Daily Archives: June 22, 2007

The Microsoft 6 month vulnerability report

In yet another play on numbers (not to mention another attempt to persuade consumers that Vista is the greatest thing since sliced bread), yesterday Microsoft released a report titled “Microsoft Vista Has Fewest Vulnerabilities at 6-Month Mark” (PDF), implying that Vista has turned out to be an exceptionally secure operating system (OS), much more secure than various versions of Linux, Mac OS X and Windows XP.

The report was written by Jeff Jones, the Security Strategy Director of the Microsoft Trustworthy Computing group (no, it’s not an oxymoron). He writes that in Vista’s first 6 months (remember, it was released to businesses on November 30, 2006), 12 out of 27 disclosed vulnerabilities were patched. For Windows XP, 36 out of 39 disclosed vulnerabilities were patched in the same time frame. I don’t mention the Linux or OS X vulnerabilities because they’re not important, nor should they be compared to Windows. Those are entirely separate entities.

“In all four cases studied for the 6 month period after ship, Windows Vista appears to have a lower vulnerability fix and disclosure rate than other products analyzed, including the reduced Linux installations. This affirms the early results we found after 90 days and provides a supporting indicator that Microsoft Security Development Lifecycle process and heightened focus on security is having a positive impact on Microsoft Windows in terms of fewer vulnerabilities” writes Jones.

Several analysts and news writers / bloggers aren’t buying it. For that matter, I’m not either. Several online media outlets are reporting that Microsoft is better at patching XP than Vista (if you look at the numbers in his report, it’s easy to see it that way, but apparently he didn’t notice that). The report also neglects to mention that one of the primary reasons there are “fewer vulnerabilities” is that far fewer people are using Vista. In reality, the report is, for the most part, meaningless. If and when more people start using Vista, more hackers will be looking at it too, and in all probability it will be hit with some major vulnerabilities.
