Microsoft Security IT

Microsoft Says Vista Has the Fewest Flaws

ancientribe writes "Microsoft issued a year-one security report on its Windows Vista operating system today, and it turns out Vista logged fewer than half the vulnerabilities that Windows XP did in its first year. According to the new Microsoft report, Vista also had fewer vulnerabilities in its first year than other OSes — including Red Hat rhel4ws, Ubuntu 6.06 LTS, and Apple Mac OS X 10.4 — did in their first years."

  • by ameyer17 ( 935373 ) on Thursday January 24, 2008 @01:50AM (#22163674) Homepage
    Most Linux distros have a lot more software and contain more lines of code than Windows. Therefore, you'd expect more flaws in something like Ubuntu or RHEL.
  • by dch24 ( 904899 ) on Thursday January 24, 2008 @02:05AM (#22163780) Journal
    Excellent point. Although other debates [oreilly.com] have questioned Microsoft's numbers, if there are really 20 million [microsoft.com] installs (plus further installs since then) in use out there, hackers might begin to take a look.

    But to paraphrase the Drake equation [wikipedia.org], of the total Vista installs, how many have been hit by crackers? How many of those were honeypots, caught by virus scanners, or otherwise detected? How many exploits found by crackers have been used in highly targeted attacks and kept secret?

    All I can think of is the remote TCP/IP exploit [microsoft.com]. As some of you may recall, that exploit existed in all versions of Windows. And Vista supposedly has a "completely rewritten TCP/IP stack" (source [microsoft.com]).

    "I have a bad feeling about this."
  • by Anonymous Coward on Thursday January 24, 2008 @02:07AM (#22163802)
    Time for a game of /. Confession...

    I've been using Vista x64 for about two months now on a Dell m1330 with 4GB of RAM. There's more NON-security bugs than I could shake a stick at. Bluetooth has multiple "Hi, I've stopped working and you're screwed till a reboot" bugs, and they seem largely related to a bigger bug Vista has in failing to handle shutting drivers down when suspending in such a way that they wake up when you wake up the laptop. So it occasionally affects LAN, Wifi, etc...

    The interface has more glitches than I can count, Aero is TREMENDOUSLY slow compared to the usual 2D accelerated display (a disappointment since compiz is FASTER than 2D acceleration), and these are just the issues I can remember. I know I've hit more, but I can't recall them right now. I've not gone looking for security bugs, but I'd bet the only "security" part that's near bug free is the one that handles the DRM and anti-piracy functions. I've no doubt from the rest of the experience that the part that secures me and my data is full of holes.

    I'm actually kinda worried what will pop up once they start getting more users on it after SP1 comes out. Good thing I never use IE, refuse to use Outlook, and never directly connect to the internet with Windows. ;-)
  • Bravo! (Score:3, Interesting)

    by Plutonite ( 999141 ) on Thursday January 24, 2008 @02:16AM (#22163856)
    Remember ladies, this is what George W. Bush's go-away speech is going to be like. Don't be too scathing. Let them have their moment.

    Windows 7 announcement in 3..2..1
  • by timmarhy ( 659436 ) on Thursday January 24, 2008 @02:19AM (#22163880)
    how many people who run linux do you think are stupid enough to buy vista then uninstall it? why does everyone pretend the white box market doesn't exist?
  • by techno-vampire ( 666512 ) on Thursday January 24, 2008 @02:20AM (#22163894) Homepage
    It's not just Bluetooth that dies. I have a friend with a large LAN at home. One (and only one) of the machines has Windows iCandy on it. It occasionally decides that one of the other machines has dropped off the LAN even though all other machines can see it and connect to it. When that happens, the only recourse is a reboot. Not only that, it will sometimes "decide" that it can't connect to another machine until a reboot even though it admits it's there. Weird, really, but there it is.
  • Nobody uses Vista? (Score:4, Interesting)

    by Coolhand2120 ( 1001761 ) on Thursday January 24, 2008 @02:42AM (#22164022)
    SO. Nobody uses Vista in comparison to OS X or Linux? ouch [hitslink.com], looks like a whole magnitude of people use Vista over OS X or Linux. According to this link, if you took all the Linux and Apple users and put them into a single group, it STILL wouldn't be as many people who are using Vista by a good size chunk (let alone XP), so let's not repeat that lie again.

    I don't mind people being critical of anything, but please be honest in your critique. And whatever you do don't use Apple as an example of "the way things should be".

    I'm sure this will be tagged flamebait or troll. That's kind of ironic when I'm replying to all these guys tagged 'informative' who say "Nobody uses Vista" when they are obviously providing false information. If pointing out a blatant lie makes me a troll so be it.
  • Re:Bad metric (Score:5, Interesting)

    by TheNetAvenger ( 624455 ) on Thursday January 24, 2008 @02:59AM (#22164100)
    and no one is using Vista, it's natural that it'd have the fewest reported flaws. :)

    That sounds great until you realize that even by the most conservative estimates, more people are ALREADY using Vista than are using all versions of OS X and System 9 combined. Even if you throw in all the *nixes combined, there are still more Vista users.

    Vista also automatically drops reports of problems directly to Microsoft, and isn't dependent on users to supply bug reports or problems like OS X, so when problems occur, MS usually knows before the users or the makers of the software that is causing problems.

    So ya, nobody is using Vista, in comparison to XP that is. However compared to the SlashDot and Mac industry, Vista is a massive OS deployment, let's hope OS X can catch up to Vista someday... (Geesh)

    Oh, and I love the argument, that Vista was preinstalled and 'forced' on users. Strangely, the people that purchased these systems and rolled back to XP are 90% documented, and aren't counted as Vista installs.

    And this is not any different than the people that purchased new Macs and had to have 10.4 installed because of the application compatibility problems with Leopard. (Which ironically has more compatibility and application problems than Vista, and yet only supports 1/1000th the software or hardware.) (Geesh Again)
  • by kb0hae ( 956598 ) on Thursday January 24, 2008 @03:26AM (#22164204)
    They are talking about security flaws. Other types of flaws? Let's start with the built-in DRM, the extremely annoying UAC prompts, the HUGE amount of software that ran fine with XP that doesn't run with Vista, the HUGE amount of system resources needed to get decent performance... Well, that's enough to start with...

    If electricity comes from electrons, does morality come from morons?
  • by xehonk ( 930376 ) on Thursday January 24, 2008 @03:37AM (#22164252)
    If you would have bothered to read the article, the author did spend some time making sure that no server components like apache or mysql were installed. Although there probably were more programs on the linux installs anyway.
  • by wizardforce ( 1005805 ) on Thursday January 24, 2008 @03:56AM (#22164340) Journal
    yes and the nice little bar graph on page 16 entitled "side by side comparison" shows that although there were more bugs found in other OSes, Vista had about the same number of un-patched vulnerabilities as XP, while Ubuntu Linux had the fewest out of the OSes examined. funny how all of this was spun to make it look like MS somehow managed to have a more secure OS isn't it?
  • Kudos to Microsoft (Score:5, Interesting)

    by totally bogus dude ( 1040246 ) on Thursday January 24, 2008 @04:05AM (#22164386)

    I wasn't exactly expecting a flood of praise for Microsoft on slashdot, but you're completely spot on. Not one of the posts seems to be non-critical. We (as in, "people who know anything about computers") have been begging Microsoft to design their products with security in mind for a long long time now - rather than their usual practice of making grandiose statements about how security is job #1 and turning out the same old schlock as always.

    With Vista, they actually seem to have done this. Even though they've added a lot of crap nobody wanted along with the crap that some people wanted, they've managed to do it without introducing loads of security problems. Remember, this is a mainstream product from a commercial software company where everything is subject to a cost/benefit analysis.

    So it seems that the cost/benefit analysis has actually come down in favour of writing safer code even though it probably takes longer. This is great news for everybody who has to, in one way or another, deal with the problems caused by exploited PCs.

  • by pc486 ( 86611 ) on Thursday January 24, 2008 @04:31AM (#22164520) Homepage
    From Jeff Jones' report:

    Q: Linux distros contain many more optional applications than Windows - that is Apples and Oranges - how can any comparison be valid?

    Actually, Windows Vista and Windows XP have different components too. Windows Vista Ultimate includes Media Center for example, which was not in Windows XP Professional. From a user perspective, I think it is Apples and Apples. Whichever OS is chosen, I believe most people will install the default set of components and use that. If vulnerabilities are in those components, they will be exposed and need to take mitigating action.

    I did, however, try to even the playing field as much as possible by excluding optional Linux-distro components and excluding even some default components for which there is no obvious counterpart. In contrast, on the Windows analysis, I included any component that shipped with the product. I think the comparison is valid and useful.


    From my basic CentOS 4 system:
    $ rpm -q -a | wc -l
    1104

    Even on a (stupid) vulnerability count, even with a reduced package setup, the number of packages on a RHEL/CentOS system dwarfs the number of programs that come with Windows. You can't even compare against Jeff's Windows numbers because he looks into how critical each vulnerability is on Windows (good) but not on any Linux setup (bad). If the real concern is user exposure, then vulnerabilities in all packages makes sense, but only if you count vulnerabilities in common Windows packages too, like Acrobat Reader, Photoshop, Office, and even games like WoW.

    My biggest beef is that Jeff fails to include his compiled vulnerability database. Even though he writes on his methodology and sources, there is no way to easily verify his claims. This is the 21st century and there's something called the Internet. There's no excuse to not provide the raw data, and I certainly don't have enough interest to make guesses and recreate the data for such a flawed analysis anyway.

    Next time at least provide a list of analyzed RPMs and DEBs!
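The thread above argues over three different ways of scoring the same vulnerability list: the raw count, a count that excludes optional distro components (xehonk, pc486), a severity-weighted count (pc486), and the number left unpatched (wizardforce). The following is an added example, not code from the report or from any poster, that runs those metrics over a small constructed dataset; the records, the severity scale and the OS labels are made up for illustration and are not figures from Jeff Jones' report.

```python
"""Why a raw vulnerability count is a weak comparison metric.

Added illustration with a constructed (made-up) vulnerability list; the
records and the severity scale are assumptions for this example and are
NOT numbers taken from the Microsoft report discussed in the thread.
Each record: (os, component, severity, patched, optional_component).
"""
from collections import defaultdict

# Assumed severity scale: Critical=4, Important=3, Moderate=2, Low=1.
SEVERITY_WEIGHT = {"critical": 4, "important": 3, "moderate": 2, "low": 1}

# Constructed sample data: one entry per published vulnerability.
# "distro" stands for a generic Linux distribution in this example.
SAMPLE_VULNS = [
    # os,      component, severity,    patched, optional
    ("vista",  "kernel",  "critical",  False,   False),
    ("vista",  "browser", "critical",  True,    False),
    ("vista",  "media",   "moderate",  False,   False),
    ("vista",  "shell",   "low",       True,    False),
    ("distro", "kernel",  "important", True,    False),
    ("distro", "libc",    "critical",  True,    False),
    ("distro", "apache",  "important", True,    True),
    ("distro", "mysql",   "moderate",  True,    True),
    ("distro", "gimp",    "low",       True,    True),
    ("distro", "xorg",    "moderate",  True,    False),
    ("distro", "cups",    "low",       False,   False),
]


def _selected(vulns, include_optional):
    """Yield records, dropping optional components when asked to."""
    for rec in vulns:
        if rec[4] and not include_optional:
            continue
        yield rec


def raw_count(vulns, include_optional=True):
    """Number of published vulnerabilities per OS (the headline metric)."""
    counts = defaultdict(int)
    for os_name, *_ in _selected(vulns, include_optional):
        counts[os_name] += 1
    return dict(counts)


def weighted_count(vulns, include_optional=True):
    """Severity-weighted total per OS; rewards fixing the bad bugs, not the many."""
    totals = defaultdict(int)
    for os_name, _, sev, _, _ in _selected(vulns, include_optional):
        totals[os_name] += SEVERITY_WEIGHT[sev]
    return dict(totals)


def unpatched_count(vulns, include_optional=True):
    """Vulnerabilities still open per OS; closest to what a user is exposed to."""
    counts = defaultdict(int)
    for os_name, _, _, patched, _ in _selected(vulns, include_optional):
        if not patched:
            counts[os_name] += 1
    return dict(counts)


def compare(vulns):
    """Run every metric so the reader can see the ranking change."""
    return {
        "raw_all": raw_count(vulns),
        "raw_core_only": raw_count(vulns, include_optional=False),
        "weighted_core_only": weighted_count(vulns, include_optional=False),
        "unpatched": unpatched_count(vulns),
    }


if __name__ == "__main__":
    for metric, per_os in compare(SAMPLE_VULNS).items():
        print(f"{metric:20s} {per_os}")
```

On the constructed data the raw count favours Vista (4 against 7), dropping the optional packages ties the two at 4, the severity-weighted core count flips the order (11 against 10), and the unpatched count flips it again (2 open against 1). The dataset is invented, so none of those numbers say anything about the real products; the point is only that which OS "wins" depends on the metric chosen, which is exactly the argument being made in the comments.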
  • Re:bullshit (Score:4, Interesting)

    by nguy ( 1207026 ) on Thursday January 24, 2008 @04:52AM (#22164610)
    Yes, you are right. Let's all use your recommended method for inferring user base. Oh wait...

    My recommended method is no method at all: there is no simple, reliable way of determining user base for operating systems. Even the concept is meaningless.

    For example, there probably have been more Linux-based routers (like the WRT54G) sold than Mac desktops and laptops; does that mean Linux has a bigger user base?
  • by moosesocks ( 264553 ) on Thursday January 24, 2008 @05:23AM (#22164718) Homepage
    Also note, that (somewhat hypocritically) all versions of Windows prior to Vista borrow quite a bit of their networking code from BSD.

    Go grep the executables. You'll find the standard BSD copyright notice inside.
  • by notaspunkymonkey ( 984275 ) on Thursday January 24, 2008 @05:28AM (#22164736)
    Unfortunately computer nerds do not make up the majority of computer users in the world. Your average family with a computer does not have a geek living there to suggest that they don't bother buying their PC from PC World, they build one and install Linux instead - they pop out to the nearest aircraft-hangar-sized computer shop and buy an over-spec'd super computer to play Sims and surf Facebook. These computers come with Vista / XP because that is what they use at work / school etc.

    I know plenty of people who run Vista at home, I use it at work (I am managing our Vista Trial) but at home I stay XP for the family machine and Fedora for my laptop.. Vista hates old hardware but runs well assuming you have a decent spec machine - but I agree with the bluetooth bug reported above - that drives me insane.. I wouldn't mind but I barely use it - and it still warns me it's not installed properly every day..

    In case you're wondering - no we are not rolling out Vista to our enterprise any time soon..
  • by Bert64 ( 520050 ) <bert AT slashdot DOT firenzee DOT com> on Thursday January 24, 2008 @06:05AM (#22164862) Homepage
    Backwards compatibility going out the window is actually a good thing...
    Microsoft never had a proper overall design for windows, and it shows... Early versions were simply hacked together in completely haphazard ways, things were built quickly with no forethought. As a consequence, there is lots of kludgy legacy code kept around for backwards compatibility, including many duplications where an old method was considered fundamentally flawed and unfixable, and discouraged from being used by new apps, but is still kept around for backwards compatibility, one such example is the lanman password hashing.

    If they completely ditch backwards compatibility, they could remove all this old cruft and start again with a proper clean design, but as usual they're taking a half-assed poorly thought out approach.
  • Ahhh, bias... (Score:4, Interesting)

    by pjr.cc ( 760528 ) on Thursday January 24, 2008 @07:05AM (#22165088)
    I love the way the MS supporters will sit there and bang on about how the linux supporters are all biased fanatics. So again we get to see MS doing what they do best, FUD and disinformation, and Jeff Jones has to be one of MS's best trained maniacs in this area. And you CAN'T argue that vista has no users "so no bugs", cause vista probably has more than linux and MAC combined.

    Vista may be more secure than XP, that's a certainty, but Jeff Jones has proven himself time and again to be completely willing to sacrifice his credibility - so how can you believe a man like that?
  • by jombeewoof ( 1107009 ) on Thursday January 24, 2008 @10:10AM (#22166174) Homepage

    "Everybody with a laptop? It's pretty hard to find a laptop without Windows bundled, and you can't build your own."
    That's not true, a buddy of mine built his laptop. Probably about 2 years ago, pretty close to top of the line for about $800.
  • by Just Some Guy ( 3352 ) <kirk+slashdot@strauser.com> on Thursday January 24, 2008 @11:28AM (#22167466) Homepage Journal

    At the risk of pointing out the obvious, if Microsoft abandoned backward compatibility, they'd lose most corporate users and many home users as well. You don't need an MBA to see why that is not a promising idea.

    Or why not take the Mac approach: run win32 apps inside a "Classic" mode that's really an XP installation. MS already owns VirtualPC so they could embed a copy inside Vista without being dependent on a third party. Then they could have Vista as clean and slim and legacy-free as they wish without affecting old apps at all. State from the beginning that they'll support "Windows Classic" for, say, 5 years and then be done with it.

    Similarly (and much more impressively), IBM has managed nearly perfect backward compatibility [wikipedia.org] alongside new systems for over 40 years. Why can't Microsoft?

  • by Sczi ( 1030288 ) on Thursday January 24, 2008 @11:28AM (#22167468)
    I've been saying the same thing on here for a while, but it's like talking to a wall. People want Vista to suck, so they say it sucks. As near as I can tell it's some desperate attempt to influence reality. IMHO, the bottom line is that if you have the hardware to run it, Vista is pretty decent. I've been running it on 4 systems for about a year now, including gaming, I'm 70-620 certified, and I see no reason to go back to XP or avoid Vista on new systems.
  • by Anonymous Coward on Thursday January 24, 2008 @04:16PM (#22172266)
    I'd say they've argued with logic, but you just didn't understand it. They make a point that number of users matter, and that Microsoft will have very likely cooked the numbers this year to get the overall number of vulnerabilities "down" for marketing purposes.

    "bit of code is not the same as all the code. Not all (nor most, nor even a lot) of bugs are found in that shared code, as it really only makes up a small percentage of the entire OS"
    The important parts of the OS are often shared, as they have been around for a long time, simply check recent security bulletins for Mac OSX, many of the bugs are staples across the entire unix spectrum. The shared code isn't the source code for pretty window displays, it's things like networking stacks - i.e. the stuff that matters to security.

    "but there is nothing stopping the online community from lying about bug counts to make more people switch to another OS."
    Actually with open source, this is exactly what can't happen. Also OSS don't tend to use this figure for marketing purposes as it doesn't actually reveal anything more than "number of bugs found and patched". (Not number of bugs unfound and exploited for example.)

    It seems like you've read a few posts, got an idea in your head and replied to this one out of context... it actually made perfect sense read in context to its parent post.