90-day report card: Windows Vista fared better than competitors


Ninety days after the release of Microsoft's Windows Vista to business customers, the new operating system has a much better security vulnerability profile than its predecessor and several other modern workstation operating systems including Red Hat, Ubuntu, Novell and Apple products.

That's according to Jeff Jones, security strategy director in Microsoft's Trustworthy Computing group.

Vista 90-day security report

Jones has published a 90-day report card (.pdf), stacking up flaws reported and fixed in Vista against vulnerabilities uncovered during the first 90 days of Windows XP, Red Hat Enterprise Linux 4 WS, Ubuntu 6.06 LTS, Novell SUSE Linux Enterprise Desktop 10 and Mac OS X 10.4 (Tiger).

During the period under review, Jones said Microsoft shipped a solitary security bulletin affecting Vista users -- MS07-010, which covered a remotely exploitable hole in the Microsoft Malware Engine. He also called attention to four other reported Vista bugs that remain unpatched, one carrying a "high risk" rating.

By comparison, during the first 90 days after Windows XP shipped, Jones' research showed that Microsoft patched a total of 14 vulnerabilities, 8 rated critical. "At the end of the 90 day period, a total of 4 publicly disclosed [Windows XP] vulnerabilities did not yet have a patch available from Microsoft," Jones said.

Regarding Red Hat Enterprise Linux 4 Workstation (rhel4ws), Jones said the open-source vendor fixed a total of 181 vulnerabilities, 58 rated "high severity" by the U.S. government's National Vulnerability Database. He acknowledged that many of these bugs covered components that Red Hat ships and supports as Red Hat Enterprise Linux 4 WS, noting that it might be construed as "unfair" to count those.

However, even with a reduced RHEL4WS component set, Jones said:

  • The reduced rhel4ws set of components had 86 vulnerabilities already publicly disclosed prior to general availability. Patches available on the first day of ship addressed 34 of these.
  • During the first 90 days, Red Hat fixed 137 vulnerabilities affecting the reduced rhel4ws set of components. 40 of those addressed were High severity.
  • At the end of the 90 day period, a total of 64 publicly disclosed vulnerabilities in the reduced set of components did not yet have a patch from Red Hat.

In the first 90 days after Apple's Mac OS X v10 shipped, Jones showed that Windows Vista fared much better, arguing that the data does not support Apple's marketing stance that the Mac OS X does not have the same security issues that face other operating systems.

Specifically, Jones reported that:
  • Mac OS X v10.4 had 10 vulnerabilities already publicly disclosed prior to the April 29, 2005 ship date and Apple provided fixes for 4 of these during the first 90 days after ship. Four of the vulnerabilities were High severity.
  • During the first 90 days, Apple fixed a total of 20 vulnerabilities affecting Mac OS X v10.4, of which 8 were rated High severity in the NVD.
  • At the end of the 90 day period, Mac OS X v10.4 still had 17 publicly disclosed vulnerabilities that did not yet have a patch from Apple.

He also provided comparable numbers for Ubuntu 6.06 LTS and Novell's SUSE Linux Enterprise Desktop 10 (SLED10) to show that Vista's security vulnerability profile was noticeably better.


Talkback

  • How can you conclude anything?

    Yes I'm a business customer. Yes I have Vista. I have it installed on a total of one computer. It runs none of my current software correctly. At this point I'm staying on XP and waiting to see what develops with Vista. I'm sure everyone is taking the same approach. It will be years before you can judge or analyze Vista's impact on business. Currently it has no impact.
    DemonX
    • Added to that

      fact that you can't run your current Windows apps. One must also compare with the current provider. That is Microsoft.

      All I can conclude from the little graph is that Microsoft products are the best within 90 days. Particularly when compared with Linux distros.

      It can also be seen that Windows Vista is about three times better than XP in the first 90 days (approx 33% of the vulnerabilities XP had). We all know how bad XP was after 90 days and up to SP2. To all those standing proud now. What makes you think Vista will be any better?

