A new report from Microsoft bases the claim on the 36 vulnerabilities fixed in Windows Vista during its first year, compared to the 65 found in Windows XP, but analysts remain skeptical.
Windows Vista gets high marks for security, from Microsoft at least.
"I think that it's fair to say that Windows Vista is proving to be the most secure version of the Windows to date," said Austin Wilson, director in Microsoft's Windows client group, in a blog post on Wednesday. "Our investments in the SDL [Security Development Lifecycle] and our defense in depth approach to building Windows Vista seem to be paying off."
Windows Vista also exhibited fewer vulnerabilities than other operating systems over a one year period, according to a report published by Jeff Jones, security strategy director in Microsoft's Trustworthy Computing group. The report claims that there were 36 vulnerabilities fixed in Windows Vista during its first year, compared to 65 in Windows XP, 360 in Red Hat RHEL4 reduced, 224 in Ubuntu 6.06 LTS reduced, and 116 in Mac OS X 10.4, also known as Tiger.
"My analysis found that researchers found and disclosed significantly fewer vulnerabilities in Windows Vista than either it predecessor product, Windows XP, or other operating systems such as Red Hat Enterprise Linux, Ubuntu, and Apple Mac OS X 10.4," said Jones in his report.
Eric Schultze, chief technology officer of St. Paul, Minn.-based Shavlik Technologies, considers such metrics to be apples-to-oranges comparisons. "When you start counting vulnerabilities, it's a matter of defining vulnerabilities," he said. "For example, if a bulletin is released for Internet Explorer, that's one patch for IE. Microsoft may have broken it out to say there are five distinct issues fixed in this patch. Is that five vulnerabilities or is that one vulnerability because it's one patch?"
Setting aside questionable comparisons to other operating systems, Vista's superiority to its Windows ancestors may not seem particularly surprising or noteworthy. But Wilson makes the case that Vista's security features like User Account Control and Internet Explorer Protected Mode reduce the risk and severity of security vulnerabilities and give companies more time to deploy patches.
Wilson points out that Windows Vista makes it easier to run standard user accounts rather than administrative accounts, which are more dangerous when compromised. This, he says, diminishes the impact of vulnerabilities.
"Of the 23 security bulletins that have been released for Windows Vista through January 2008, 12 specifically call out a lower impact for those running without administrative privileges: MS07-033, 034, 040, 042, 045, 047, 048, 050, 057, 064, 068, and 069," explained Wilson. "This is a great illustration of the importance of User Account Control and why we included it in the product. It's also the reason I personally run as a standard user on every machine I use."
Wilson also singles out Internet Explorer Protected Mode as a reason that Vista is more secure than XP. Protected Mode in Vista prevents Internet Explorer 7 from altering user or system files, and various settings, without consent from the user. This diminishes the effectiveness of malicious Web sites, if the user is paying attention.
As evidence of the impact of Protected Mode, Wilson cites the MS07-056 security bulletin from October 2007. It was rated "Important" on Windows Vista and "Critical" on Windows XP. He also notes that IE 7 and Vista are blocking almost 1 million phishing attempts every week.
[Interop ITX 2017] State Of DevOps ReportThe DevOps movement brings application development and infrastructure operations together to increase efficiency and deploy applications more quickly. But embracing DevOps means making significant cultural, organizational, and technological changes. This research report will examine how and why IT organizations are adopting DevOps methodologies, the effects on their staff and processes, and the tools they are utilizing for the best results.
2017 State of IT ReportIn today's technology-driven world, "innovation" has become a basic expectation. IT leaders are tasked with making technical magic, improving customer experience, and boosting the bottom line -- yet often without any increase to the IT budget. How are organizations striking the balance between new initiatives and cost control? Download our report to learn about the biggest challenges and how savvy IT executives are overcoming them.