Microsoft Says Vista Has the Fewest Flaws

Posted by samzenpus on Thu Jan 24, 2008 01:45 AM
from the eye-of-the-beholder dept.
ancientribe writes "Microsoft issued a year-one security report on its Windows Vista operating system today, and it turns out Vista logged fewer than half the vulnerabilities that Windows XP did in its first year. According to the new Microsoft report, Vista also had fewer vulnerabilities in its first year than other OSes — including Red Hat rhel4ws, Ubuntu 6.06 LTS, and Apple Mac OS X 10.4 — did in their first years."
This discussion has been archived. No new comments can be posted.
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • by Nefarious Wheel (628136) * <nefariouswheel AT gmail DOT com> on Thursday January 24 2008, @01:49AM (#22163666) Journal
    Is this via support calls or just little modal dialog boxes that people are tired of clicking "send" on? Or are they filtering out things they've already encountered in XP? Statistics are a great aid to the common lie.
  • by Niten (201835) on Thursday January 24 2008, @01:54AM (#22163710) Homepage

    For the last time, you just can't add up the number of vulnerabilities in separate products from different authors and expect to glean any meaningful information from numerology thereon. This is especially true when contrasting one closed-source product from a vendor with questionable security reporting practices (say, Windows), and an open-source product where every single flaw of any level of significance is public knowledge (say, Ubuntu Linux).

    I'm tired of seeing such claims about vulnerability tallies parroted in Slashdot summaries without the least bit of skepticism regarding their relevance. This sort of thing has already been debunked a million times over on this site. Come on, editors, a little quality control would be nice...

  • by rubicon7 (51782) on Thursday January 24 2008, @01:54AM (#22163712)
    - because it seems nobody's actually using it.

    In related news, BeOS showed few vulnerabilities this year...
  • by Zymergy (803632) * on Thursday January 24 2008, @01:55AM (#22163718)
    Could the reason there are fewer exploits in the first year of Vista (versus XP) be due to the fact that it has a reluctant adoption rate by users and the OS exploiters are likely focusing their efforts on current Operating Systems that are more stable, known, and in higher use?
    Give it time...
    Besides, now that Microsoft has set 2009 for the new "Windows 7" release target date, it seems that Vista may be the new short-lived 'Windows Me'.
  • by edwardpickman (965122) on Thursday January 24 2008, @01:56AM (#22163732)
    Click to launch Word.

    "Denied"

    Copy file

    "Denied"

    Launch Firefox

    "Denied"

    Verdict OS completely secure.
  • by arotenbe (1203922) on Thursday January 24 2008, @02:08AM (#22163808) Journal
    I think that is a silly measure of bugginess. Not only does the number of flaws reported being less reflect lower usage of Vista, it also likely says that the reporting system is difficult to work with. If anything, I think the fact that the non-Windows systems have a higher number of flaws reported indicates that they have easier-to-use bug reporting systems. The correct way to measure statistics on things like this is either to have a third party subject them to a standardized battery of tests (indicating actual security levels) or to measure the ratio of bugs fixed to total bugs reported (indicating the development team's ability to correct reported flaws quickly).
  • by LingNoi (1066278) on Thursday January 24 2008, @02:24AM (#22163916)
    From the PDF [technet.com]

    Page 12 - Windows Vista Fixed 36 vulnerabilities
    Page 14 - Ubuntu fixed 406 vulnerabilities affecting Ubuntu 6.06 LTS.

    Look how many Vista has left to find!!
  • Statistics (Score:5, Insightful)

    by wannabgeek (323414) on Thursday January 24 2008, @02:26AM (#22163920)
    Reminds me of a quote - "Statistics are like humans. Torture them enough and you can make them admit anything you want".
  • by ryanisflyboy (202507) * on Thursday January 24 2008, @02:34AM (#22163958) Homepage Journal
    You know it's bad when not even the script kiddies wanna get their paws on it.
  • Only 1 Flaw (Score:5, Funny)

    by Barumpus (145412) on Thursday January 24 2008, @04:25AM (#22164482)
    And that 1 flaw was actually putting Vista on the market.
    • mod parent up (Score:5, Insightful)

      by mattwarden (699984) on Thursday January 24 2008, @01:53AM (#22163708) Homepage
      Parent has it exactly right. This is likely another statistical half-truth. Tell us % of users reporting flaws and let's compare that to XP's first year.
    • by Anonymous Coward on Thursday January 24 2008, @02:07AM (#22163802)
      Time for a game of /. Confession...

      I've been using Vista x64 for about two months now on a Dell m1330 with 4GB of RAM. There's more NON-security bugs than I could shake a stick at. Bluetooth has multiple "Hi, I've stopped working and you're screwed till a reboot" bugs, and they seem largely related to a bigger bug Vista has in failing to handle shutting drivers down when suspending in such a way that they wake up when you wake up the laptop. So it occasionally affects LAN, Wifi, etc...

      The interface has more glitches than I can count, Aero is TREMENDOUSLY slow compared to the usual 2D accelerated display (a disappointment since compiz is FASTER than 2D acceleration), and these are just the issues I can remember. I know I've hit more, but I can't recall them right now. I've not gone looking for security bugs, but I'd bet the only "security" part that's near bug free is the one that handles the DRM and anti-piracy functions. I've no doubt from the rest of the experience that the part that secures me and my data is full of holes.