      To me 33% of really bad is still pretty bad.
      Saurondor
      • Seems you didn't notice

        The other alternatives, Ubuntu Linux and Apple OS X were even worse than XP. So, it's reasonable, in fact responsible, to report Vista is the safest OS on the market today.
        I think the years of propaganda and spin from the OSS crowd, that is getting split down the middle by licensing wars, has finally made you believe it's true? Linux has been buggier than XP for years. FF buggier than IE for a long time now.
        Apple is not all that much better than Linux, so take heart.
        And it's pure BS about Vista in the workplace. The commenter above applied his own experience to the world. There are multiple 30,000+ shops that have come up on Vista. Clearly enough to settle this debate, worldwide.
        And guess what, more good news. The numbers used to measure Microsoft OSes in the past, such as XP, were done using different methods than have been applied to Vista. This means that by the end of March, we may see that Vista is actually outpacing XP at this point in time after its release. It's very possible and probable. The sales are starting to climb. Office 2007 is selling way ahead of office 2003 and high end hardware is going out the door at a 3 digit percentage rate over last period, last year.
        Move over bloated and buggy Linux and OS X, the best is in town, and Vista is here to stay!!
        xuniL_z
        • Notice what?

          You still fail to counter the point in my argument. That is that XP had way less flaws in this report yet over 6 years had a worse overall track record. What makes you think Vista won't be the same? It's the same old story with Microsoft. Spin spin spin. And many are not buying into it this time around.
          Saurondor
          • I did counter you.

            Since SP2, XP has been stable and a solid OS. Better than Linux in regards to security. Vista builds on top of XP SP2 and adds even more security, so it clearly follows it's going to be more secure. IE running in protected mode has proven itself already as way more secure than FF. IE 6 or 7, running on XP is more secure than FF.
            I think the only thing people are "buying" this time around is some hesitation from the relentless propaganda and lies that have been pumping out of FSF and Apple and others. A non profit organization going on a smear campaign. How nice. I can see why Torvalds doesn't want anything to do with those fanatics who want to control Linux with an iron fist in GPLv3. It would attempt to force hardware patents to be revealed, it would pretend to be the knower of evil and make the MS/Novell partnership illegal under the license. Just over the top stuff you expect from radicals.
            I do agree with Stallman on one point and I've taken a lot of heat for even mentioning Google has altered Linux code and even more heat for saying they are breaking the spirit of the license. Well, your beloved Mr. Stallman agrees with me, or I agree with him, whatever, 100%. A product being a "service" should NOT be a loophole allowing a company to not share its code back. Google has altered Linux a lot and it's the linux they use for the search engine and other applications including desktop I'm sure. Why would that be exempt from the GPLv2 language even. Only because it's not packaged software and technically installed (although some of it is) in a traditional way, Google can hoard and patent the heck out of Linux code w/o sharing one iota. And the OSS community here on zdnet, by and large, supports that idea and Google. They have to decide which way to go. With Linux or Stallman. The happy little universe is starting to develop a fault line that is getting bigger and bigger.
            xuniL_z
          • Hey Linux_Z - why don't you just kiss MS's ass and be done with it.

            Tired of reading your 'I am not making enough from my stock purchase' crap.
            nomorems
          • You didn't

            I agree with your opening statement. I agree that Vista is better than XP. Even if the better security is at the expense of less usability. My point is that XP hell came to be after the first 90 days and up to SP2. My point goes further to say that the fact that an OS has less problems in its first 90 days has nothing to do with the problems it will bring in the next 2100+ days. That is exactly the point you failed to counter. Namely the future. Which is the one that matters to me most and I'm sure it matters a lot for a whole lot of people too.

            The graph only proves that Vista had less detected flaws in its first 90 days than XP which in turn had less flaws detected than any other OS on the graph. That advantage in the first 90 days did not do anybody any good down the road. As we all lived through a great series of problems in the following 2100+ days.

            I'm very hard pressed to believe there will be an improvement vs other OS down the road. Microsoft has showered us with press releases and memos from Bill Gates himself on security initiatives which have held no truth. It's been years after the so called Trustworthy Initiative by Gates. What do we have to show for that? Vista? UAC? Time will surely tell, but for the moment being you have failed to counter my point. Unless of course you have a De Lorean parked outside your house and are party to some future events we are not aware of.

