
January 24th, 2008

Jeff Jones (err Microsoft): Vista more secure than everything

Posted by Larry Dignan @ 8:38 am

Categories: Exploit code, Microsoft, Open source, Patch Watch, Uncategorized, Viruses and Worms, Vulnerability research, Windows Vista

Tags: Microsoft Windows Vista, Jeff Jones, Microsoft Corp., Analysis, Microsoft Windows Vista (Longhorn), Microsoft Windows XP, Security Administration, Security, Operating Systems, Microsoft Windows

Microsoft’s Jeff Jones is at it again with a report claiming that Vista is more secure than its predecessor–XP–and every other modern operating system out there.

I know what you’re going to say–Jones is a blowhard. He says what Microsoft wants to say but doesn’t so the company appears above the fray. Any number can be twisted. He’s not exactly objective. In fact, I’m inclined to agree with you. But here’s the report anyway. Why give Jones a podium since he’s obviously pro-Microsoft? You can still learn from people that have an obvious stake in their analysis. To me it’s no different than an analyst disclosing a position in a stock. As long as it’s disclosed I’ll give it a shot.

In a blog post, Jones, security strategy director in Microsoft’s Trustworthy Computing group, provides the PDF report. It uses a one-year take from Nov. 2006 to Nov. 2007, since that’s when Vista shipped to business customers (whether these folks actually installed Vista is another argument entirely).

Some key takeaways:

Jones (previous reports) says Vista is more secure than XP and Microsoft has its patching act together. Jones writes: “The results of the analysis show that Windows Vista has an improved security vulnerability profile over its predecessor. Analysis of security updates also shows that Microsoft improvements to the security update process and development process have reduced the impact of security updates to Windows administrators significantly compared to its predecessor, Windows XP.”

I’m inclined to agree with that–even though I’m still on XP. Whether Vista is more secure will be determined over time. But Microsoft has improved its security update process since XP’s heyday.

The methodology and the metric dance. It sure would be swell if there were one uber metric to measure security. There isn’t and Jones cops to that. He notes in his report:

If it was possible to measure “security” in one metric, it would have to encompass a complex combination of factors including (but not limited to) the software quality, administrative controls, physical controls, and much more - and even then, it would all be in the context of whatever security policy was defined for the systems in question. So, this is not an analysis of “the security”. I don’t look at protective mechanisms and see how they might protect in certain scenarios. Nor do I look at security features and see how they might enable better privacy or help secure business process. And I certainly don’t look at how easy it is to manage the security policy for these products. Is there anything in this analysis which will prove one piece of software is “more secure” than another? No, that is not my intention.

Nevertheless, Jones gives you metrics measuring security. He uses a vulnerability analysis, tosses in some caveats and moves along with CVE counts. Jones’ report oddly looks a lot like George Ou’s report last month when he tried to compare IE and Firefox. And since most of you gave poor George hell I assume you’ll disapprove of Jones’ counts too.

Jones lets the charts do the talking on Vista vs. XP.

Windows XP vs. Vista.

[Chart: jones1.png]

And the event roundup comparing XP and Vista. Some of the patch events are due to a more regular monthly update schedule.

[Chart: jones2.png]

After that warmup come the OS comparisons. Jones compares Red Hat Enterprise Linux, Ubuntu and Mac OS X 10.4. I’ll provide the chart to keep it simple, but you should read through the actual analysis in the PDF. It’s an interesting take even though you may beg to differ.

[Chart: jones3.png]

And.

[Chart: jones4.png]

Larry Dignan is Editor in Chief of ZDNet and Editorial Director of ZDNet sister site TechRepublic.
