One year later, Vista really is more secure

Windows Vista was released to manufacturing a year ago next week, and landed on retail shelves exactly nine months ago today. At the time, Vista head honcho Jim Allchin predicted that the number of security patches required for this version of Windows would go way down compared to its predecessor. So, was he right?

Windows Vista was released to manufacturing a year ago next week, and landed on retail shelves exactly nine months ago today. To mark the occasion, I dragged a system out of mothballs and installed the original RTM version of Vista Ultimate on it. (Well, OK, I also needed a test bed for some upcoming work, but still...)

Anyway, I was surprised to see that the automatic update process picked up only 35 updates totaling 93.9 MB in size. That's an average of fewer than four updates per month. And the number drops to fewer than three per month if you start counting with the original release-to-manufacturing date, which will mark its one-year anniversary next week.

Jim Allchin, who led the Vista development and launch, is probably feeling at least somewhat vindicated today. After all, he predicted in an interview with PC World that patch counts would go way down with Vista:

"In my opinion, it's the most secure system that's available and the most secure system we have shipped," he said. This means the number and severity of security updates Microsoft must release every month on Patch Tuesday, the name security researchers have given for when Microsoft releases its monthly security patches, should be reduced, Allchin said.

"That can be proven," he said of his patch prediction. "We will see about that."

The lineup of patches for October 2007 offers some instructive examples. MS07-055 was a Critical update for Windows XP SP2 but didn't apply at all to Vista. MS07-056 was rated Critical for XP SP2 but only Important for Vista. (For an explanation of how Microsoft assigns the Critical and Important severity ratings, see this page.)

And those 35 patches weren't all security-related, either. Some were reliability and compatibility fixes. There are updates to the Windows Mail Junk Mail filters, and in the case of this system at least one driver update. So how does Vista measure up to its predecessor if you filter out all but security updates? Out of curiosity, I went to the Microsoft Security Bulletin Search page and looked for Critical and Important bulletins issued in the past year. (These are bulletin counts, not vulnerability counts; a single bulletin frequently closes several individual flaws, so both totals understate the number of vulnerabilities fixed.) Here are the results:

  • Windows XP with SP2: 41
  • Windows Vista: 14
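If you want to reproduce the tally above on your own freshly installed box rather than counting by hand, the Windows Update Agent exposes the same list through its COM API. The script below is an added example and is not code from the original post or from Microsoft; it assumes an elevated PowerShell session (2.0-era syntax, so it runs on Vista) with access to Microsoft Update, and the `$MonthsSinceRelease` parameter is the editor's own knob, not anything the post defines. It totals the pending updates and their download size, computes the per-month rate, breaks the list down by Windows Update category (Security Updates, Drivers, Definition Updates, and so on), and then keeps only the security updates with their MSRC severity and bulletin IDs, which is the filter the post applies manually through the Security Bulletin Search page.

```powershell
# Added example, not from the original post: reproduce the "how many updates,
# how big, how many are security fixes" count via the Windows Update Agent
# COM API (Microsoft.Update.Session). Run elevated; needs network access to
# Microsoft Update. $MonthsSinceRelease is an assumed editor-supplied parameter.
param(
    [int]$MonthsSinceRelease = 9   # retail-availability window used in the post
)

$session  = New-Object -ComObject 'Microsoft.Update.Session'
$searcher = $session.CreateUpdateSearcher()

# Every update that applies to this machine and is not yet installed.
$result  = $searcher.Search('IsInstalled=0')
$updates = @($result.Updates)

# Raw count, total download size and updates-per-month, as in the post.
$totalMB = ($updates | Measure-Object -Property MaxDownloadSize -Sum).Sum / 1MB
"{0} applicable updates, {1:N1} MB total" -f $updates.Count, $totalMB
"{0:N1} updates per month over {1} months" -f ($updates.Count / $MonthsSinceRelease), $MonthsSinceRelease

# Break the list down by WU category so non-security items (drivers, junk mail
# filter definitions, reliability rollups) can be separated from security fixes.
$updates | ForEach-Object {
    $u = $_
    @($u.Categories) | ForEach-Object {
        New-Object PSObject -Property @{ Category = $_.Name; Title = $u.Title }
    }
} | Group-Object Category | Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize

# Keep only updates in the "Security Updates" category and show severity,
# bulletin IDs and KB numbers. Non-security updates carry an empty MsrcSeverity.
$security = $updates | Where-Object {
    @($_.Categories | ForEach-Object { $_.Name }) -contains 'Security Updates'
}
$security |
    Select-Object @{n='Severity';  e={ $_.MsrcSeverity }},
                  @{n='Bulletins'; e={ @($_.SecurityBulletinIDs) -join ',' }},
                  @{n='KB';        e={ @($_.KBArticleIDs) -join ',' }},
                  Title |
    Sort-Object Severity | Format-Table -AutoSize

# The figure the post compares across XP SP2 and Vista: Critical + Important.
$critImp = @($security | Where-Object { 'Critical','Important' -contains $_.MsrcSeverity })
"Critical/Important security updates pending: {0}" -f $critImp.Count
```

Two things to keep in mind when reading the output: `Search('IsInstalled=0')` only lists what Windows Update considers applicable to this particular machine (a missing component or driver simply never shows up), and the severity shown is the one Microsoft assigned for this platform, which is how a bulletin can appear as Critical on XP SP2 but Important on Vista.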

That's almost as thorough a drubbing as the Patriots gave the Redskins last weekend. Microsoft has taken a lot of flak for Vista, but these results, in my opinion, validate the Security Development Lifecycle process, which was and is at the core of Vista's design and evolution.