Slashdot Mirror

← Back to Stories (view on slashdot.org)

More Than Half of Known Vista Bugs are Unpatched

Posted by Zonk on from the bugtracker-is-half-empty-attitude dept.

MsManhattan writes "Microsoft security executive Jeff Jones has disclosed that in the first six months of Vista's release, the company has patched fewer than half of the operating system's known bugs. Microsoft has fixed only 12 of 27 reported Vista vulnerabilities whereas it patched 36 of 39 known bugs in Windows XP in the first six months following its release. Jones says that's because "Windows Vista continues to show a trend of fewer total and fewer high-severity vulnerabilities at the six month mark compared to ... Windows XP," but he did not address the 15 unpatched flaws."

17 of 257 comments (clear)

  1. Why would you ever..... by otacon · · Score: 3, Insightful

    announce something like that? That's not exactly the best PR for Vista. Then again Vista isn't exactly good PR for Microsoft.

    --
    In a world of acronyms, the words are the real victims.
    1. Re:Why would you ever..... by ThinkFr33ly · · Score: 5, Insightful

      Well, they didn't.

      If you RTFA, you'll see that Vista's unpatched vulnerabilities are not considered "critical" because, thanks to Vista's improved security model, are virtually impossible to exploit.

      Slashdot actually managed to spin a highly positive analysis of Vista into something that suggests Vista is not only worse than XP, but Microsoft is somehow going out of its way *not* to fix it.

      Gotta love it. Slashdot is the GOP of technology news sites.

    2. Re:Why would you ever..... by SwordsmanLuke · · Score: 2, Insightful
      Actually, they didn't announce anything *like* that. This article has more slant than... well the original *very slanted* report. The report this article is referencing is actually trying to make the point that Vista is (according to Microsoft's metrics) teh most secoor OS EVAR!!! The report compares the number of bugs disclosed in the first 6 months of the OS' existence which remained unfixed after 90 days. It seems to me that a more telling metric for security would be the longer term trend of bugs disclosed vs. patched, but hey, I'm not a security researcher.

      If you want to read the actual report, check out the link to the PDF from this page: http://www.vnunet.com/vnunet/news/2192615/microsof t-claims-vista-secure/

      --
      Any plan which depends on a fundamental change in human behavior is doomed from the start.
    3. Re:Why would you ever..... by ThinkFr33ly · · Score: 4, Insightful

      And I think you'll see that thanks to my new and improved door lock, the fact that I leave my windows unlatched is not a critical security issue. What a completely nonsensical and inaccurate comparison. Microsoft's Secure Development Lifecycle has almost certainly dramatically improved the quality of their code. This report, plus 3rd party counts of vulnerabilities, support this conclusion.

      But no matter how good your code is, things will be missed. That's the point of having things like Address Space Layout Randomization, IE 7 Protected Mode, Session 0 Isolation, and the dozens of other security layers that Microsoft added to Vista.

      Furthermore, being rated non-critical can often mean that it requires significant user action (like turning off multiple security features) in order to make a user vulnerable.

      What's next, are you going to blame Microsoft when a user smacks their motherboard with a hammer?

      The fact of the matter is, that at least so far, Vista is proving to be the most secure OS on the market. (Aside from perhaps OpenBSD, of course. :) If you have data that suggests otherwise, then provide it.

      Otherwise, keep your silly analogies to yourself.
    4. Re:Why would you ever..... by ThinkFr33ly · · Score: 3, Insightful

      You sir should think before you post. You might want to follow your own advice.

      You're committing a logical fallacy in your post. You equate the fact that your Macs have never been compromised (that you know of) to the their actual security. This is an invalid equation.

      I could write a piece of software that had a 1000 known critical security vulnerabilities, but it might never get hacked. Does that then mean that my software is secure? Of course not.

      Factors that contribute to whether or not something gets compromised include the number of vulnerabilities in the code, but it's not limited to just that. Usage is a big factor. In the cause of my buggy piece of software, if I'm the only one who uses it, it's unlikely to be a target.

      Similarly, Mac OS X is used by far fewer people than XP. And, as of April, Vista was used by about 50% as many people as use Mac OS X. Change are, Vista is now used by more people than Mac OS X. So a direct comparison is now at least more valid.

