Windows Vista – 6 Month Vulnerability Report
June 22, 2007 1 Comment
Jeff Jones, a Security Strategy Director in Microsoft’s Trustworthy Computing group, recently posted a 6 Month Vulnerability Report that compares Windows Vista, Windows XP, RHEL WS 4, Ubuntu 6.06 LTS, Novell SLED 10 and Apple OS X 10.4. Jeff has pointed out his potential bias, so I won’t even get into that angle. From a methodology standpoint, this report does a better job than some others. For instance, he didn’t simply compare a default RHEL install, which includes a full Office suite and a whole host of apps not found in a default Windows install, against a default Windows install. Instead, he attempted to strip out the packages from the Linux installs that he perceived as extra functionality relative to a Windows install. This gives a much better baseline.
I’d simply like to offer a couple of items that I think make reports like these a bit misleading. First, there is no standard definition of what a “Critical” or “High” severity level is; it’s usually up to the vendor. It’s therefore possible that different vendors would rate nearly identical vulnerabilities with different severities. Second (and more importantly), we’re of course only looking at reported vulnerabilities here. Due to the open-source nature of Linux, it’s much more likely that vulnerabilities will be discovered, reported and addressed. I’d contend that there are many more unreported vulnerabilities (which can be, and in fact are, still exploited) in proprietary software. If this were done again, another component I’d like to see added is the average time to fix, measured from the time of first report. I’d be remiss if I didn’t point out that there are points that can easily be made for the flip side of the coin. The obvious one is that with a much larger install base, many more people will be targeting XP and Vista than the other operating systems. In the end, statistics can almost always be made to say whatever you’d like.
–jeremy
I wonder how many security vulnerabilities Microsoft knows about but hasn’t disclosed? Those numbers should have been included as well.