Jeff Jones (err Microsoft): Vista more secure than everything

Jeff Jones (err Microsoft): Vista more secure than everything

Summary: Microsoft's Jeff Jones is at it again with a report claiming that Vista is more secure than its predecessor--XP--and every other modern operating system out there.I know what you're going to say--Jones is a blowhard.


Microsoft's Jeff Jones is at it again with a report claiming that Vista is more secure than its predecessor--XP--and every other modern operating system out there.

I know what you're going to say--Jones is a blowhard. He says what Microsoft wants to say but doesn't so the company appears above the fray. Any number can be twisted. He's not exactly objective. In fact, I'm inclined to agree with you. But here's the report anyway. Why give Jones a podium since he's obviously pro-Microsoft? You can still learn from people that have an obvious stake in their analysis. To me it's no different than an analyst disclosing a position in a stock. As long as it's disclosed I'll give it a shot.

In a blog post, Jones, security strategy director in Microsoft's Trustworthy Computing group, provides the PDF report. It uses a one-year take since from Nov. 2006 to Nov. 2007 since that's when Vista shipped to business customers (whether these folks actually installed Vista is another argument entirely).

Some key takeaways:

Jones (previous reports) says Vista is more secure than XP and Microsoft has its patching act together. Jones writes: "The results of the analysis show that Windows Vista has an improved security vulnerability profile over its predecessor. Analysis of security updates also shows that Microsoft improvements to the security update process and development process have reduced the impact of security updates to Windows administrators significantly compared to its predecessor, Windows XP."

I'm inclined to agree with that--even though I'm still on XP. Whether Vista is more secure will be determined over time. But Microsoft has improved its security update process since XP's heyday.

The methodology and the metric dance. It sure would be swell if there were one uber metric to measure security. There isn't and Jones cops to that. He notes in his report:

If it was possible to measure "security" in one metric, it would have to encompass a complex combination of factors including (but not limited to) the software quality, administrative controls, physical controls, and much more - and even then, it would all be in the context of whatever security policy was defined for the systems in question. So, this is not an analysis of "the security". I don't look at protective mechanisms and see how they might protect in certain scenarios. Nor do I look at security features and see how they might enable better privacy or help secure business process. And I certainly don't look at how easy it is to manage the security policy for these products. Is there anything in this analysis which will prove one piece of software is "more secure" than another? No, that is not my intention.

Nevertheless, Jones gives you metrics measuring security. He uses a vulnerability analysis, tosses in some caveats and moves along with CVE counts. Jones' report oddly looks a lot like George Ou's report last month when he tried to compare IE and Firefox. And since most of you gave poor George hell I assume you'll disapprove of Jones' counts too.

Jones lets the charts do the talking on Windows vs. XP.

Windows XP vs. Vista.


And the event roundup comparing XP and Vista. Some of the patch events are due to a more regularly monthly update schedule.


After that warmup comes the OS comparisons. Jones compares Red Hat Enterprise Linux, Ubuntu and the Mac OS X 10.4. I'll provide the chart to keep it simple, but you should read through the actual analysis in the PDF. It's an interesting take even though you may beg to differ.




Topics: Operating Systems, Microsoft, Security, Software, Windows

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • More preaching to the converted

    MSFT has been trying to live down the insecure label for a long time. The periodic reappearance of articles like this is no real surprise. Just like the annual Suits Are Back articles fronted by the Men's Warehouse PR company. It's no real surprise they keep finding a way to trumpet the effort through press hits.

    I truly believe Vista security is better than XP. I also believe security threats are getting more sophisticated faster than MSFT is improving their security model. When Vista-- if Vista ever takes over as the dominant MS platform, you'll see more exploits for it.

    Comparisons of patched vulnerabilities is not a valid comparison. OSX and Linux have a different security paradigm that's baked into the kernel, not bolted on as an afterthought.

