Over the past couple years, I’ve been regularly checking in to measure whether Windows Vista is living up to its promise of being more secure than its predecessor, Windows XP. (To catch up with previous installments, see October 2007, “One year later, Vista really is more secure,” and July 2008, “21 months later, Vista is still more secure than XP.”)
My metric is a simple but effective one: count the number of Microsoft Security Bulletins rated Critical or Important for different Windows versions over time. In both previous installments, Vista had a significant edge over XP, with far fewer updates required. Has Vista maintained its security advantage over the past year? And are there any indications as to how Windows 7 will fare, now that it’s been released to manufacturing?
The answer to both questions is yes.
It’s far too early to make definitive judgments about the relative security of Windows 7, but Microsoft’s shiny new OS had a banner first month. A total of eight Microsoft security bulletins were aimed at various Windows versions. Three of them were rated Critical for both Windows XP and Windows Vista, even with the most recent service packs. Another two security updates were rated Important for Windows XP and Moderate for Windows Vista.
But for all eight of the August 2009 security updates, Windows 7 and Windows Server 2008 R2 were listed under the Non-Affected Software heading. Not a single one of those security holes required patching in the new OS.
That’s the same pattern that Windows Vista established when it was new. And Vista has maintained its safer-than-thou reputation in the past year. I went through every single security bulletin Microsoft published for the past 12 months, from September 2008 through August 2009. The totals?
Windows XP: 22 Critical, 16 Important
Windows Vista: 18 Critical, 11 Important
That’s a 24% reduction in the number of patches rated Critical or Important—the kind that typically involve remote code execution or elevation of privilege. Or, to put it another way, that’s 3.2 patches per month for XP and 2.4 patches per month for Vista. (Bulletin counts measure how often a product needs patching, not how severe or how widely exploited each individual hole was, but as a year-over-year yardstick they are hard to argue with. And the next time someone complains about the number of patches they have to install for Windows, be sure to show them that number: 2.4 patches per month, delivered automatically on the second Tuesday of each month, isn’t exactly overwhelming.)
So what’s the difference? Security Bulletin MS09-032 is typical:
This security update resolves a privately reported vulnerability that is currently being exploited. The vulnerability in Microsoft Video ActiveX Control could allow remote code execution if a user views a specially crafted Web page with Internet Explorer, instantiating the ActiveX control. This ActiveX control was never intended to be instantiated in Internet Explorer. …
This security update is rated Critical for all supported editions of Windows XP….
That vulnerability doesn’t exist in Windows Vista or in Windows 7. And both of those newer operating systems have an additional advantage. As the bulletin notes: “Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.” That, of course, is the whole point of the standard-user model enforced by User Account Control, which was dissed so thoroughly in Windows Vista: even an administrator’s everyday processes, Internet Explorer included, run with a filtered token that lacks administrative rights until the user explicitly elevates. But it seems to be working.
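The two things the bulletin alludes to can be checked on a given machine: whether the current session actually runs with "fewer user rights" (an administrator sitting behind UAC is not the same as an administrator running unfiltered, as on XP), and whether the kill bit that an ActiveX bulletin sets is really present for a given control. The following PowerShell script is an added example written for this article; it is not code from the original post or from Microsoft. The CLSID passed to Test-KillBit is a placeholder and must be taken from the bulletin itself, and the script assumes PowerShell 2.0 or later (the version that ships with Windows 7).

```powershell
# Added example: report the rights of the current session and check an ActiveX kill bit.
# Not from the original article or from Microsoft; the CLSID below is a placeholder.

function Get-RightsSummary {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)

    # True only if the process token carries the Administrators group enabled,
    # i.e. the session is elevated (or UAC is off / the OS predates UAC).
    $isElevated = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

    # S-1-5-32-544 is the well-known SID of the local Administrators group.
    # Under UAC this can be $true while $isElevated is $false: that is the filtered token.
    $isAdminMember = [bool]($identity.Groups | Where-Object { $_.Value -eq 'S-1-5-32-544' })

    # EnableLUA = 1 means UAC is on. XP has no such value, so $uacOn is $false there.
    $policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $policy    = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
    $uacOn     = ($policy -ne $null) -and ($policy.EnableLUA -eq 1)

    New-Object PSObject -Property @{
        User            = $identity.Name
        AdminGroupMember = $isAdminMember
        Elevated        = $isElevated
        UacEnabled      = $uacOn
        # The case the bulletin's mitigation sentence is about: admin account, but
        # everyday processes run without administrative rights.
        RunningAsStandardUser = (-not $isElevated)
    }
}

function Test-KillBit {
    param([Parameter(Mandatory = $true)][string]$Clsid)

    # Internet Explorer refuses to instantiate a control whose "Compatibility Flags"
    # value has bit 0x400 set. 32-bit IE on 64-bit Windows reads the Wow6432Node copy,
    # so both locations are checked.
    $paths = @(
        "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid",
        "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
    )
    foreach ($path in $paths) {
        $item = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue
        if ($item -ne $null) {
            $flags = [int]$item.'Compatibility Flags'
            New-Object PSObject -Property @{
                Path      = $path
                Flags     = ('0x{0:X}' -f $flags)
                KillBitSet = (($flags -band 0x400) -eq 0x400)
            }
        }
    }
}

Get-RightsSummary | Format-List

# Placeholder CLSID: replace it with the one listed in the bulletin being verified.
Test-KillBit -Clsid '{00000000-0000-0000-0000-000000000000}' | Format-Table -AutoSize
```

If Test-KillBit prints nothing for a real CLSID, no compatibility entry exists at all, which means the kill bit is not set; a bulletin that is installed correctly produces at least one row with KillBitSet equal to True. Run Get-RightsSummary from an ordinary, non-elevated prompt to see the state a browser would run in; launching it from an elevated prompt will report Elevated as True and tells you nothing about everyday exposure.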