            Regarding the whole Google stuff. Who cares? What does that have to do with Vista and my desktop's or laptop's security? Please stay on topic or open your own blog on the matter.
            Saurondor
          • Then I'll counter it

            [i]I'm very hard pressed to believe there will be an improvement vs other OS down the road.[/i]

            I think there will be a degree of improvement for some people and absolutely no improvement for others.

            Vista will improve things for people with common sense but without much computer security experience. Microsoft's strategy with XP was to remove all vulnerabilities and that is a strategy that will always fail. If Vista was just XP with the promise of fewer vulnerabilities, I would agree with you that nothing will change. That isn't the case though. Microsoft's strategy with Vista is to remove all vulnerabilities (duh) but to mitigate the damage of the vulnerabilities that they [b]will[/b] miss. The sad thing is that XP was more than capable of this but MS was afraid of the consumer backlash from people who don't understand why they need to approve actions that could potentially damage the system. From the FUDders reaction to Vista, it looks like MS was right to be afraid but wrong to delay.

            Vista won't be any more secure for people who absolutely must download and install every single little neat-o program that they find or is emailed to them. The OS can only warn a person once that they are about to run something that came from an unknown source, then again to warn them that the application is trying to do something that could potentially damage the system and then it has to obey the administrator's wishes. These people will get infected by the 236,000 socially engineered trojan horses that are out there right now. The alternative (something Apple is doing with the iPhone) is to simply take away the user's ability to decide if something is a good program or a bad program and create an OS that will only run MS approved software. Do you want that? I don't.

            So yes, I think things will get better for users with common sense because Microsoft's strategy for secure computing has changed. Is it late? Yes. Is it new? No, and I'm not trying to claim either. However, will there still be 236,000 (and rising) exploits targeting Windows? Absolutely. Wait, let me change that. Will there still be 236,000 (and rising) exploits targeting stupid Windows [b]users[/b]? Absolutely. And the Mac zealots will jump on that one number and ignore the reality of the situation.
            NonZealot
          • Still waiting NonZealot

            You must have cut your post short or something because I missed the counter point. You got to the part that Vista users will have less problems than XP users. That is quite clear from the graph.

            Yet today a Mac user has less everyday problems than a Windows user. Even though Mac had more vulnerabilities in the first 90 days. It is clear from your post that Vista offers more security than XP, but given XP's need for improvement it means very little.

            To make it simple. To counter my argument you have to show us that Vista will have less problems than OS X or Linux down the road. Because XP had less problems than OS X or Linux in its first 90 days, but later performed worse than the two other products put together.

            Given Microsoft's track record of loud speak and poor delivery of real secure solutions I'm doubtful you or anyone will be able to prove that.
            Saurondor
          • You've changed your question

            [i]To make it simple. To counter my argument you have to show us that Vista will have less problems than OS X or Linux down the road.[/i]

            Huh? That wasn't your original question. Your original post asked why Vista was going to be better than XP, not OSX or Linux:
            [i]We all know how bad XP was after 90 days and up to SP2. To all those standing proud now. What makes you think Vista will be any better?[/i]

            I was answering your original question, not a question that you hadn't posed yet. Sorry, I can't read your mind! I was listing the reasons why I believe Vista will be better than XP, just like you asked. Microsoft has gone from relying on vulnerability free code to mitigating the vulnerabilities that will appear in Vista. It is that change in strategy that makes me believe Vista will be better than XP (which was your original question).

