself.
Last October, roughly one year after the release to manufacturing of Windows Vista, I did a comparison of how well Windows Vista was living up to its promise of being more secure than its predecessor, Windows XP (see "One year later, Vista really is more secure"). My data source was the Microsoft Security Bulletin Search page, where I tallied up security bulletins rated Critical or Important for the two Windows versions. The result? Vista had an overwhelming edge over XP, with a mere 14 security updates compared to 41 for XP with Service Pack 2 during the same period.
Has Vista maintained its security edge in the succeeding nine months? The answer, it turns out, is yes, although the margin has narrowed. I repeated that previous experiment using data from November 2007 through July 2008. The totals are as follows (in both cases, I assume that the most recent service pack is installed, with Vista SP1 counted beginning in March 2008 and XP SP3 in May 2008):
- Windows XP: 23
- Windows Vista: 19
The grand total for the period from November 2006 through July 2008, again assuming the most recent service pack is installed:
- Windows XP: 64
- Windows Vista: 33
Over the 21-month period, that’s a monthly average of roughly 1.5 Critical or Important security updates for Vista and 3 for XP.
Although it’s difficult to do Apple-to-Windows comparisons, I tried my best, using the Apple security updates page. By my count, between November 2007 and July 2008 there were 22 updates for Mac OS X and its included components, including seven Security Update packages designed to fix multiple vulnerabilities (such as the 13 separate fixes listed in the Mac OS X 10.5.4 update released on June 30). That’s four more than the Vista patch count during the same period and one less than the XP total. Make of that what you will.
My takeaway? The changes in the security model for Vista are continuing to pay off, and as Vista's market share grows, bad guys are turning their attention to vulnerabilities that affect both operating systems. When they do, the impact on Vista is likely to be less severe, as in Bulletin MS08-036, which was rated Important for XP SP2 and SP3 but only Moderate for Vista RTM and SP1. And, of course, none of these numbers takes into account the improvements in security that accrue when administrators are able to configure a standard user account in Vista, something that wouldn't work smoothly, if at all, in XP. That simple change goes a long way toward preventing users from compromising a system by running malicious executable code.
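As an added illustration of the tallying method described above (example code, not the author's own script or data), here is a Python sketch that counts Critical and Important bulletins per OS over a date window while applying the post's service-pack assumption (Vista SP1 from March 2008, XP SP3 from May 2008). The bulletin records are constructed samples, and the product strings and timeline dates are assumptions.

```python
from dataclasses import dataclass
from datetime import date

# Constructed sample bulletins (not real Microsoft data): per-product severity
# as the Security Bulletin Search page lists it, keyed by product string.
@dataclass
class Bulletin:
    bulletin_id: str
    released: date
    severity: dict  # product -> "Critical" | "Important" | "Moderate" | "Low"
# Service-pack timeline from the post: a product counts under its most recent
# service pack, with Vista SP1 from March 2008 and XP SP3 from May 2008.
CURRENT_SP = {
    "Windows XP": [(date(2004, 8, 1), "Windows XP SP2"),
                   (date(2008, 5, 1), "Windows XP SP3")],
    "Windows Vista": [(date(2006, 11, 1), "Windows Vista"),
                      (date(2008, 3, 1), "Windows Vista SP1")],
}
COUNTED = {"Critical", "Important"}  # the ratings the post tallies

def current_product(os_name, when):
    """Product string assumed installed on `when` (latest service pack)."""
    product = None
    for start, name in CURRENT_SP[os_name]:
        if when >= start:
            product = name
    return product

def tally(bulletins, start, end):
    """Count bulletins released in [start, end] rated Critical/Important, per OS."""
    counts = {os_name: 0 for os_name in CURRENT_SP}
    for b in bulletins:
        if not start <= b.released <= end:
            continue  # outside the comparison window
        for os_name in counts:
            if b.severity.get(current_product(os_name, b.released)) in COUNTED:
                counts[os_name] += 1
    return counts

def monthly_average(count, months):
    return round(count / months, 1)
SAMPLE = [  # constructed; the first mirrors the MS08-036 pattern the post cites
    Bulletin("SAMPLE-1", date(2008, 7, 8), {"Windows XP SP3": "Important", "Windows Vista SP1": "Moderate"}),
    Bulletin("SAMPLE-2", date(2008, 2, 12), {"Windows XP SP2": "Critical", "Windows Vista": "Critical"}),
    Bulletin("SAMPLE-3", date(2008, 4, 8), {"Windows XP SP2": "Critical", "Windows Vista SP1": "Important"}),
    Bulletin("SAMPLE-4", date(2007, 10, 9), {"Windows XP SP2": "Critical"}),  # before the window
    Bulletin("SAMPLE-5", date(2008, 6, 10), {"Windows XP SP3": "Critical"}),  # XP only
]
WINDOW = (date(2007, 11, 1), date(2008, 7, 31))  # November 2007 through July 2008
```

Note that SAMPLE-1 counts for XP but not for Vista, which is exactly how a bulletin rated Important on one OS and Moderate on the other shows up in the totals.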
Talkback
My take
I hear that a lot
I agree
I agree; that leads to too many counterarguments about what exactly you are counting (and not counting!) when you use the security-patch metric.
Vista was more secure than XP on day 1 because of 2 things:
1. UAC
2. IE Protected Mode
There will [b]always[/b] be bugs in software, and saying that product A is more secure with 5 vulnerabilities while product B is less secure with 10 is not the right way to look at it. Neither is secure. The question is, what can be done through the vulnerability? The answer: much less if the target is Vista. OS X is now the [b]only[/b] consumer OS that does not implement some form of restricted rights protection around its browser. Any exploit that comes in through Safari has full rights to the user's files, arguably the [b]most important[/b] files on the entire computer.
It's not just the counting
Although I feel that Vista's security
Counting the number of active exploits also doesn't give an accurate picture, since X could have been in the market longer than Y, or Y could have a greater market share, making it a more lucrative target.
To me what would make Vista more secure than XP would be how it implemented default options and what features it has that deal with potential compromise of the system.
I agree but....
While on the subject of facts, the number and rating of patches means nothing. One can only guess at how many vulnerabilities continue to go unreported. There is no definitive way to show that one OS is more secure than the other.
At best you can compare user experiences. All other data is virtually meaningless.
And I agree with you
The experiences are more telling, but the relatively small market share of Vista, combined with its relatively short life so far, may also be a factor. Once more people have had it for a longer time, flaws may be discovered in greater numbers.
Maybe not, but the bulletins issued really don't address that, and thus I think they don't have much meaning.
See my other comment in this thread
Yes, sheer numbers don't tell you much, but those comparisons of specific bulletins covering the same issue tell a very important story.
Incongruities
and Vista, and, charitably, allowing readers to look at OSX's count and "Make of that what you will".
The improvements to Vista are positive and unassailable.
The news is good, for literally everyone, Mac users included. That's why, in light of this spirit of unity, it's probably not good form to bring up certain things. But I will anyway.
It has taken years for Windows to get to this place. The advantages of Vista are being set against XP. XP can only now be criticized properly because its security can be compared to something like Vista? Where were these rebukes against XP when it was in its prime? Where were the comparisons to OSX then? Again, it's Windows vs Windows in this incestuous loop of "self competition". The downside? Well, in the midst of the Vista sales pitch, it becomes clear that XP was and is insecure. The lack of limited user access was a fatal flaw and it remains an issue for most of the Windows installed base.
Secondly, the metric is not only wrong, it's entirely wrong. The record of security consequences is the only thing that comes close to describing the trench experience, and everything else is navel gazing. The metric is not this week's consequences, or a month's worth; it is the platform's record. The effects have been cumulative, the lost money has been cumulative, and if we scratch the surface of human nature, the resentment has been cumulative as well.
What's wrong with Vista? Nothing, and for many, after a 5 year wait and a 1 year intermission, and a $200 to $2500 bill, it's just not good enough. Maybe this is hard for a guy who makes his living off Windows books to understand.
The Windows user sits on a staggeringly high pile of consequences, a history of billions of lost revenue, and you ask him to declare victory based on what exactly? A slightly smaller trickle of potential problems? Are you serious?
What we get is "Bottisms". Cherry-picked spin that is completely incongruent with the depth, breadth, and scope of real working computer use. It ignores the social issues, the monoculture issues, and the track record, and does it from within a Windows-centric vacuum.
This is a victory for Windows. It's to be celebrated. But if you are going to bring up OSX and make some snide inference, you will come all the way down off the knoll, stop the sniping, and stand behind both what you say and what you choose "not" to say. We expect balance, context, scope and concessions. We will expect to be told how long, from today, it will take for Apple's consequences to match those of Windows. Get me that metric.
I will set the last 7 years of consequence-free computing against your "advocacy" for the next 7, and buddy, you can make of that what you will.
Summer reruns
Meanwhile, maybe you can write some new material, Harry.
What I said about Vista...
As I said in a previous post, telephones are responsible for billions of dollars of losses to scams a year, and have been for a lot longer than 7 years, yet I don't think it's because they have unpatched flaws, it's because of the people who use them.
My guess is that a lot of the money you refer to being lost due to Windows is in a similar situation - people who just fall prey to a scam, and would regardless of the platform they had.
That's on top of the fact that most users know a lot more now about the Internet and its dangers than they did 5, 6, 7 years ago, so comparing what's going on now to the past isn't very accurate.
Back to the topic of the original post, comparing the bulletins issued by MS, the maker of the two OSs who probably wants to make their new OS which has a bad rep look good, may not be the most objective data to use. And again, who knows what they [i]haven't[/i] found?
get your blog (NT)
Just to pick one of your points...
Windows in this incestuous loop of "self competition".[/i]
Well, part of the reason is that one of the main arguments the very vocal anti-Vista have against Vista is XP, and this is something that has been brought up again and again. This has created the atmosphere of "self-competition" and so to then turn around and use that as one of your bases of criticism seems a bit silly.
Same Experience So Far
The people I know that upgraded to Vista have literally stopped calling me every few weeks or so to fix their systems. I think UAC is starting to get regular users to actually think about what they are clicking yes to. It has to be actually changing the behavior of regular users, because the only thing standing in the way of what they did before (indiscriminately installing crappy malware/spyware-loaded software found on the web) is the UAC prompts.
Regardless of what some say, I truly believe those prompts are getting people thinking about what they are actually doing.
Although the UAC prompts maybe
Same here, two machines at home (knock-knock)...nt
Agrees... <nt>
RE: 21 months later, Vista is still more secure than XP
.....
While I agree with the article...
Or for that matter, any actual evidence needed.
Oh wait, sorry, I didn't see it was Loverock. Proceed.