The writer obviously needs a lesson in Microsoft security if his reason for calling Vista more secure than XP is "You have to patch it less". Microsoft is known for keeping things secret from the public, just not acknowledging them or just taking their sweet time fixing things. The ActiveX component that he's talking about, it took MS around a year to solve that issue.
http://www.examiner.com/x-14651-Minneapolis-Information-Technology-Examiner~y2009m7d9-Microsoft-acknowledged-this-latest-ActiveX-bug-a-year-ago-so-why-isnt-it-fixed
So according to the writer's opinion, this issue didn't count as a security issue because it wasn't fixed until now. If he were to say, go out and really do some research, then I might be able to determine if he's creditable or not. From my stand point here in the field, he's not.
Here's some proof: Do you know that the Windows Logon Screen Saver is a security flaw? It is, simply shutdown Windows, and either use a Windows Recovery CD, or put your hard drive into another system. (FYI, this assumes you don't have the password for a system that has a password; Google is your friend if you need help, Yahoo and Bing are sales people) Rename C:\windows\system32\logon.scr to logon.scr1 (back it up to hide your trail). Then copy cmd.exe to logon.scr and restart the computer. Wait about 5-15 minutes for the screen saver to appear and viola, you have a command line. When you're done, use the Recovery CD again, or put the hard drive in the other computer again and then delete logon.scr and then rename logon.scr1 to logon.scr and reboot.
You can do this with any other program you want as well, say another command line program if yours doesn't want to work properly. The command prompt will give you System access so you can play with almost anything out there. When it loads up, type in Explorer to get the shell, but keep in mind, Explorer will kill itself usually, but the command prompt will still be there (Alt+Tab is your friend here). This is a security flaw, and is there a patch to it yet?
I'm a computer technician, and I've used this to get into several computers. Some with viruses, some with idiot users.
If the screen saver ran with Guest or Limited permissions, then yeah it could be seen as a non-issue, but it's running as SYSTEM. You can edit the registry so that when an Admin logs on, you can run a malicious program that will take over the system, and it will have Admin access.
Over the past couple years, I’ve been regularly checking in to measure whether Windows Vista is living up to its promise of being more secure than its predecessor, Windows XP. (To catch up with previous installments, see October 2007, “One year later, Vista really is more secure,” and July 2008, “21 months later, Vista is still more secure than XP.”)
My metric is a simple but effective one: count the number of Microsoft Security Bulletins rated Critical or Important for different Windows versions over time. In both previous installments, Vista had a significant edge edge over XP, with far fewer updates required. Has Vista maintained its security advantage over the past year? And are there any indications as to how Windows 7 will fare, now that it’s been released to manufacturing?
The answer to both questions is yes.
It’s far too early to make definitive judgments about the relative security of Windows 7, but Microsoft’s shiny new OS had a banner first month. A total of eight Microsoft security bulletins were aimed at various Windows versions. Three of them were rated Critical for both Windows XP and Windows Vista, even with the most recent service packs. Another two security updates were rated Important for Windows XP and Moderate for Windows Vista.
But for all eight of the August 2009 security updates, Windows 7 and Windows Server 2008 R2 were listed under the Non-Affected Software heading. Not a single one of those security holes required patching in the new OS.
That’s the same pattern that Windows Vista established when it was new. And Vista has maintained its safer-than-thou reputation in the past year. I went through every single security bulletin Microsoft published for the past 12 months, from September 2008 through August 2009. The totals?
Windows XP: 22 Critical, 16 Important
Windows Vista: 18 Critical, 11 Important
That’s a 24% reduction in the number of patches rated Critical or Important—the kind that typically involve remote code execution or escalation of privileges. Or, to put it another way, that’s 3.2 patches per month for XP and 2.4 patches for Vista. (And the next time someone complains about the number of patches they have to install for Windows, be sure to show them that number: 2.4 patches per month, delivered automatically on the first Tuesday of each month, isn’t exactly overwhelming.)
So what’s the difference? Security Bulletin MS09-032 is typical:
This security update resolves a privately reported vulnerability that is currently being exploited. The vulnerability in Microsoft Video ActiveX Control could allow remote code execution if a user views a specially crafted Web page with Internet Explorer, instantiating the ActiveX control. This ActiveX control was never intended to be instantiated in Internet Explorer. …
This security update is rated Critical for all supported editions of Windows XP….
That vulnerability doesn’t exist in Windows Vista or in Windows 7. And both of those newer operating systems have an additional advantage. As the bulletin notes: “Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.” That, of course, is the whole point of the user model that was dissed so thoroughly in Windows Vista. But it seems to be working.
