One year later, Vista really is more secure

One year later, Vista really is more secure

Summary: Windows Vista was released to manufacturing a year ago next week, and landed on retail shelves exactly nine months ago today. At the time, Vista head honcho Jim Allchin predicted that the number of security patches required for this version of Windows would go way down compared to its predecessor. So, was he right?

SHARE:

Windows Vista was released to manufacturing a year ago next week, and landed on retail shelves exactly nine months ago today. To mark the occasion, I dragged a system out of mothballs and installed the original RTM version of Vista Ultimate on it. (Well, OK, I also needed a test bed for some upcoming work, but still...)

Anyway, I was surprised to see that the automatic update process picked up only 35 updates totaling 93.9 MB in size. That's an average of fewer than four updates per month. And the number drops to fewer than three per month if you start counting with the original release to manufacturing date, which will mark its one year anniversary next week.

Jim Allchin, who led the Vista development and launch, is probably feeling at least somewhat vindicated today. After all, he predicted in an interview with PC World that patch counts would go way down with Vista:

"In my opinion, it's the most secure system that's available and the most secure system we have shipped," he said. This means the number and severity of security updates Microsoft must release every month on Patch Tuesday, the name security researchers have given for when Microsoft releases its monthly security patches, should be reduced, Allchin said.

"That can be proven," he said of his patch prediction. "We will see about that."

The lineup of patches for October 2007 offers some instructive examples. MS07-55 was a Critical update for Windows XP SP2 but didn't apply at all to Vista. MS07-56 was rated Critical for XP SP2 but was only Important for Vista. (For an explanation of the differences, see this page.)

And those 35 patches weren't all security related, either. Some were reliability and compatibility fixes. There are updates to the Windows Mail Junk Mail filters, and in the case of this system at least one driver update. So how does Vista measure up to its predecessor if you filter out all but security updates? Out of curiosity, I went to the Microsoft Security Bulletin Search page and looked for Critical and Important bulletins issued in the past year. Here are the results:

  • Windows XP with SP2: 41
  • Windows Vista: 14

That's almost as thorough a drubbing as the Patriots gave the Redskins last weekend. Microsoft has taken a lot of flak for Vista, but these results, in my opinion, validate the Security Development Lifecycle process, which was and is at the core of Vista's design and evolution.

Topics: Software, Microsoft, Operating Systems, Security, Windows

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

283 comments
Log in or register to join the discussion
  • So, let me get this straight...

    Less patches released = more secure? Wow, I'd like to release my own operating system based on that premise. I'll be sure to put you on the top of my sales calls and promise to only release one patch per month for you.....
    jparrott1
    • Vista security

      Is there evidence that there are a lot of security holes that Microsoft isn't addressing yet with Vista? True, this is only one measure, but if we take other things to be equal, this is a positive sign on the surface. I don't think we should keep promoting the idea that Microsoft products won't ever reach a level of security that home users and enterprises won't be happy with. thehub.rasmussen.edu
      jimmccormick
      • Well...

        Just drive on by securityfocus.com to see what issues can affect Windows Vista. I believe (but could be wrong) that Vista "Gadgets" are to blame for most of the potential or actual issues.
        ego.sum.stig
        • lol, I knew

          there had to be some benefit to shutting that thing off!
          Badgered
        • The lazier MS with security updates-the more secure is OS. It's logical (NT

          (NT)
          FX512
          • True, that is what Ed is suggesting

            Ed's law of security:
            Less patches = more secure

            Interesting to see such post surfaced in this highly rated tech forum. It might be time to either remove postings from people like Ed or simply move onto another forum to save my time.
            laman
          • Bye!

            Like you will be missed or somethin!
            andrej770
          • Which would you rather have?

            OSX has hundreds of patches and few attacks.
            Vista has had few patches and few attacks.

            OSX users are at the mercy of malware authors because the vulnerabilities [b]ARE[/b] there (based on numerous patches).
            Vista users are safe [b]despite[/b] the fact that malware authors would [b]love[/b] to attack but can't, because there are few vulnerabilities (hence few patches).

            I don't know about you but if I had the choice between 2 OSs that were rarely attacked, I would choose the one with fewer patches. At least then I know that my security is in [b]my[/b] hands instead of the hands of evil, wicked people. However, if you choose to put your safety into the hands of the Russian mob, be my guest!!

            snicker, smirk :)
            NonZealot
          • The number of patches NEVER reflects real security.

            Security is what it takes for a typical skilled hacker to get in.

            E.g. in the past ZDNet published a proven fact (by witnesses) - hacking Windows in a bank and transferring stolen money to another bank account took less than 10 minutes. IN A BANK!!!!

            As you understand, information how to do it and how many holes and where ... is not publicly available.

            Thus, if you want to know how secure is your OS ? ask hackers, not Ed.
            U525
      • Message has been deleted.

        i8thecat
      • When MS, against user's will, installs/deletes/copies whatever MS wants...

        ... Vista (Windows) is the MOST insecure OS ever.

        Microsoft is No. 1 hacker.

        Your valuable data is ALWAYS in great risk if you run Windows.

        For example, right after 9/11 G.W. Bush made a statement that the government will work with Bill Gates to find terrorists. Logically it means that the only way Bill Gates can do it - hacking through secret holes in Windows.
        Hot379
    • Hmmm, if my car needs fewer repairs...

      Then yeah, its is more reliable.
      No_Ax_to_Grind
      • *ahem*

        Or... it's reached the point of being unrepairable. In that case it needs very few (actually no more) repairs, it's about as dead as a Norwegian Blue parrot.
        ego.sum.stig
        • silly poster, my Windows doesn't need repairs.

          Works fine for me and 95% of the world. Wonder why you have so many problems???
          No_Ax_to_Grind
          • So...

            You're using a product that is no longer repairable? Race on.

            That and I don't have any problems that matter, other than wanting supercars that I can't afford, and that people won't let me borrow for an indeterminate amount of time to *ahem* test them.

            Ah well, back to trying to model this annoying stream flow thingy. I wish I was driving in Scotland.
            ego.sum.stig
          • Message has been deleted.

            ItsTheBottomLine
          • Message has been deleted.

            ego.sum.stig
          • stable

            i think vista is pretty stable had it sice release and did alot of tweeking im happy
            thomaswort
          • Yes, well...

            Vista's stability or whatever, well that's not the point. It's kind of a stress reliever messing with what passes for the minds of xunil, noaxe and the rest. They are so far gone they don't even notice.
            ego.sum.stig
          • "Works fine"

            In indication of how successful MS has been in **lowering** the expectations of how computers should work for many folks, especially those with MS** certifications.
            Mike Cox, Sr.