Microsoft gave itself a collective pat on the back on Wednesday, releasing a report that showed that Windows Vista had far fewer flaws patched in the first year than the company's previous operating system, Windows XP.
The survey of vulnerabilities, dubbed the Windows Vista: One Year Vulnerability Report, found that Microsoft's latest operating system required 9 patches for 36 vulnerabilities in its first 12 months of business-user (corrected) availability. Microsoft's prior operating system, Windows XP, required 30 patches to fix 65 vulnerabilities in its first year.
The report also compared Vista's rate of patching and total vulnerability count to those of Red Hat Linux, Ubuntu Linux and Apple's Mac OS X, finding that the other operating systems had 360, 224, and 116 vulnerabilities patched in their respective software components in their first year of release. According to the report, a reduced set of installed components was used when counting for both Red Hat Linux and Ubuntu Linux.
The report's author, Microsoft Security Strategy Director Jeffrey R. Jones, stressed that the analysis is not an argument that Vista is more secure.
"This is not an analysis of 'the security'," Jones wrote in the report. "This report is a vulnerability analysis, which may provide some elements that could be part of a broader security analysis."
Microsoft's Windows Vista is the company's first consumer-focused operating system developed under the doctrines of its Trustworthy Computing Initiative. Released to business users in November 2006 and consumers in January 2007, Vista has incorporated software security features such as kernel patch protection, data-execution protection and address space layout randomization to make the operating system much harder to breach. Microsoft has also created its Secure Development Lifecycle process to detect and weed out common patterns of vulnerabilities.
Other groups in Microsoft pointed to the study as proof that the hundreds of millions of dollars that Microsoft has put into software security have paid off.
"Our job with security is never finished," Austin Wilson, a director in Microsoft's Windows client group, said in a blog post. "But, the focus we put on engineering for security, the backing of the world-class security response process delivered by the Microsoft Security Response Center, and the defense in depth approach of Windows Vista are showing real-world benefits for customers and that's something I take pride in."
CORRECTION: The original article gave the incorrect one-year period that Microsoft used to count flaws. The software giant started the clock when Vista became available to businesses in November 2006.
Posted by: Robert Lemos