            I'll address your brand new question though. Why does Vista have to have [b]fewer[/b] security problems than OSX or Linux? Since both those OSs are invulnerable (or so the zealots tell us), I'd settle for Vista having the same number of problems. That way all Windows users get the advantage of being able to buy their hardware from whomever they want (unlike OSX which forces me to use incredibly overpriced and inferior Apple hardware), the advantage of being able to play every game on the market (something Linux and OSX can't do right now), while being invulnerable to all exploits (like OSX and Linux). Why wouldn't I choose the OS that had the same security as the others but also gave me freedom of hardware and software? Of course, not much will change for me since I'm currently invulnerable (using the Mac zealot definition of the word) to all exploits on XP but for those that don't know how to remove their admin privs and use Run As, Vista is a step forward. Actually, it is an improvement for me too since UAC is easier to use in most cases than Run As.
            NonZealot
          • I didn't change a thing

            To quote myself:

            "It can also be seen that Windows Vista is about three times better than XP in the first 90 days (approx 33% of the vulnerabilities XP had). We all know how bad XP was after 90 days and up to SP2. To all those standing proud now. What makes you think Vista will be any better?

            To me 33% of really bad is still pretty bad."

            The question is "What makes you think Vista will be any better?". Which implies "better than OS X or Linux". Because two sentences before that I had clearly said that Vista was better than XP. So the [b]implied[/b] subjects I'm comparing Vista with must be the other OSs in the graph.

            Oh and please don't give me a spin on this post. Because it would only show us that supporters like yourself and xuniL_z still have doubts that Vista is better than XP. Just the hint from anyone that I was talking about XP in that question indicates a doubt in the improvement capacity Microsoft might have in one of its flagship products.

            BTW your answer to this question in itself is questionable because you try to justify it with exactly that which is being questioned. "Since both those OSs are invulnerable (or so the zealots tell us)", is the only line you give us to back up that Vista will be as secure as Linux or OS X. But that is exactly what is being questioned here. That is the lines being given to us by zealots like xuniL_z. Who replay Microsoft's press releases again and again.

            Let us stand back and see what history shows us. XP had less vulnerability in the first 90 days, but a terrible track record after that. So if you bought a PC in the first 90 days of XP you were fine as long as you sold it and got a Mac afterwards. Otherwise, like most of us did, you went through security hell and back.

            Oh, BTW I have a friend who installed and uninstalled Vista on the same day. Seems his ATI video card didn't have drivers for Vista. His Kubuntu runs fine with dual head and all.
            Saurondor
          • Here is the deal...

            you can have total security, or total freedom, or somewhere in the middle. MS is trying to strike a happy balance. Security is not everything, as you suggest. Yes the post is about security and Vista shows great improvements but nobody can guarantee the future. Apple just released a MegaPatch for 45 separate vulnerabilities. That is a year later, so it appears Apple's track record is not improving. You look at Mozilla and Linux over the last year and you'll not see anything better than Windows there either. Windows is the one that is actually trending the best over the last 2+ years.
            That said, security is just one component. It's a law enforcement issue. I'd like to see some kind of initiative where ISPs are subsidized to do real time packet inspection if necessary. But they should all be checking for viruses. What kind of network relies on its end points for ALL of its security? The amount of traffic on the internet is 100s of times greater than it needs to be if most garbage was eliminated at the first or nearest hop on the internet from its origin. Not after it's caused load on 100 segments and an end point is expected to stop it. Freedom doesn't come cheap. Look at 9/11. That is the price of freedom, but is security better than freedom, even with the price to pay? I don't believe so and Windows has always offered the most productive system you can get. Vista is the latest and coolest in their line of systems everyone can afford, from 500.00 to 3000.00. Choice of equipment is a huge benefit to me. Mac hardware, for example, is rated very much average by CNet and other review sites. Even a Gateway beats a Mac in the majority of benchmarks. Sure the Mac is more secure as it's a black box affair. But with that comes a loss of freedoms that most of us take for granted. As for Linux, they are fine. I just don't like the way they operate in many cases. Such as the FSF. They are so arrogant they dismiss the advice of Linux's creator like he was a nobody. The kernel will not be going to GPLv3, that we know. I think it's too unstable of an environment to bank the next 10 years on. That's just my opinion. I have used Vista now and it is awesome. I honestly think those that say it's slow or what's the big deal weren't using the same OS as I. It is very cool. And it offers a ton of solutions with its lineup of integration ready state of the art software. Its smoothness betrays its speed, almost like that of a tall fast athlete. They look like they are barely running, for example, but it's only because of their grace and in reality they are running faster than any competitor. The .NET 3.0 stack looks great and has a lot of potential. Office 2007 is selling very well, so business is buying Microsoft, they are just not moving to Vista yet in many cases. They will, the integrated search, the foundation classes, browser running in protected mode mitigating many issues XP had with IE, if not most or all of them. Programmers can rejoice since Vista was designed with programmers in mind more so than any release of Windows to date, per Jim Allchin.
            Again, I think Microsoft was slow implementing security, they had to be. The number of apps that built up starting on win95 happened so fast it was nigh impossible for Microsoft to keep, or at that point really understand the impact the internet would have in terms of drawing crime. Apple and Linux only appear to have had this foresight, but neither really did. The security model in both is something that was inherited many years ago, before many OSS advocates were even born. You cannot give up all freedoms for security, or there would eventually be no point in computing, if its only purpose is a crime fighting tool. Like a free country, a computing platform has to weigh risks and strike a balance that allows its people/users to retain as much freedom as possible.
            xuniL_z
        • More FUD right xunil ! Still living in denial huh ?