      I'm actually kinda worried what will pop up once they start getting more users on it after SP1 comes out. Good thing I never use IE, refuse to use Outlook, and never directly connect to the internet with Windows. ;-)
      • by techno-vampire (666512) on Thursday January 24 2008, @02:20AM (#22163894) Homepage
        It's not just Bluetooth that dies. I have a friend with a large LAN at home. One (and only one) of the machines has Windows iCandy on it. It occasionally decides that one of the other machines has dropped off the LAN even though all other machines can see it and connect to it. When that happens, the only recourse is a reboot. Not only that, it will sometimes "decide" that it can't connect to another machine until a reboot even though it admits it's there. Weird, really, but there it is.
      • by 1u3hr (530656) on Thursday January 24 2008, @04:29AM (#22164508)
        Slashdotters have maintained for years ....

        Some people have posted this on Slashdot. To maintain that there is a single "Slashdotter" point of view is just a straw man. For ANY point of view you can find hundreds of posts by "Slashdotters" supporting OR contradicting it.

        MY PERSONAL point of view is that the statistics presented are suspicious. Previous MS press releases (aka "independent reports") have counted the same error multiple times, have counted bugs in applications bundled with Linux against OS bugs in Windows, etc.

    • by FurryWhale (1193405) on Thursday January 24 2008, @03:21AM (#22164174)

      Most Linux distros have a lot more software and contain more lines of code than Windows. Therefore, you'd expect more flaws in something like Ubuntu or RHEL.

      The report is available here [technet.com], and states that the comparison specifically excludes components from Red Hat such as server components, gimp, OpenOffice, etc:

      Red Hat and other Linux distribution vendors add value to their workstation distributions by including and supporting many applications that don't have a comparable component on a Microsoft Windows operating system. It is a common objection to any Windows and Linux comparison that counting the "optional" applications against the Linux distribution is unfair, so I've completed an extra level of analysis to exclude component vulnerabilities that do not have comparable functionality shipping with a Windows OS. In short, I install a rhel4ws computer and: I excluded any component that is not installed by default, which includes all optional "server" components that ship with rhel4ws. I additionally excluded text-internet, graphics (the gimp stuff) and office (OpenOffice) and Development Tools (gcc, etc) installation groups. I used the rpm command to list out all packages that get installed and used that package list to filter vulnerabilities for inclusion. This process results in a Gnome-windows workstation that includes standard system management tools, Firefox for browsing, sound and video support, but excludes all server packages, as well as OpenOffice and other optional stuff that a Windows system wouldn't have by default.

      It'd be nice if it listed the exact components installed on Red Hat, but at least it attempts to cull the component set to something more reasonable for comparison.

      • by djcapelis (587616) on Thursday January 24 2008, @02:33AM (#22163954) Homepage
        I think the GP wasn't talking about the kernels. Linux distros simply distribute much much more software than comes with your average proprietary OS.

        Most will issue a security advisory when there's a bug in apache, mysql, postgres, sqlite or all of these types of things. Microsoft doesn't issue an advisory about a bug in Oracle. On Linux, the distros take responsibility for a much much wider range of software than Microsoft does on their platforms.
    • Re:Bad metric (Score:5, Interesting)

      by TheNetAvenger (624455) on Thursday January 24 2008, @02:59AM (#22164100)
      and no one is using Vista, it's natural that it'd have the fewest reported flaws. :)

      That sounds great until you realize that even by the most conservative estimates, more people are ALREADY using Vista than are using all versions of OS X and System 9 combined. Even if you throw in all the *nixes combined, there are still more Vista users.

      Vista also automatically drops reports of problems directly to Microsoft, and isn't dependent on users to supply bug reports or problems like OS X, so when problems occur, MS usually knows before the users or the makers of the software that is causing problems.

      So ya, nobody is using Vista, in comparison to XP that is. However compared to the SlashDot and Mac industry, Vista is a massive OS deployment, let's hope OS X can catch up to Vista someday... (Geesh)

      Oh, and I love the argument, that Vista was preinstalled and 'forced' on users. Strangely, the people that purchased these systems and rolled back to XP are 90% documented, and aren't counted as Vista installs.

      And this is not any different than the people that purchased new Macs and had to have 10.4 installed because of the application compatibility problems with Leopard. (Which ironically has more compatibility and application problems than Vista, and yet only supports 1/1000th the software or hardware.) (Geesh Again)
      • Re:Bad metric (Score:5, Informative)

        by nguy (1207026) on Thursday January 24 2008, @04:15AM (#22164432)
        Vista also automatically drops reports of problems directly to Microsoft, and isn't dependent on users to supply bug reports or problems like OS X, so when problems occur, MS usually knows before the users or the makers of the software that is causing problems.

        Security problems are not bugs that an automatic bug reporter reports. Neither, for that matter, can automatic bug reporters report usability problems. You're also making the false assumption that Microsoft honestly reports all the bugs they discover. For most of the reports, they probably don't even bother tracking it down. For the ones that they do track down, we already know that if they can fix it quietly and lie about it, they do.

        For me, Vista is about as good as XP in terms of applications crashing and BSOD. But Vista usability and security are a nightmare, and no bug statistics are going to tell you that. Vista is a software disaster.
    • Kudos to Microsoft (Score:5, Interesting)

      by totally bogus dude (1040246) on Thursday January 24 2008, @04:05AM (#22164386)

      I wasn't exactly expecting a flood of praise for Microsoft on slashdot, but you're completely spot on. Not one of the posts seems to be non-critical. We (as in, "people who know anything about computers") have been begging Microsoft to design their products with security in mind for a long long time now - rather than their usual practice of making grandiose statements about how security is job #1 and turning out the same old schlock as always.

      With Vista, they actually seem to have done this. Even though they've added a lot of crap nobody wanted along with the crap that some people wanted, they've managed to do it without introducing loads of security problems. Remember, this is a mainstream product from a commercial software company where everything is subject to a cost/benefit analysis.

      So it seems that the cost/benefit analysis has actually come down in favour of writing safer code even though it probably takes longer. This is great news for everybody who has to, in one way or another, deal with the problems caused by exploited PCs.