More Than Half of Known Vista Bugs are Unpatched
MsManhattan writes "Microsoft security executive Jeff Jones has disclosed that in the first six months of Vista's release, the company has patched fewer than half of the operating system's known bugs. Microsoft has fixed only 12 of 27 reported Vista vulnerabilities whereas it patched 36 of 39 known bugs in Windows XP in the first six months following its release. Jones says that's because "Windows Vista continues to show a trend of fewer total and fewer high-severity vulnerabilities at the six month mark compared to ... Windows XP," but he did not address the 15 unpatched flaws."
Repeat after me. Vista is secure. Vista is secure...
Vista is secure as long as the user doesn't "allow" anything bad to happen. The idea alone is a security risk in the making. Of course no security hole is "critical" as long as there's the omnipresent popup before it happens to affect your PC. Because then it's the user's fault. YOU clicked "allow", YOU are to blame.
It's pretty easy to say that. It would be akin to asking every time an executable starts to run whether the user really wants it to run, and blaming the user when it does something unexpected or unwanted. But based on the "allow or deny" dialog, the user cannot make a qualified decision. Not even if he DID actually know what he's doing. He only gets information about what program (ok, without checking Google, what's hidsrv? The program name usually doesn't tell people jack about the program. How many viruses exist that call themselves something akin to a system executable?) tries to do something (with cryptic information about its requested privileges, which basically only tells you what could be going down if you did know a thing or two about Windows and its inner workings).
Basing the security model on the user is very convenient for the system maker, but it is not the right approach. Especially not in an environment where the strict distinction between user space and system space did not exist for a long, long time.
But that's not the point this time. This time, we have "uncritical" system flaws. Which are only uncritical because they can be blamed easily on the user if they're exploited.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.