Windows Vista gets high marks for security, from Microsoft at least.

"I think that it's fair to say that Windows Vista is proving to be the most secure version of the Windows to date," said Austin Wilson, director in Microsoft's Windows client group, in a blog post on Wednesday. "Our investments in the SDL [Security Development Lifecycle] and our defense in depth approach to building Windows Vista seem to be paying off."

Windows Vista also exhibited fewer vulnerabilities than other operating systems over a one year period, according to a report published by Jeff Jones, security strategy director in Microsoft's Trustworthy Computing group. The report claims that there were 36 vulnerabilities fixed in Windows Vista during its first year, compared to 65 in Windows XP, 360 in Red Hat RHEL4 reduced, 224 in Ubuntu 6.06 LTS reduced, and 116 in Mac OS X 10.4, also known as Tiger.

"My analysis found that researchers found and disclosed significantly fewer vulnerabilities in Windows Vista than either it predecessor product, Windows XP, or other operating systems such as Red Hat Enterprise Linux, Ubuntu, and Apple Mac OS X 10.4," said Jones in his report.

Eric Schultze, chief technology officer of St. Paul, Minn.-based Shavlik Technologies, considers such metrics to be apples-to-oranges comparisons. "When you start counting vulnerabilities, it's a matter of defining vulnerabilities," he said. "For example, if a bulletin is released for Internet Explorer, that's one patch for IE. Microsoft may have broken it out to say there are five distinct issues fixed in this patch. Is that five vulnerabilities or is that one vulnerability because it's one patch?"

Setting aside questionable comparisons to other operating systems, Vista's superiority to its Windows ancestors may not seem particularly surprising or noteworthy. But Wilson makes the case that Vista's security features like User Account Control and Internet Explorer Protected Mode reduce the risk and severity of security vulnerabilities and give companies more time to deploy patches.

Wilson points out that Windows Vista makes it easier to run standard user accounts rather than administrative accounts, which are more dangerous when compromised. This, he says, diminishes the impact of vulnerabilities.

"Of the 23 security bulletins that have been released for Windows Vista through January 2008, 12 specifically call out a lower impact for those running without administrative privileges: MS07-033, 034, 040, 042, 045, 047, 048, 050, 057, 064, 068, and 069," explained Wilson. "This is a great illustration of the importance of User Account Control and why we included it in the product. It's also the reason I personally run as a standard user on every machine I use."

Wilson also singles out Internet Explorer Protected Mode as a reason that Vista is more secure than XP. Protected Mode in Vista prevents Internet Explorer 7 from altering user or system files, and various settings, without consent from the user. This diminishes the effectiveness of malicious Web sites, if the user is paying attention.

As evidence of the impact of Protected Mode, Wilson cites the MS07-056 security bulletin from October 2007. It was rated "Important" on Windows Vista and "Critical" on Windows XP. He also notes that IE 7 and Vista are blocking almost 1 million phishing attempts every week.