          Get the facts and go here

          http://blogs.zdnet.com/hardware/?p=324


          We were wondering where all of you cock-a-roaches were .
          Intellihence
          • Looks like you are way off topic

            This is about vulnerabilities and bugs. OS X has more than Windows, what can I say. It's true. No exploits for OS X, I'm happy for you. I need an OS I can accomplish things with however, and that's Windows. What Adrian says in that article is untrue as well. I've never had to stop and wait for update before working on my Windows machine. Not once ever. He's making that up. Should I turn into a Rick_K or nomorebrains and start calling him a "2 bit hack" of a journalist and a liar and on and on like the cult of Apple loyalists do? Nah.
            But if he can prove when a Windows user ever cannot work directly upon startup, then he might have a truthful story. Otherwise it's nothing but an attempt to appease the out of control Apple zealots from George's story. Nothing more. He saw a need to get a mob of hateful lunatics under control, and he did his duty. Good job Adrian. Give OS X a glowing review and even a Mac zealot will temper his rage and insults and threats a bit from protecting his most precious love, OS X.
            xuniL_z
        • How's about market share?

          To me it looks like that hackers are not interested in Windows Vista since it does not have big market share.

          Why do they need to spend time on operating system that is virtually used by nobody?
          Solid Water
          • This is too funny!

            When that same argument is applied to Linux, you people go nuts saying it is irrelevant! It's nice to see logic taking over, now make the same argument when talking about XP vs linux!
            kodakmak
        • Except that:

          1. The Linux reports include [b]ALL[/b] apps, office, web servers, application servers, utilities and any other distro supplied package.

          Try that on any version of windows and let the hilarity ensue.

          2. OSS is a lot more honest about reporting vulnerabilities, I see three windows apps that I found, reported and received a patched update for their perspective vulnerability in not listed by their companies, which isn't helping their current customers at all.
          Suicida|
        • Do you work for MS?

          You must work for MS or someone that works for them. Do you write ad copy for
          them? Do you come up with cute jingles and phrases like "...the best is in town, and
          Vista is here to stay!!" If not, then what's wrong with you? My god, it's an OS, and
          you're being a cheerleader (cheerleaders usually aren't all that bright). "Yay! Yay"
          Vista Go!!!!" I don't get it.
          dolph0291
          • Yes

            Yes.
            He does.
            tomm174@...
    • Dude Vista hasn't been around long enough to even get a grade .

      5 years from now , I want you to compare Vista security versus Mac OS X security today . 90 days as opposed to 5 years and counting . You people are real idiots if you are jumping for joy . GET REAL !!! It's no wonder many hate Microsoft . You never state the truth , get the facts straight . Try going to these resources and see that you have been blinded from the truth .

      http://blogs.zdnet.com/hardware/?p=324

      Even the NSA is stating that Mac OS X is far more secure than anything available today . Read below

      http://blogs.zdnet.com/Apple/?p=469


      You shills really are delusional . Mikey (Mickey Mouse) being the worst .
      Intellihence