    A comparison I'd like to see are the numbers of actual compromised boxes in relation to their market share. That would be an enlightening comparison. I have never seen an actual compromised Apple. I'm sure they're out there, I've just never run across one. I haven't yet had any of my Linux boxes compromised. I know that's happened, just never seen one in person. But the number of Windows boxes I've cleaned and reinstalled...countless.
    • Why more microsoft computers get infected

      XP Security->Bolted on as an afterthought
      Vista Security->Baked into the Kernal

      Windows boxes get comprimised for a number of reasons. It is more cost effective to write malware for Windows computers as most people use them. The average LINUX/UNIX user is much more tech savvy than the average Windows user, and will probably pick up pretty quick on having a virus, plus they probably have stuff like firewalls enabled. The average Windows user often doesn't understand computer security, and will disable security settings to allow certain programs to run. Most programmers don't understand much about Macs, and as such don't really bother with Mac due to their low market share.
      • What metric should be used?

        To gauge security. It's clear counting vulnerabilities and patching isn't optimal. For those of you out there cleaning machines and in the field what's the metric or set of metrics we should use?

        I realize it's not an easy question, but I'd love to hear some ideas.
        Larry Dignan
        • For a start.

          How about compromised sytems per vulnerability. Yes I know the flaw there is that Windows would be a sure loser by reason of it's larger install base. So, maybe state it as a percentage of the installed base?

          What really makes this difficult is that a Windows user is a fool if they don't have some kind of virus protection enabled. That make any metric a measurement of not only Windows itself but the malware protection companies as well. Do I blame MS when Norton or McAfee fails? Maybe. Because a really secure OS shouldn't need them.
          • Can you say lawsuit?

            And what do you think would happen were MS to write an OS that made all the malware/virus writer's software obsolte? They'd be slapped with a lawsuit faster than you could blink. MS is in a very bad situation in that aspect and I really think people should consider that before making statements that "A really secure OS shouldn't need them".

            On a fully patched Vista machine how do you get infected? Social engineering. By tricking a stupid end-user into installing something they shouldn't. As simple as that. Far fewer Linux users would fall victim to that and Macs aren't cost effective to go after. At any rate, I recommend most people get an Internet Security Appliance and let it make the decisions. If your firewall blocks the virus than it doesn't matter what you agree to, same fore spyware. You can get a good one for 10 users under $400 now too.
        • Metrics

          I think that a metric describing an entire operating system is of little use. Most operating systems can be configured in countless ways, with vast differences in their level of security.

          I think a more useful metric would be one that describes the security of an individual implementation. Perhaps one that scans the network or pc in question and compares the number of vulnerabilities found in the implementation to the total number of vulnerabilities discovered for the operating system.
        • there should be no metric used

          A metric on what is most secure gives you a false sense of security so ignore them. They purely marketing tools and that's it.

          Security is about layers. So you could have a completely unsecured OS but if you have layered you security that will not be problem. The OS is just one small part of the big picture in terms of security.
          • its no different than a car company crash testing their vehicles

            there has to be some credibility given to MS. after all.. most of their employees could out-code most posters here no problem after all.
          • Being able to out-code ....

            ... means nothing. Any idiot can out-code an expert on lines of code that do nothing or contain a high % of error.

            The productivity of a person is not measured with the number of lines of code, but with the quality of the code they write. One person can write 5,000 lines of code a day and be unproductive, while another can write 100 lines of purely optimized code that provide the same function.

            They may out-code many here, but that does not mean that they can produce better quality code that the majority here. In fact, based on historical quality of their work, I would even say that I doubt they can.
          • Not at all

            A crash test is a standard test which can measure a lot of vulnerabilities. In software worl there is no single test that can measure security such as a crash test.
            pablo Dante
        • No effective way to use metrics

          There is absolutely no metrics of any kind that would give us an idea, and even if there were, there wouldn't be an effective way to use them. Just because something is secure doesn't mean it won't get attacked, and just because something's vulnerable doesn't mean it will. Not only that, but just because something has no vulnerabilities doesn't mean it's secure. Yes, if a vulnerability is found, it should be fixed, but often the vulnerabilities aren't found just by common use. People need to go out of their way to find the vulnerability, and the absence of evidence is not evidence of absence. You could've found thousands of vulnerabilities and patched them, but does that mean it's less secure than one that's been rarely patched? Nope. It just means less has been found so far. It just ends up being a game of catch-up either way, where the designers learn of a flaw or vulnerability someone found and then they try to fix it (in theory anyway...doesn't mean they will). The vulnerabilities still need fixed no matter how many or few there are.
        • I would like to see required user interaction...

          vs. non required user interaction.

