Microsoft Says Vista Has the Fewest Flaws

ancientribe writes "Microsoft issued a year-one security report on its Windows Vista operating system today, and it turns out Vista logged less than half as many vulnerabilities as Windows XP did in its first year. According to the new Microsoft report, Vista also had fewer vulnerabilities in its first year than other OSes — including Red Hat rhel4ws, Ubuntu 6.06 LTS, and Apple Mac OS X 10.4 — did in their first years."
  • by tommyatomic ( 924744 ) on Thursday January 24, 2008 @01:48AM (#22163658)
    It has the fewest flaws found because it has the fewest people looking for them.
    • by Harmonious Botch ( 921977 ) * on Thursday January 24, 2008 @01:53AM (#22163704) Homepage Journal
      It has the fewest flaws found because it has the fewest people admitting to them
      • by dch24 ( 904899 ) on Thursday January 24, 2008 @02:05AM (#22163780) Journal
        Excellent point. Although other debates [oreilly.com] have questioned Microsoft's numbers, if there are really 20 million [microsoft.com] installs (plus further installs since then) in use out there, hackers might begin to take a look.

        But to paraphrase the Drake equation [wikipedia.org], of the total Vista installs, how many have been hit by crackers? How many of those were honeypots, caught by virus scanners, or otherwise detected? How many exploits found by crackers have been used in highly targeted attacks and kept secret?

        All I can think of is the remote TCP/IP exploit [microsoft.com]. As some of you may recall, that exploit existed in all versions of Windows. And Vista supposedly has a "completely rewritten TCP/IP stack" (source [microsoft.com]).

        "I have a bad feeling about this."
        • by techno-vampire ( 666512 ) on Thursday January 24, 2008 @02:15AM (#22163848) Homepage
          And how many installs are on new machines, where the buyer had no choice? How many of those forced installs have been wiped out by now and replaced by XP, 2K or Linux?
          • Re: (Score:2, Interesting)

            by timmarhy ( 659436 )
            How many people who run Linux do you think are stupid enough to buy Vista then uninstall it? Why does everyone pretend the white box market doesn't exist?
            • by techno-vampire ( 666512 ) on Thursday January 24, 2008 @02:30AM (#22163938) Homepage
              I'm sure most people do. However, it's still hard to find new laptops without a pre-installed OS. Also, I know there are people buying computers with iCandy installed and replacing it with XP; I'm going to be doing exactly that for a friend later this week.
              • by dintech ( 998802 ) on Thursday January 24, 2008 @06:47AM (#22165016)
                And McDonalds claim they make nutritious healthy food...
              • Re: (Score:3, Informative)

                by tha_mink ( 518151 )

                I'm sure most people do. However, it's still hard to find new laptops without a pre-installed OS. Also, I know there are people buying computers with iCandy installed and replacing it with XP; I'm going to be doing exactly that for a friend later this week.

                Then you, my friend, are doing your friend a great disservice. I've been running Vista for about a year now, and once I turned off the "Cancel or Allow" annoyance, I've been very happy with the OS. I also run Ubuntu and compiz and I have to say, I've had no problems with either OS. I know Vista is supposed to be a total piece of shit, but I've loved it. To me, it's much more usable than XP. I've been surprised that it's gotten such a bad rap. To me, all that is just FUD.

                • Re: (Score:3, Insightful)

                  by rtb61 ( 674572 )
                  Now of course it wasn't all that far back into last year, where M$ took retaliatory action against an individual who outed them for failing to fix a security fault in Vista. In fact M$ make it a standard procedure to keep these faults secret and will attempt to retaliate against anyone who announces a security fault.

                  So now they actually have the gall to say that (P)OS Vista has fewer declared faults or to quote the article "compiled the number of vulnerability disclosures and security updates", what a pack of

            • Re: (Score:3, Informative)

              by petermgreen ( 876956 )
              How many people who run Linux do you think are stupid enough to buy Vista then uninstall it? Why does everyone pretend the white box market doesn't exist?
              Having used the cheap whitebox market in the past I'm very reluctant to do so again.

              AFAICT cheap big brand boxes are cheap because of economies of scale, careful planning and probably some loss leadership and crapware bundling income.

              Cheap whiteboxes are cheap because they bought whatever shit was cheapest that week and stuffed it in a box with little to
        • by seifried ( 12921 ) on Thursday January 24, 2008 @02:59AM (#22164104) Homepage
          Might be a rewrite but chances are you either had the same people rewriting it, or at the very least the same mindset/corporate culture/etc. rewriting it, so it probably didn't end up all that different (based on results this looks pretty likely).
        • by moosesocks ( 264553 ) on Thursday January 24, 2008 @05:23AM (#22164718) Homepage
          Also note, that (somewhat hypocritically) all versions of Windows prior to Vista borrow quite a bit of their networking code from BSD.

          Go grep the executables. You'll find the standard BSD copyright notice inside.
      • by kb0hae ( 956598 ) on Thursday January 24, 2008 @03:26AM (#22164204)
        They are talking about security flaws. Other types of flaws? Let's start with the built-in DRM, the extremely annoying UAC prompts, the HUGE amount of software that ran fine with XP that doesn't run with Vista, the HUGE amount of system resources needed to get decent performance... Well, that's enough to start with...

        If electricity comes from electrons, does morality come from morons?
        • by Bert64 ( 520050 ) <bert AT slashdot DOT firenzee DOT com> on Thursday January 24, 2008 @06:05AM (#22164862) Homepage
          Backwards compatibility going out the window is actually a good thing...
          Microsoft never had a proper overall design for windows, and it shows... Early versions were simply hacked together in completely haphazard ways, things were built quickly with no forethought. As a consequence, there is lots of kludgy legacy code kept around for backwards compatibility, including many duplications where an old method was considered fundamentally flawed and unfixable, and discouraged from being used by new apps, but is still kept round for backwards compatibility, one such example is the lanman password hashing.

          If they completely ditch backwards compatibility, they could remove all this old cruft and start again with a proper clean design, but as usual they're taking a half-assed poorly thought out approach.
          • by vtcodger ( 957785 ) on Thursday January 24, 2008 @08:11AM (#22165286)
            ***If they completely ditch backwards compatibility, they could remove all this old cruft and start again with a proper clean design, but as usual they're taking a half-assed poorly thought out approach.***

            At the risk of pointing out the obvious, if Microsoft abandoned backward compatibility, they'd lose most corporate users and many home users as well. You don't need an MBA to see why that is not a promising idea.

            About the best they can do is what they did with NT. Jack the whole unwholesome mess up, and insert a new frame and engine under it. They did that with NT without all that much success. (Windows 95 runs about as well with far fewer resources if you don't mind a crash every few weeks). I suppose they can try again, but I doubt the results will be any better.

            Maybe the idea would be more appealing if there were a "clean" design out there that was actually any better than NT, Unix, OsX. But I don't think there is. AFAICS, for several decades, OS design has consisted of shuffling the subsystems of a 1960s mainframe into slightly different configurations and slapping a shell on it. It's not that I can do better. I can't. Maybe NT, Linux, Vista really are the best we can do. That's a depressing thought.

            • Re: (Score:3, Insightful)

              by petermgreen ( 876956 )
              They did that with NT without all that much success. (Windows 95 runs about as well with far fewer resources if you don't mind a crash every few weeks).
              It doesn't. On 9x, try making the taskbar a couple of rows high and opening browser windows until it's full with small icons; you will notice things start falling over. Now try doing the same on an NT-based version: no problem. Also 9x has absolutely no concept of user permissions; every user is essentially god.

              The real problem that MS is still trying to find
            • by Just Some Guy ( 3352 ) <kirk+slashdot@strauser.com> on Thursday January 24, 2008 @11:28AM (#22167466) Homepage Journal

              At the risk of pointing out the obvious, if Microsoft abandoned backward compatibility, they'd lose most corporate users and many home users as well. You don't need an MBA to see why that is not a promising idea.

              Or why not take the Mac approach: run win32 apps inside a "Classic" mode that's really an XP installation. MS already owns VirtualPC so they could embed a copy inside Vista without being dependent on a third party. Then they could have Vista as clean and slim and legacy-free as they wish without affecting old apps at all. State from the beginning that they'll support "Windows Classic" for, say, 5 years and then be done with it.

              Similarly (and much more impressively), IBM has managed nearly perfect backward compatibility [wikipedia.org] alongside new systems for over 40 years. Why can't Microsoft?

    • mod parent up (Score:5, Insightful)

      by mattwarden ( 699984 ) on Thursday January 24, 2008 @01:53AM (#22163708)
      Parent has it exactly right. This is likely another statistical half-truth. Tell us % of users reporting flaws and let's compare that to XP's first year.
    • All this means is that there will be a really big patch tomorrow.
    • by Anonymous Coward on Thursday January 24, 2008 @02:07AM (#22163802)
      Time for a game of /. Confession...

      I've been using Vista x64 for about two months now on a Dell m1330 with 4GB of RAM. There's more NON-security bugs than I could shake a stick at. Bluetooth has multiple "Hi, I've stopped working and you're screwed till a reboot" bugs, and they seem largely related to a bigger bug Vista has in failing to handle shutting drivers down when suspending in such a way that they wake up when you wake up the laptop. So it occasionally affects LAN, Wifi, etc...

      The interface has more glitches than I can count, Aero is TREMENDOUSLY slow compared to the usual 2D accelerated display (a disappointment since compiz is FASTER than 2D acceleration), and these are just the issues I can remember. I know I've hit more, but I can't recall them right now. I've not gone looking for security bugs, but I'd bet the only "security" part that's near bug free is the one that handles the DRM and anti-piracy functions. I've no doubt from the rest of the experience that the part that secures me and my data is full of holes.

      I'm actually kinda worried what will pop up once they start getting more users on it after SP1 comes out. Good thing I never use IE, refuse to use Outlook, and never directly connect to the internet with Windows. ;-)
      • by techno-vampire ( 666512 ) on Thursday January 24, 2008 @02:20AM (#22163894) Homepage
        It's not just Bluetooth that dies. I have a friend with a large LAN at home. One (and only one) of the machines has Windows iCandy on it. It occasionally decides that one of the other machines has dropped off the LAN even though all other machines can see it and connect to it. When that happens, the only recourse is a reboot. Not only that, it will sometimes "decide" that it can't connect to another machine until a reboot even though it admits it's there. Weird, really, but there it is.
      • When I was using Vista I remember the graphics engine being somewhat snappier than XP (I noticed it the most when I switched back to XP), but in all fairness I also have an 8600 GT in this machine, so if it can't fully take advantage of a DX10 card...
      • Re: (Score:3, Insightful)

        If you want to fix the resume bug for your hardware, disable the power off of the given device in power management.
        • by Andrzej Sawicki ( 921100 ) <ansaw@poczta.onet.pl> on Thursday January 24, 2008 @04:34AM (#22164526)
          That's not a fix, that's workaround. The functionality remains broken, no?
        • Re: (Score:3, Informative)

          by fishyfool ( 854019 )
          Doesn't work. I've been having difficulty with wireless USB LAN devices. I turn off the power management, and they still lose connection, but only when the user is logged off for ten minutes or more. When they log back on, the network refuses to reconnect. You must either reboot, or physically disconnect the USB LAN device and then reconnect it. Plugging the LAN device into a powered USB hub doesn't help. I tried the hotfix for this issue, but no joy. The only fix that works is to not log off the machine
    • Re: (Score:2, Informative)

      by murrdpirate ( 944127 )
      Although Vista is doing comparatively worse than XP due to the fivefold increase in PC sales between their respective first years, the total Vista sales are higher, so there should be more people finding flaws. Unless that many people buy a preloaded vista PC and upgrade to XP....
    • by I'm Don Giovanni ( 598558 ) on Thursday January 24, 2008 @02:38AM (#22163998)
      Two points here:
      1. Slashdotters have maintained for years that userbase size has (almost) no relation to the number of exploits an OS gets. MS fanboys would claim that OSX and Linux had fewer exploits because they had a much smaller userbase, and they'd be ripped to shreds by slashdotters that would accuse them of engaging in logical fallacy. Your statement that Vista has fewer flaws because it has fewer users goes directly against long held slashdot doctrine. And yet other slashdotters appear to be agreeing with you, which raises the question of just how closely slashdotters held that doctrine. Seems it was only a closely held belief when needed to defend OSX and Linux from MS fanboys.

      2. Your premise is wrong anyway. The report says that Vista has fewer flaws in its first year than did XP, some version of Red Hat, and OSX 10.4 did in their first years (and it's not even close). But Vista actually has MORE users in its first year than all of those OSes did in their first years (and has more users than OSX and Red Hat, period). XP had a greater userbase percentage in its first year, but fewer actual users because the number of computers was 5 times smaller back when XP was released.

      Incidentally, Here are some Dec 2007 OS userbase share stats according to web hits [hitslink.com]:
      XP: 76.9%
      Vista: 10.5%
      OSX: 7.3%
      Linux: 0.6%
      • by 1u3hr ( 530656 ) on Thursday January 24, 2008 @04:29AM (#22164508)
        Slashdotters have maintained for years ....

        Some people have posted this on Slashdot. To maintain that there is a single "Slashdotter" point of view is just a straw man. For ANY point of view you can find hundreds of posts by "Slashdotters" supporting OR contradicting it.

        MY PERSONAL point of view is that the statistics presented are suspicious. Previous MS press releases (aka "independent reports") have counted the same error multiple times, have counted bugs in applications bundled with Linux against OS bugs in Windows, etc.

      • by Chrisje ( 471362 ) on Thursday January 24, 2008 @07:18AM (#22165116)
        Congratulations on not being a bigot and actually thinking about what you write. In the tiresome ocean of "Of course, Vista don't have any users" comments, "You can't trust statisticz" comments, "Microsoft is comparing Apples (no pun intended) to Oranges" comments and the obligatory "Linux has more code" remark, your balanced appraisal of the situation is refreshing.

        It's a shame that I haven't bothered to find out how the moderation system works yet, otherwise my praise to you, Sir, would be in hard karma currency.
      • by catwh0re ( 540371 ) on Thursday January 24, 2008 @07:51AM (#22165200)
        Let's look at Linux, OSX and a few of the other open source based operating systems. All of these systems share a bit of code. So when a bug is found, it's a plus 1 for each of these operating systems. Bugs are found because between all of these operating systems, there is quite a high aggregate number of users (it's pretty stupid to count them as completely separate install bases), and many of these users fit well into the Venn diagram for: IT informed & technical persons who are able to find such flaws and bugs in software.

        This contrasts significantly with the majority Windows user base, most people are first greeted by Windows because their computer came with it pre-installed.. They generally don't know much about programming and certainly aren't responsible for programming the operating system they're using. They buy software which they learn just well enough to get by; But there are also many Windows users who are quite savvy.. and many of those have downgraded to the arguably more suitable Windows XP OS.

        So even though Microsoft can easily cook the numbers. Let's look at a few more realities. In the world of open source, there is no hiding your vulnerability tally - because everyone sees the code and can check it. There is no such thing as the creative multiple patching of entire subsystems which are counted as a sole vulnerability. Which is very easy to do when you hide your source code from the public.

        Microsoft is a company who has a real marketing benefit for showing (read: or pretending) that the overall number of vulnerabilities is lower over the first year. When this creative-counting is already under scrutiny, as there is no held standard for counting vulnerabilities and there is especially no transparency in how Microsoft validate what is a serious vulnerability and what is not.

        Now since Windows recycles so much code, you can also argue that of course Vista would have less vulnerabilities than XP, after all the entry-level security bugs should all be caught by now, with only newer features having the baptism of fire. This is why userbase makes a difference.

        Also webhit tallies from a particular research service provider are useless, as linux machines tend to power the web - and not surf it. (When you're powering a website, e.g. banking, you are more concerned about vulnerabilities than say a mother who just bought her family a computer. So in this example - coders are actively looking for bugs, go figure they find more - that's what happens when you look for something.)

        Finally slashdotters do argue that exploits are targeted at larger OS market shares (naturally they want the largest possible penetration). They don't however say that the bug count is similarly controlled: Bugs found = number of unfound bugs * proficiency of the people looking for them.

        Also your figures for computer adoption are incorrectly used. (as was most of your data - you tend to convey more from the data than what it factually states.)

  • by Anonymous Coward
    No users == no problems
  • by Nefarious Wheel ( 628136 ) * on Thursday January 24, 2008 @01:49AM (#22163666) Journal
    Is this via support calls or just little modal dialog boxes that people are tired of clicking "send" on? Or are they filtering out things they've already encountered in XP? Statistics are a great aid to the common lie.
  • by ameyer17 ( 935373 ) <slashdot@ameyer17.com> on Thursday January 24, 2008 @01:50AM (#22163674) Homepage
    Most Linux distros have a lot more software and contain more lines of code than Windows. Therefore, you'd expect more flaws in something like Ubuntu or RHEL.
    • I definitely didn't believe your statistics (not being much of a kernel coder), but Wikipedia tends to back you up: http://en.wikipedia.org/wiki/Source_lines_of_code [wikipedia.org].

      Thanks! I learned something.
      • by djcapelis ( 587616 ) on Thursday January 24, 2008 @02:33AM (#22163954) Homepage
        I think the GP wasn't talking about the kernels. Linux distros simply distribute much much more software than comes with your average proprietary OS.

        Most will issue a security advisory when there's a bug in apache, mysql, postgres, sqlite or all of these types of things. Microsoft doesn't issue an advisory about a bug in Oracle. On Linux, the distros take responsibility for a much much wider range of software than Microsoft does on their platforms.
      • by SmallFurryCreature ( 593017 ) on Thursday January 24, 2008 @05:21AM (#22164714) Journal

        Where are your drivers in Linux? Where do you download them? Why, you don't, they are IN THE KERNEL!

        So Linux "the kernel" does a lot more than MS does with its core OS because MS still asks you to download a ton of drivers. This is part of their strategy; it allows them to shift blame to the driver instead of their OS. If you really have a problem with MS software and actually have some support (check your MS license; you pay for the software, there is no support) then your first job will be to convince them the bug lies with them and not some combo of drivers that you had to install.

        That is why these MS reports are so silly; you really can't compare the two "distros". MS Vista does far less than a Linux based distro like Ubuntu BUT they don't have a bare kernel they distribute, but even if they did it does far less than the Linux kernel.

        So what are you comparing?

        Also note that security bugs in Vista affect EVERY Vista user because all the installs are the same. A Linux distro bug in PHP affects only those who use PHP on their Linux distro. MS funded research has in the past made lists of security bugs in Linux where they counted the same bug multiple times for each distro it was in. That is kinda like saying "Just look at our competitors' cars, they made 1 million of them and 1000 of them had the same fault. Meanwhile our 1 model has just one fault, the brakes don't work. We are BEST!"

        MS, FUD at its best.

    • by tsotha ( 720379 )
      That's true, but it's hardly a defense of Linux distros. More lines of code doesn't imply better by any means.
      • by Rakishi ( 759894 )
        Well while it'd be nice if the 10000+ packages (which include everything except for the kitchen sink) that make up a full debian install had fewer lines of code than a kernel, windows environment and some light apps it's not easy to do.
      • by riseoftheindividual ( 1214958 ) on Thursday January 24, 2008 @03:42AM (#22164278) Homepage
        Don't change the subject, he didn't say better. And as far as a defense, it's not, it's an explanation. When Microsoft ships with several different database packages, several different browsers, several different desktop environments, several different office suites, a crapload of various network tools, applications, etc... that a typical Linux distro ships with, and manages to pull off fewer bugs, then they can use such comparisons to prove something. Until then, it's like comparing the number of problems found in a storage shed to a skyscraper, and using that comparison to try to argue that the shed is better since it had fewer reported problems.
        • Re: (Score:3, Informative)

          by tsotha ( 720379 )
          The author of the article was making a kernel-to-kernel comparison. If the Linux kernel contains more lines of code, it probably contains more bugs. But that doesn't mean it should contain more lines of code.
    • by FurryWhale ( 1193405 ) on Thursday January 24, 2008 @03:21AM (#22164174)

      Most Linux distros have a lot more software and contain more lines of code than Windows. Therefore, you'd expect more flaws in something like Ubuntu or RHEL.

      The report is available here [technet.com], and states that the comparison specifically excludes components from Red Hat such as server components, gimp, OpenOffice, etc:

      Red Hat and other Linux distribution vendors add value to their workstation distributions by including and supporting many applications that don't have a comparable component on a Microsoft Windows operating system. It is a common objection to any Windows and Linux comparison that counting the "optional" applications against the Linux distribution is unfair, so I've completed an extra level of analysis to exclude component vulnerabilities that do not have comparable functionality shipping with a Windows OS. In short, I install a rhel4ws computer and: I excluded any component that is not installed by default, which includes all optional "server" components that ship with rhel4ws. I additionally excluded text-internet, graphics (the gimp stuff) and office (OpenOffice) and Development Tools (gcc, etc) installation groups. I used the rpm command to list out all packages that get installed and used that package list to filter vulnerabilities for inclusion. This process results in a Gnome-windows workstation that includes standard system management tools, Firefox for browsing, sound and video support, but excludes all server packages, as well as OpenOffice and other optional stuff that a Windows system wouldn't have by default.

      It'd be nice if it listed the exact components installed on Red Hat, but at least it attempts to cull the component set to something more reasonable for comparison.
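Two of the counting adjustments argued over in this thread can be made concrete: counting a bug shared by several distributions once (the "same bug multiple times for each distro" objection above) and, as the quoted report describes, filtering a distribution's advisories down to the packages that are actually installed on a default workstation, using an `rpm -qa` package list. The following is an added example, not code from the thread or from Microsoft's report. The advisories, CVE identifiers, package names and the `rpm -qa` output are all constructed for illustration and do not describe real vulnerabilities in any product.

```python
"""Naive vs. adjusted vulnerability counts for an OS comparison.

Added example (not from the Slashdot thread or the Microsoft report).
Every advisory, CVE id, package name and rpm -qa line below is constructed.
"""
from collections import defaultdict

# Constructed advisories: (distro, CVE id, affected package).
# CVE-2007-0001 and CVE-2007-0002 appear under two distros (one bug, two
# advisories); CVE-2007-0004 is listed twice for rhel4ws (re-issued advisory).
ADVISORIES = [
    ("rhel4ws", "CVE-2007-0001", "kernel"),
    ("ubuntu-6.06", "CVE-2007-0001", "linux-image"),
    ("rhel4ws", "CVE-2007-0002", "firefox"),
    ("ubuntu-6.06", "CVE-2007-0002", "firefox"),
    ("rhel4ws", "CVE-2007-0003", "openoffice.org"),
    ("rhel4ws", "CVE-2007-0004", "httpd"),
    ("rhel4ws", "CVE-2007-0004", "httpd"),
    ("ubuntu-6.06", "CVE-2007-0005", "php5"),
    ("rhel4ws", "CVE-2007-0006", "gimp"),
]

# Constructed `rpm -qa` output for a default workstation profile (no server
# packages, no OpenOffice, no GIMP), in the usual name-version-release form.
RPM_QA_OUTPUT = """\
kernel-2.6.9-42.EL
firefox-1.5.0.12-0.1.el4
openssh-3.9p1-8.RHEL4.17
gnome-session-2.8.0-7
"""


def parse_rpm_qa(text):
    """Return the set of bare package names from `rpm -qa` style lines.

    RPM NVR strings are name-version-release; version and release are the
    last two dash-separated fields, so the name is everything before them.
    Names themselves may contain dashes (gnome-session), so we split from
    the right, not on the first dash.
    """
    names = set()
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        parts = line.rsplit("-", 2)
        if len(parts) != 3:
            raise ValueError(f"not a name-version-release string: {line!r}")
        names.add(parts[0])
    return names


def naive_counts(advisories):
    """Count one hit per advisory line per distro, duplicates and all."""
    counts = defaultdict(int)
    for distro, _cve, _pkg in advisories:
        counts[distro] += 1
    return dict(counts)


def unique_cves(advisories, distro=None, installed=None):
    """Distinct CVE ids, optionally limited to one distro and to packages
    present in `installed` (the report's "exclude what isn't installed")."""
    cves = set()
    for d, cve, pkg in advisories:
        if distro is not None and d != distro:
            continue
        if installed is not None and pkg not in installed:
            continue
        cves.add(cve)
    return cves


def compare(advisories, installed_by_distro):
    """Per-distro table: naive line count, unique CVEs, unique CVEs in
    installed packages. Distros without a package list are not filtered."""
    table = {}
    naive = naive_counts(advisories)
    for distro in sorted({d for d, _, _ in advisories}):
        pkgs = installed_by_distro.get(distro)
        table[distro] = {
            "naive": naive.get(distro, 0),
            "unique": len(unique_cves(advisories, distro)),
            "installed_only": len(unique_cves(advisories, distro, pkgs)),
        }
    return table


if __name__ == "__main__":
    workstation = parse_rpm_qa(RPM_QA_OUTPUT)
    for distro, row in compare(ADVISORIES, {"rhel4ws": workstation}).items():
        print(distro, row)
    print("distinct CVEs across all distros:", len(unique_cves(ADVISORIES)))
```

Run as-is it shows how far the headline number moves with each adjustment: nine advisory lines in total collapse to six distinct CVEs, and rhel4ws drops from six lines to five distinct bugs to two once only the workstation's installed packages count. The same skeleton works on real data if `ADVISORIES` is loaded from a distribution's advisory feed and `RPM_QA_OUTPUT` from an actual `rpm -qa` run; the point is that whoever publishes a comparison should publish these filters too.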

  • by gardyloo ( 512791 ) on Thursday January 24, 2008 @01:52AM (#22163694)

    Fewer vulnerabilities "make it easier to manage risk," [Jones] says. "All other things being equal, fewer patches mean more time to spend on other security projects to reduce risk."
    Wow. The one guy who currently handles the code for Windows security must be quite relieved to hear that!
  • by Niten ( 201835 ) on Thursday January 24, 2008 @01:54AM (#22163710)

    For the last time, you just can't add up the number of vulnerabilities in separate products from different authors and expect to glean any meaningful information from numerology thereon. This is especially true when contrasting one closed-source product from a vendor with questionable security reporting practices (say, Windows), and an open-source product where every single flaw of any level of significance is public knowledge (say, Ubuntu Linux).

    I'm tired of seeing such claims about vulnerability tallies parroted in Slashdot summaries without the least bit of skepticism regarding their relevance. This sort of thing has already been debunked a million times over on this site. Come on, editors, a little quality control would be nice...

  • by rubicon7 ( 51782 ) on Thursday January 24, 2008 @01:54AM (#22163712)
    - because it seems nobody's actually using it.

    In related news, BeOS showed few vulnerabilities this year...
  • by Zymergy ( 803632 ) * on Thursday January 24, 2008 @01:55AM (#22163718)
    Could the reason there are fewer exploits in the first year of Vista (versus XP) be due to the fact that it has a reluctant adoption rate by users and the OS exploiters are likely focusing their efforts on current operating systems that are more stable, known, and in higher use?
    Give it time...
    Besides, now that Microsoft has set 2009 for the new "Windows 7" release target date, it seems that Vista may be the new short-lived 'Windows Me'.
    • Your argument fails. The number of exploits does not depend on the number of computers running it. It depends on the number of flaws that can be exploited.
  • by edwardpickman ( 965122 ) on Thursday January 24, 2008 @01:56AM (#22163732)
    Click to launch Word.


    Copy file


    Launch Firefox


    Verdict OS completely secure.
  • by Angst Badger ( 8636 ) on Thursday January 24, 2008 @01:57AM (#22163746)
    ...after all, any operating system that is basically unusable is going to have fewer vulnerabilities as a matter of course.
  • by EEPROMS ( 889169 )
    Boeing has said its latest jet liner crashes less and Ford has made a car that kills fewer drivers.
  • How does that old quote go?
    "There are 3 kinds of lies: lies, damned lies and Microsoft PR"
    Or something along those lines...
  • How was XP's install base after a year? Is Vista even comparable now to what XP was doing a year after its release? I swear I'm not trying to troll here, I honestly don't have figures to back this up. However, in my (admittedly) anecdotal experience, neither I nor my other geeky friends were strongly recommending that any new shoppers stick with Win98. The manufacturers are still shipping new machines with XP, and the impression I'm getting is they'd like to keep doing so as long as possible.


    • by dbIII ( 701233 )
      I was convinced at the time, rightly or wrongly, that XP was complete crap prior to SP2 and was certainly not alone. I did quite a few win2k installs at that time and a few since on low memory machines. Server 2003 was impressive on the machine I ran it on as well. I'm not entirely sure why XP and Vista come across as the hobby systems you have to pay for.
  • Perspective (Score:2, Flamebait)

    As long as most of the flaws in VISTA are still being counted as features (DRM anybody?), they can basically claim it's a zero-flaw system.
  • by arotenbe ( 1203922 ) on Thursday January 24, 2008 @02:08AM (#22163808) Journal
    I think that is a silly measure of bugginess. Not only does the lower number of flaws reported reflect lower usage of Vista, it also likely says that the reporting system is difficult to work with. If anything, I think the fact that the non-Windows systems have a higher number of flaws reported indicates that they have easier-to-use bug reporting systems. The correct way to measure statistics on things like this is either to have a third party subject them to a standardized battery of tests (indicating actual security levels) or to measure the ratio of bugs fixed to total bugs reported (indicating the development team's ability to correct reported flaws quickly).
  • Most flaws you could drive a fleet of semis through.

    someone needs to come up with a metric of flaw exposure per unit time.
  • ...those in Vista are defined as "features" - mystery solved.
  • Bravo! (Score:3, Interesting)

    by Plutonite ( 999141 ) on Thursday January 24, 2008 @02:16AM (#22163856)
    Remember ladies, this is what George W. Bush's go-away speech is going to be like. Don't be too scathing. Let them have their moment.

    Windows 7 announcement in 3..2..1
  • by LingNoi ( 1066278 ) on Thursday January 24, 2008 @02:24AM (#22163916)
    From the PDF [technet.com]

    Page 12 - Windows Vista Fixed 36 vulnerabilities
    Page 14 - Ubuntu fixed 406 vulnerabilities affecting Ubuntu 6.06 LTS.

    Look how many vista have left to find!!
  • Statistics (Score:5, Insightful)

    by wannabgeek ( 323414 ) on Thursday January 24, 2008 @02:26AM (#22163920) Journal
    Reminds me of a quote - "Statistics are like humans. Torture them enough and you can make them admit anything you want".
  • by ryanisflyboy ( 202507 ) * on Thursday January 24, 2008 @02:34AM (#22163958) Homepage Journal
    You know it's bad when not even the script kiddies wanna get their paws on it.
  • Personally (Score:2, Funny)

    by maroberts ( 15852 )
    I'm not giving Vista flaw space.
  • Nobody uses Vista? (Score:4, Interesting)

    by Coolhand2120 ( 1001761 ) on Thursday January 24, 2008 @02:42AM (#22164022)
    SO. Nobody uses Vista in comparison to OS X or Linux? ouch [hitslink.com], looks like a whole magnitude of people use Vista over OS X or Linux. According to this link, if you took all the Linux and Apple users and put them into a single group, it STILL wouldn't be as many people who are using Vista by a good size chunk (let alone XP), so let's not repeat that lie again.

    I don't mind people being critical of anything, but please be honest in your critique. And whatever you do don't use Apple as an example of "the way things should be".

    I'm sure this will be tagged flamebait or troll. That's kind of ironic when I'm replying to all these guys tagged 'informative' who say "Nobody uses Vista" when they are obviously providing false information. If pointing out a blatant lie makes me a troll so be it.
  • I tend to file "design flaws" as bugs at work. I guess they aren't bugs here. At least they aren't a security threat, so that's something at least.

    Linux has the better bug-per-dollar ratio.
  • My copy of XP has been humming along nicely ever since Vista's release. Bravo!
  • This is why I resist the notion that there are too many smart people over at MS. They routinely use the idea that the number of flaws in their OS being less than the number of flaws in an entire Linux distribution is somehow a sensible metric. How does someone even type that out? I mean... where's the pride in what you do?
  • Only 1 Flaw (Score:5, Funny)

    by Barumpus ( 145412 ) on Thursday January 24, 2008 @04:25AM (#22164482)
    And that 1 flaw was actually putting Vista on the market.
  • by pc486 ( 86611 ) on Thursday January 24, 2008 @04:31AM (#22164520) Homepage
    From Jeff Jones' report:

    Q: Linux distros contain many more optional applications than Windows - that is Apples and Oranges - how can any comparison be valid?

    Actually, Windows Vista and Windows XP have different components too. Windows Vista Ultimate includes Media Center for example, which was not in Windows XP Professional. From a user perspective, I think it is Apples and Apples. Whichever OS is chosen, I believe most people will install the default set of components and use that. If vulnerabilities are in those components, they will be exposed and need to take mitigating action.

    I did, however, try to even the playing field as much as possible by excluding optional Linux-distro components and excluding even some default components for which there is no obvious counterpart. In contrast, on the Windows analysis, I included any component that shipped with the product. I think the comparison is valid and useful.

    From my basic CentOS 4 system:
    $ rpm -q -a | wc -l

    Even on a (stupid) vulnerability count, even with a reduced package setup, the number of packages on a RHEL/CentOS system dwarfs the number of programs that come with Windows. You can't even compare against Jeff's Windows numbers because he looks into how critical each vulnerability is on Windows (good) but not on any Linux setup (bad). If the real concern is user exposure, then counting vulnerabilities in all packages makes sense, but only if you count vulnerabilities in common Windows packages too, like Acrobat Reader, Photoshop, Office, and even games like WoW.

    My biggest beef is that Jeff fails to include his compiled vulnerability database. Even though he writes on his methodology and sources, there is no way to easily verify his claims. This is the 21st century and there's something called the Internet. There's no excuse to not provide the raw data, and I certainly don't have enough interest to make guesses and recreate the data for such a flawed analysis anyway.

    Next time at least provide a list of analyzed RPMs and DEBs!
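    Two points in this thread ask for the same thing: the suggestion earlier for "a metric of flaw exposure per unit time", and the complaint just above that Jeff's report weights severity on the Windows side only. The script below is an added example, not code from the thread or from Microsoft's report; its advisory records are constructed, the identifiers are hypothetical (not real CVEs), and the severity weights are an assumption standing in for CVSS bands. It shows how a raw count of fixed vulnerabilities can rank two platforms one way while severity-weighted exposure-days over the same window ranks them the other way, and it counts still-unpatched flaws as exposed up to the reporting date instead of dropping them.

```python
"""Vulnerability count vs. severity-weighted exposure over a time window.

Added example; the advisory data below is constructed for illustration.
Identifiers are hypothetical, not real CVEs, and SEVERITY_WEIGHT is an
assumed scale standing in for CVSS bands.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date
from typing import Iterable, Optional

# Assumed weights; a real analysis would derive these from CVSS scores.
SEVERITY_WEIGHT = {"low": 1, "medium": 3, "high": 7, "critical": 10}


@dataclass(frozen=True)
class Advisory:
    product: str
    vuln_id: str            # hypothetical identifier, not a real CVE
    severity: str           # key of SEVERITY_WEIGHT
    disclosed: date         # day the flaw became public
    fixed: Optional[date]   # patch release day; None if still unpatched


def days_exposed(adv: Advisory, window_start: date, as_of: date) -> int:
    """Days the flaw was public and unpatched inside [window_start, as_of].

    An unpatched flaw stays exposed up to as_of; a flaw disclosed before the
    window only counts from window_start onward.
    """
    start = max(adv.disclosed, window_start)
    end = as_of if adv.fixed is None else min(adv.fixed, as_of)
    return max(0, (end - start).days)


def summarize(advs: Iterable[Advisory], window_start: date, as_of: date) -> dict:
    """Raw count (the report's metric) next to exposure-based metrics."""
    advs = list(advs)
    weighted = sum(
        SEVERITY_WEIGHT[a.severity] * days_exposed(a, window_start, as_of)
        for a in advs
    )
    window_days = (as_of - window_start).days
    return {
        "raw_count": len(advs),
        "unfixed": sum(1 for a in advs if a.fixed is None or a.fixed > as_of),
        "weighted_exposure_days": weighted,
        "exposure_per_day": round(weighted / window_days, 3),
    }


def rank(datasets: dict[str, list[Advisory]], metric: str,
         window_start: date, as_of: date) -> list[str]:
    """Product names ordered best (lowest score) to worst on one metric."""
    scores = {name: summarize(advs, window_start, as_of)[metric]
              for name, advs in datasets.items()}
    return sorted(scores, key=scores.__getitem__)


# Constructed one-year window and two constructed advisory sets.
WINDOW_START = date(2007, 1, 1)
AS_OF = date(2008, 1, 1)

OS_A = [  # few advisories, but severe and slow (one still open)
    Advisory("OS-A", "A-1", "critical", date(2007, 3, 1), date(2007, 4, 10)),
    Advisory("OS-A", "A-2", "high", date(2007, 6, 15), date(2007, 6, 20)),
    Advisory("OS-A", "A-3", "critical", date(2007, 10, 1), None),
    Advisory("OS-A", "A-4", "low", date(2007, 8, 1), date(2007, 8, 3)),
]
OS_B = [  # twice as many advisories, mostly minor and patched within days
    Advisory("OS-B", "B-1", "medium", date(2007, 2, 1), date(2007, 2, 3)),
    Advisory("OS-B", "B-2", "low", date(2007, 2, 10), date(2007, 2, 10)),
    Advisory("OS-B", "B-3", "high", date(2007, 3, 5), date(2007, 3, 7)),
    Advisory("OS-B", "B-4", "medium", date(2007, 5, 1), date(2007, 5, 4)),
    Advisory("OS-B", "B-5", "low", date(2007, 6, 1), date(2007, 6, 2)),
    Advisory("OS-B", "B-6", "critical", date(2007, 7, 10), date(2007, 7, 12)),
    Advisory("OS-B", "B-7", "medium", date(2007, 9, 1), date(2007, 9, 5)),
    Advisory("OS-B", "B-8", "low", date(2007, 11, 20), date(2007, 11, 21)),
]
DATASETS = {"OS-A": OS_A, "OS-B": OS_B}

if __name__ == "__main__":
    for name, advs in DATASETS.items():
        print(name, summarize(advs, WINDOW_START, AS_OF))
    print("by raw count:", rank(DATASETS, "raw_count", WINDOW_START, AS_OF))
    print("by exposure: ", rank(DATASETS, "weighted_exposure_days", WINDOW_START, AS_OF))
```

    On the constructed data OS-A "wins" on raw count (4 vs 8) and loses badly on exposure (1357 vs 63 weighted exposure-days), almost entirely because of one critical flaw that is still unpatched at the end of the window; a fixed-count metric never sees that flaw at all. Disclosure dates and severities, not totals, are what would have to be published for anyone to reproduce a comparison like this, which is the missing raw data pc486 is asking for.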
  • by Facegarden ( 967477 ) on Thursday January 24, 2008 @05:45AM (#22164810)
    Fewest vulnerabilities doesn't mean it has the fewest flaws... Freezing, poor driver support, poor program support, these things are flaws, yet have nothing to do with security vulnerabilities. I love Vista, I've run it since the betas and run a legal copy of Ultimate that I paid for with my own money, and I've been able to generally make stuff work, but having to use workarounds to make stuff work is a flaw, in my opinion, and having good security is nice, but not if a bunch of stuff I've used for years doesn't work. I want to be an MS fanboy but I can't. I use Vista at home because I can deal with its shit, but when I buy a new computer at the office, I make sure it has XP, because reliability is king at work. Lack of reliability is too big of a deal to leave it out of the category of "flaws"... -Taylor
  • by Bert64 ( 520050 ) <bert AT slashdot DOT firenzee DOT com> on Thursday January 24, 2008 @05:54AM (#22164838) Homepage
    Again, a ridiculous comparison based on reported security holes...

    Microsoft are in the best position to find holes in Vista, having the source code. They have no incentive to report them, and will just fix them silently. OSX is in the same boat but to a lesser degree, and with Ubuntu/Red Hat all the issues will make it into the public domain. The only Vista issues which make it public are ones discovered by third parties, which are probably fewer than the number found internally because internal developers have access to the source, access to the original devs and a more intimate knowledge of the inner workings.

    Then you have to consider functionality: Vista comes with one fairly old web browser, one mail client, a rudimentary text editor, a single-protocol IM client, a trivial drawing program, a simple media player with a small number of codecs and a few very simple games... Ubuntu/RHEL come with multi-protocol IM clients, a full office suite, a larger number of slightly less simple games, a larger and more capable set of networking tools, scanner software, fully capable drawing software, a much larger set of hardware drivers bundled by default, and lots more besides...

    It's like trying to compare the rudimentary "people's cars" produced in the former USSR, with only rudimentary features and a largely hidden safety record, to the luxury cars being produced in the west around the same time... Try comparing a Zaporozhets to something like an E-type Jaguar.
  • Ahhh, bias... (Score:4, Interesting)

    by pjr.cc ( 760528 ) on Thursday January 24, 2008 @07:05AM (#22165088)
    I love the way the MS supporters will sit there and bang on about how the Linux supporters are all biased fanatics. So again we get to see MS doing what they do best, FUD and disinformation, and Jeff Jones has to be one of MS's best trained maniacs in this area. And you CAN'T argue that Vista has no users "so no bugs", cause Vista probably has more than Linux and Mac combined.

    Vista may be more secure than XP, that's a certainty, but Jeff Jones has proven himself time and again to be completely willing to sacrifice his credibility - so how can you believe a man like that?
  • by Tom ( 822 ) on Thursday January 24, 2008 @09:29AM (#22165750) Homepage Journal
    Statistics lie for whoever pays them.

    There are many more interesting numbers than such a simple count. For example, as a user, I don't care at all for the number of fixed bugs, I care a lot more about the number of unfixed bugs.

    And that's just the tip of the iceberg.
  • by kalirion ( 728907 ) on Thursday January 24, 2008 @10:50AM (#22166772)
    Bricks have few vulnerabilities too.