March 23, 2007
Microsoft security report card: passing grade for Vista
Microsoft researchers have published a new report which maintains that the company's Windows Vista software has proven more secure than other operating systems over the first 90 days of its availability, including open source products and Apple's Mac OS X.
Jeff Jones, security strategy director in Microsoft's Trustworthy Computing group, authored the report, which is posted on his blog. It compares Vista's relatively short security track record to the early performance of other desktop and thin-client platforms, including Mac OS X 10.4, Novell's SUSE Linux Enterprise Desktop 10, Red Hat Enterprise Linux 4 WS and Ubuntu 6.06 LTS.
The report also compares the number of vulnerabilities reported in Vista to security patches issued for Microsoft's own Windows XP software.
According to the missive, Microsoft observed only five individual security issues in Vista over the first 90 days of its life, and only one that has been addressed by the company in a security bulletin -- ironically related to a glitch in the software's new anti-malware engine.
The four additional problems have been isolated by security researchers, but not yet patched. Only one of those, related to an error in Vista's CSRSS/MessageBox feature, has been rated high-risk by the software giant.
In 2001, when Microsoft first shipped XP, there were three holes in its IE browser that the firm had already patched. The company fixed a total of 14 vulnerabilities over the first 90 days of its availability, and was aware of at least 4 additional issues that it had not yet addressed.
By comparison, when released in May 2005, Mac OS X 10.4, aka Tiger, had 10 vulnerabilities, with only four covered by patches from Apple during the initial 90 days of its life span, according to Jones' estimates. In all, he said that Apple fixed 20 vulnerabilities over the timeframe, with knowledge of an additional 17 that remained unpatched.
"Apple advertising conveys the message that Mac OS X does not have the same security issues that face other operating systems, but upon examining the first 90 days of their most recent release Tiger -- the data just doesn't support their marketing," Jones writes.
As for the open source crowd, the researcher highlighted Red Hat Enterprise Linux 4 WS, among others, which had 86 vulnerabilities disclosed prior to its general availability, with patches for 34 of those at the time of shipment. Over the first 90 days, Red Hat addressed 137 vulnerabilities in the platform and it still had another 64 publicly disclosed issues that it had yet to fix, Jones said.
Industry pundits are sure to find fault with some aspect of Jones' methodology and take the position that Microsoft tilted the tables in its favor to come up with attractive results, but the fact remains that there have not been many vulnerabilities discovered in Vista.
Yet.
Posted by Matt Hines on March 23, 2007 08:22 AM