          If I can prevent issues through knowing what not to do, I am less worried about the vulnerability. Vulnerabilities that can't be educated against scare me more.
        • Metrics

          All metrics will be flawed since measurement of security is subjective. You can never assess quantitatively the value of UAC in Vista or Apparmor or SELinux or Pax in Linux,.Similarly, you can not quantify the value of apt-get in Debian based distros or similar applications in other distros, you will only know that these make it very easy to patch and reduce the user-days-of-risk (which is the most important factor in most situations). Furthermore, user-days-of-risk varies from user to user. What actually should be measured is whether,given the mitigating factors available, you will have a fully functional box which is secure. And over here, you can acvtually assess the past record of the vendors. Giving a precise number to security is just like snake-oil.Functionality is of prime importance: I will do these and these things- Can I do it in both platforms or just one?, if I can do it in both, where can I be more secure?, If I can be secure in both, where is it easier to be more secure? And more cost-effective? These are the real world questions to answer, not some numbers comparing stones to fruits.
        • Well look at the actual # of exploits...

          and not the # of vulnerabilities found, this will show which is less secure.

          Now that being said everyone will say Windows is the biggest target and will be the one malware/virus writers attack, and this is a true statement, however that also makes it the least secure because it will have more malware/virus's written for it.
      • Show me a virus-infected Linux box run as user

        [i]The average LINUX/UNIX user is much more tech savvy than the average Windows user, and will probably pick up pretty quick on having a virus[/i]

        It's instantly obvious that you've never even used Linux. It's basically impossible for a modern Linux distro using the latest kernel to get ANY virus or malware infection while being run as user. Show me all the thousands of infected Linux boxes - where are they? You can't even show me one. In a lab, it's possible to infect some silly person running as root. But user-level in the wild? No way. It's not just security through obscurity - but actually a truly ROBUST OS.
        Don Collins
        • Not sure if this answers your question but ...

          For example several software made in PHP (e.g. XOOPS) have/had vulnerabilities that allow attackers to get into a web account and use it for spamming.

          OK, the Linux kernel was not infected, it's a flaw of the software in PHP, but the use of PHP in Windows for web servers is minuscule compared to that in GNU/Linux, so it's a GNU/Linux-related problem. At any rate, your exact question was:

          "Show me all the thousands of infected Linux boxes - where are they?"

          I do not know if there are thousands with those problems, but surely there are a lot, AND those Linux boxes were used for these illegal activities.
          • Ironically enough....

            .... there is an outbreak of Linux servers being "rooted" at the minute - maybe up 10,000 of them, but several hundred at a minimum. No one is clear how these compromises have occurred, but current suspicions fall on infected Windows PCs being used by server masters to update and control the servers. That would be ironic!

            So, there is an outbreak of hijacked Linux right now, and also, remember where the term "root kit" comes from - it does originate from the Windows ecosystem - rootkits came from Unix!

            More (slightly out of date) info here

          • Comprimized passwords...

            may be part of the problem according to the link you posted.

            It is impossible to secure poor user practices like easy passwords or writing your passwords down and leaving the paper on your desk.
          • No one really knows...

            ... at one point it appeared to be cPanel, then Apache was involved possibly through a compromised module. Unlike the low quality, second rate Windows hacks, this one appears to have been done properly.

            Ahhh.... Linux..... even the malware is [i]quality[/i] malware.....
          • is still do it sometimes

            but on page 50 of a book with a few characters before and after, on the back of a business card in my wallet, a note in my cellphone, and if, but rarely piece of paper on my desk (for a few days while i memorize it).

            but if the password is PaSSw0rDD123!... ill note it

            passwordd123 or something.. just enough so i can remember the real one.