XP, Vista, or Windows 7: Which OS is more secure?

Summary: Over the past couple years, I've been regularly checking in to measure whether Windows Vista is living up to its promise of being more secure than its predecessor, Windows XP. My metric is a simple but effective one: count the number of Microsoft Security Bulletins rated Critical or Important for different Windows versions over time. Has Vista maintained its security advantage over the past year? And are there any indications as to how Windows 7 will fare, now that it's been released to manufacturing? I've got this year's numbers

Over the past couple years, I’ve been regularly checking in to measure whether Windows Vista is living up to its promise of being more secure than its predecessor, Windows XP. (To catch up with previous installments, see October 2007, “One year later, Vista really is more secure,” and July 2008, “21 months later, Vista is still more secure than XP.”)

My metric is a simple but effective one: count the number of Microsoft Security Bulletins rated Critical or Important for different Windows versions over time. In both previous installments, Vista had a significant edge over XP, with far fewer updates required. Has Vista maintained its security advantage over the past year? And are there any indications as to how Windows 7 will fare, now that it’s been released to manufacturing?

The answer to both questions is yes.

It’s far too early to make definitive judgments about the relative security of Windows 7, but Microsoft’s shiny new OS had a banner first month. A total of eight Microsoft security bulletins were aimed at various Windows versions. Three of them were rated Critical for both Windows XP and Windows Vista, even with the most recent service packs. Another two security updates were rated Important for Windows XP and Moderate for Windows Vista.

But for all eight of the August 2009 security updates, Windows 7 and Windows Server 2008 R2 were listed under the Non-Affected Software heading. Not a single one of those security holes required patching in the new OS.

That’s the same pattern that Windows Vista established when it was new. And Vista has maintained its safer-than-thou reputation in the past year. I went through every single security bulletin Microsoft published for the past 12 months, from September 2008 through August 2009. The totals?

Windows XP: 22 Critical, 16 Important

Windows Vista: 18 Critical, 11 Important

That’s a 24% reduction in the number of patches rated Critical or Important—the kind that typically involve remote code execution or escalation of privileges. Or, to put it another way, that’s 3.2 patches per month for XP and 2.4 patches for Vista. (And the next time someone complains about the number of patches they have to install for Windows, be sure to show them that number: 2.4 patches per month, delivered automatically on the first Tuesday of each month, isn’t exactly overwhelming.)
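As an added illustration, not part of the article or of Microsoft's bulletin data, the Python below computes the bulletin-count metric used here (reproducing the 24%, 3.2 and 2.4 figures from the 22/16 and 18/11 totals) and, for comparison, the exposure-days metric a commenter proposes further down; the bulletin records it runs on are constructed sample data.

```python
from collections import Counter
from datetime import date

# Constructed sample records (not Microsoft's bulletin data). Each entry holds
# the per-OS severity rating as a bulletin lists it ("Critical", "Important",
# "Moderate", or None for "Non-Affected Software") plus the dates the flaw
# became public and was patched.
SAMPLE = [
    {"id": "B-1", "xp": "Critical",  "vista": "Critical",  "win7": None,
     "disclosed": date(2009, 7, 6), "patched": date(2009, 7, 14)},
    {"id": "B-2", "xp": "Important", "vista": "Moderate",  "win7": None,
     "disclosed": date(2009, 6, 1), "patched": date(2009, 8, 11)},
    {"id": "B-3", "xp": "Critical",  "vista": None,        "win7": None,
     "disclosed": date(2008, 7, 9), "patched": date(2009, 7, 14)},
    {"id": "B-4", "xp": "Important", "vista": "Important", "win7": "Important",
     "disclosed": date(2009, 8, 1), "patched": date(2009, 8, 11)},
]

COUNTED = {"Critical", "Important"}   # the two ratings the article's metric counts


def count_ratings(bulletins, os_key):
    """Article's metric: (Critical, Important) bulletin counts for one OS."""
    c = Counter(b[os_key] for b in bulletins if b[os_key] in COUNTED)
    return c["Critical"], c["Important"]


def per_month(total, months):
    """Average Critical+Important patches per month, rounded as in the article."""
    return round(total / months, 1)


def reduction_pct(base_total, other_total):
    """Percent fewer Critical+Important patches than the baseline OS."""
    return round(100 * (base_total - other_total) / base_total)


def exposure_days(bulletins, os_key):
    """Commenter's alternative: days each counted flaw was public before its patch."""
    return sum((b["patched"] - b["disclosed"]).days
               for b in bulletins if b[os_key] in COUNTED)


if __name__ == "__main__":
    print("reduction:", reduction_pct(22 + 16, 18 + 11), "%")
    for os_key in ("xp", "vista", "win7"):
        crit, imp = count_ratings(SAMPLE, os_key)
        print(os_key, "critical:", crit, "important:", imp,
              "exposure-days:", exposure_days(SAMPLE, os_key))
```

Note how one long-unpatched flaw (B-3) counts once under the article's metric but dominates the exposure-days total, which is exactly the difference the two metrics are arguing about.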

So what’s the difference? Security Bulletin MS09-032 is typical:

This security update resolves a privately reported vulnerability that is currently being exploited. The vulnerability in Microsoft Video ActiveX Control could allow remote code execution if a user views a specially crafted Web page with Internet Explorer, instantiating the ActiveX control. This ActiveX control was never intended to be instantiated in Internet Explorer. … 

This security update is rated Critical for all supported editions of Windows XP….

That vulnerability doesn’t exist in Windows Vista or in Windows 7. And both of those newer operating systems have an additional advantage. As the bulletin notes: “Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.” That, of course, is the whole point of the user model that was dissed so thoroughly in Windows Vista. But it seems to be working.

Topics: Operating Systems, Microsoft, Security, Software, Windows


Talkback

250 comments
  • RE: XP, Vista, or Windows 7: Which OS is more secure?

    The writer obviously needs a lesson in Microsoft security if his reason for calling Vista more secure than XP is "You have to patch it less". Microsoft is known for keeping things secret from the public, just not acknowledging them or just taking their sweet time fixing things. The ActiveX component that he's talking about, it took MS around a year to solve that issue.

    http://www.examiner.com/x-14651-Minneapolis-Information-Technology-Examiner~y2009m7d9-Microsoft-acknowledged-this-latest-ActiveX-bug-a-year-ago-so-why-isnt-it-fixed

    So according to the writer's opinion, this issue didn't count as a security issue because it wasn't fixed until now. If he were to, say, go out and really do some research, then I might be able to determine if he's credible or not. From my standpoint here in the field, he's not.

    Here's some proof: Do you know that the Windows Logon Screen Saver is a security flaw? It is. Simply shut down Windows, and either use a Windows Recovery CD, or put your hard drive into another system. (FYI, this assumes you don't have the password for a system that has a password; Google is your friend if you need help, Yahoo and Bing are sales people.) Rename C:\windows\system32\logon.scr to logon.scr1 (back it up to hide your trail). Then copy cmd.exe to logon.scr and restart the computer. Wait about 5-15 minutes for the screen saver to appear and voilà, you have a command line. When you're done, use the Recovery CD again, or put the hard drive in the other computer again, and then delete logon.scr, rename logon.scr1 to logon.scr and reboot.

    You can do this with any other program you want as well, say another command line program if yours doesn't want to work properly. The command prompt will give you System access so you can play with almost anything out there. When it loads up, type in Explorer to get the shell, but keep in mind, Explorer will kill itself usually, but the command prompt will still be there (Alt+Tab is your friend here). This is a security flaw, and is there a patch to it yet?

    I'm a computer technician, and I've used this to get into several computers. Some with viruses, some with idiot users.

    If the screen saver ran with Guest or Limited permissions, then yeah it could be seen as a non-issue, but it's running as SYSTEM. You can edit the registry so that when an Admin logs on, you can run a malicious program that will take over the system, and it will have Admin access.
    SomeCritic
    • ok, right

      so hackers coming at you from the internet are really going to be able to put the windows recovery CD in your drive or, better yet, get your hard drive and install it into their system... right that's what is going to happen.

      Any computer system where someone has physical access to it is toast...
      ozguy
      • Actually...

        most modern servers (HP, IBM, Dell) have remote LOM, and most LOM systems allow you to set up a virtual (remote) DVD drive. If your LOM password is weak it's not that difficult to do.
        As to your statement: [i]"Any computer system where someone has physical access to it is toast... "[/i]
        Untrue. Solaris 10 with Trusted Extensions, if set up properly, cannot be hacked from the keyboard short of a complete reinstall (ask me how I know), which technically isn't hacked, just blown away. The lesson I learned is make sure all your policies are in place and work as expected before activating trusted extensions.
        [edited to fix a typo]
        914four
    • Seriously?

      You're saying that Windows is insecure because it can be compromised if an attacker has physical access.

      Name one standard OS that CAN'T be compromised under the same situation (attacker has direct physical access to the server). One.
      alkanshel
      • Solaris 10

        Once you've activated Trusted Extensions.
        Just be careful, once you've turned it on you can't turn it off.
        914four
      • Drive encryption.

        Any OS that offers drive encryption.

        Windows Vista/7 with bitlocker.

        Any OS with TrueCrypt.
        CobraA1
    • Easier Way

      It is much easier, if you are trying to access a Windows XP Home computer, to just boot into safe mode. The log in screen will show the Administrator account, which is not password protected. Just click on the Administrator icon and you will go right in. If the user has password protected the Admin account, you will be stopped. How many people know to boot XP Home into safe mode and put a password on the Admin account? I suspect the Admin account is hidden and has no password so Microsoft could help users get back into their system if they forget their password.
      Boykin01
      • Or boot from a flash drive

        ...Which can get you root for Linux, IIRC. Haven't tried it with Windows, but it's probably possible.
        alkanshel
    • That's not proof

      This has nothing to do with physical security. As the others have said, if you have in-person access to a box, it can pretty much be considered compromised.

      This is why encryption is still necessary, and the encryption software makers of the world still turn a profit.
      beoz
    • Actually...

      Uhm, AppLocker, BitLocker, UAC, etc. are pretty good protection systems that all of the others lack; inform yourself.
      keoz
    • Trolling again Ed???

      You got them going again, as usual
      Mark Grobler
      • Seems it takes very little

        to get the bashers going on here
        JasonJD48
        • That is GOD'S OWN TRUTH!!!

          [i][b]"Seems it takes very little to get the bashers going on here "[/b][/i]
          --JasonJD48

          You should see the threads when the subject of open source software comes up! Absolutely unbelievable.
          nbahn
          • For the record...

            I love open software, being of limited means, I couldn't do a lot of what I do without the programmers who put in their time and energy for free

            I just happen to like Windows, and I just happen to like using IE for some things.
            JasonJD48
    • Oh, please . . .

      "The writer obviously needs a lesson in Microsoft security if his reason for calling Vista more secure than XP is 'You have to patch it less'."

      I think it's a decent measure. It gives you an idea of how much a system is likely to be affected by potential security threats. Most threats are going to be from the Internet, not from a local repair shop.

      "simply shutdown Windows, and either use a Windows Recovery CD, or put your hard drive into another system."

      This is an extremely rare worst case scenario. You need physical access to the system to perform such an attack.

      If somebody is going [b]THAT[/b] far to grab your data, then all Linux, UNIX, and MacOS systems are vulnerable as well. The only thing that will protect you from that type of attack is an encrypted drive.
      CobraA1
  • Without reading the article first:

    I can say it *ain't* XP :P
    The one and only, Cylon Centurion
  • Reasonable metric?

    I think a better metric would be the total number of exposure days based on when the flaw was found until the flaw was patched. It complicates the calculation but it reflects the stability of the operating system. So one flaw that took six months to fix would be the same as six flaws that took one month to fix. Obviously there are other considerations, but I'm still impressed with other systems or browsers that respond much more quickly (i.e. Mozilla, etc.)
    rgod8855
    • Apples and Oranges

      You're mixing fixes with time to fix.
      One is a "hole"
      One is response time

      Kind of like crime.
      - how safe is my neighborhood?
      - what is the local police response time?

      My first choice is safer.

      rhonin
    • Re: Reasonable metric

      Another metric worth considering is to do Ed's counting for the same number of days since release of the OS, not the same calendar time period. Attackers of Windows XP versus Windows Vista have a much larger target group to attack and thus more incentive to go after it, and they have had much more time to scout it out. A 20-25% difference as indicated by Ed's numbers appears fairly unsurprising from this point of view.
      Railroad Buff
      • Not so

        Much more important is the development environment. Many of the patches described here affect core components of the OS or associated apps. The example I gave is a perfect example. The core code in XP had a flaw, whereas the core code developed for Vista and 7 does not. Same exact attack vector, higher-quality code.

        Much of this has to do with the Secure Development Lifecycle, which eliminates potential vulnerabilities as part of the development process.
        Ed Bott