
August 18th, 2009

XP, Vista, or Windows 7: Which OS is more secure?

Posted by Ed Bott @ 9:01 pm

Categories: Security, Windows 7, Windows Vista, Windows XP


Over the past couple of years, I’ve been regularly checking in to measure whether Windows Vista is living up to its promise of being more secure than its predecessor, Windows XP. (To catch up with previous installments, see October 2007, “One year later, Vista really is more secure,” and July 2008, “21 months later, Vista is still more secure than XP.”)

My metric is a simple but effective one: count the number of Microsoft Security Bulletins rated Critical or Important for different Windows versions over time. In both previous installments, Vista had a significant edge over XP, with far fewer updates required. Has Vista maintained its security advantage over the past year? And are there any indications as to how Windows 7 will fare, now that it’s been released to manufacturing?

The answer to both questions is yes.

It’s far too early to make definitive judgments about the relative security of Windows 7, but Microsoft’s shiny new OS had a banner first month. A total of eight Microsoft security bulletins were aimed at various Windows versions. Three of them were rated Critical for both Windows XP and Windows Vista, even with the most recent service packs. Another two security updates were rated Important for Windows XP and Moderate for Windows Vista.

But for all eight of the August 2009 security updates, Windows 7 and Windows Server 2008 R2 were listed under the Non-Affected Software heading. Not a single one of those security holes required patching in the new OS.

That’s the same pattern that Windows Vista established when it was new. And Vista has maintained its safer-than-thou reputation in the past year. I went through every single security bulletin Microsoft published for the past 12 months, from September 2008 through August 2009. The totals?

Windows XP: 22 Critical, 16 Important

Windows Vista: 18 Critical, 11 Important

That’s a 24% reduction in the number of patches rated Critical or Important—the kind that typically involve remote code execution or escalation of privileges. Or, to put it another way, that’s 3.2 patches per month for XP and 2.4 patches for Vista. (And the next time someone complains about the number of patches they have to install for Windows, be sure to show them that number: 2.4 patches per month, delivered automatically on the first Tuesday of each month, isn’t exactly overwhelming.)

So what’s the difference? Security Bulletin MS09-032 is typical:

This security update resolves a privately reported vulnerability that is currently being exploited. The vulnerability in Microsoft Video ActiveX Control could allow remote code execution if a user views a specially crafted Web page with Internet Explorer, instantiating the ActiveX control. This ActiveX control was never intended to be instantiated in Internet Explorer. … 

This security update is rated Critical for all supported editions of Windows XP….

That vulnerability doesn’t exist in Windows Vista or in Windows 7. And both of those newer operating systems have an additional advantage. As the bulletin notes: “Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.” That, of course, is the whole point of the user model that was dissed so thoroughly in Windows Vista. But it seems to be working.

Ed Bott is an award-winning technology writer with more than two decades' experience writing for mainstream media outlets and online publications.