      Macs have had far more known vulnerabilities than Vista, and even than XP in recent years. That's an objective fact. A fact that can't be changed by how much Steve Jobs coolaid you drink.
    5. Re:Why would you ever..... by Anonymous Coward · · Score: 2, Insightful

      "Objective fact" for which you only provide an assertion and not a shred of evidence. Put up or shut-up.

    6. Re:Why would you ever..... by Enrique1218 · · Score: 3, Insightful

      OSX has more vulnerabilities than XP or Vista. Where do you get that number? Please publish the links to at least 3 source of said number. I am just curious. This being slashdot and all. I am befuddled how so many haven't mastered citing a reference.

      --
      You don't have to be smart to use a Mac, you just have to be smart enough to buy one
    7. Re:Why would you ever..... by arminw · · Score: 2, Insightful

      ......Similarly, Mac OS X is used by far fewer people than XP.......

      Always that old security by obscurity mantra. Who cares WHY I don't get my Mac house burgled as often as my neighbors Windows house. Maybe my house doesn't have bars on the windows and bank safe doors and locks either. What is nice is that burglars bypass my house and go to the ones down the street. I also don't have to waste money on added security and guard services. The bottom line is that there are NO Mac botnets, whereas there are thousands if not millions of Windows machines in the service of criminals today. Theoretical vulnerabilities mean nothing in the end, but the number of compromised computers is what counts.

      --
      All theory is gray
    8. Re:Why would you ever..... by Anonymous Coward · · Score: 1, Insightful

      "I can use Linux how ever the hell I want and not worry about stupid OS design"

      Really? That's funny. Make a change to a setting in Gnome and tell me where it's stored. ~/.gnome? ~/.gnome2_private? ~/.gconf? /etc? /usr/local/etc? It's a lottery. Couple that with applications that explode files all over your hard drive (/usr, /usr/lib, /opt, /etc and so forth) and you have an absurdly complicated, clumsily constructed OS built from thousands of components from a massively splintered development group.

      It's pretty stupid OS design. Sure, it's better than Windows in some respects, but go look at OS X, VMS or Syllable for proper OS design.

      "bad programming letting infectious software damage my system"

      How utterly laughable. There have been 123 security advisories for kernel 2.6.x. Ubuntu 6.06, the Long-Term Support release, has had 145 advisories. Core libraries and components have suffered major vulnerabilities. Do those numbers not bother you? Linux is pretty weak security wise. Sure, nobody is crafting exploits for the tiny percentage of desktop Linux users right now, but it's still shockingly bad.

      Your post sums up the massive blind zealotry in the open source world that puts many of us off using Linux. It's a vast, hugely complicated OS with many security problems cropping up regularly. Just because it isn't exploited to the same level as Windows doesn't change that fact.

      But congratulations on the supreme ignorant zealotry in your post. Keep your fingers in your ears and singing "blah blah blah" when any problem is mentioned!

  2. Simple Explanation by Aqua_boy17 · · Score: 3, Insightful
    From TFA:

    "it will be more interesting to look at vulnerability statistics once Vista becomes more popular than XP, and the target of more hackers."
    I for one am glad Microsoft releases fixes for XP problems in a more timely fashion than Vista. I would expect that when Vista deployments outnumber XP, the situation will reverse itself. So where's the story here?
    --
    What if the Hokey Pokey really is what it's all about?
  3. In Other Words by camperdave · · Score: 5, Insightful

    Jones says that's because "Windows Vista continues to show a trend of fewer total and fewer high-severity vulnerabilities at the six month mark compared to ... Windows XP,"

    So, they're not fixing the bugs because Vista is less buggy than XP? Whatever happened to fixing it because it was broken?

    --
    When our name is on the back of your car, we're behind you all the way!
  4. Vista flaws are not as critical as XP by erroneus · · Score: 2, Insightful

    The simple fact is, there are still more XP loaded systems than Vista. Vista isn't yet a target except in areas where XP and Vista share the same flaw. ...I kinda hope it stays like that for a while too.

  5. Talk about spin by Anonymous Coward · · Score: 2, Insightful

    http://www.engadget.com/2007/06/22/report-vista-mo re-secure-than-os-x-and-linux/
    An article on engadget that is pointing to the EXACT same data...yet the title there most certainly provides a seriously different outlook does it not? I do not blame anyone, however, as if I had seen an ACTUAL nuetral title along the lines of 'microsoft employee posts dubious data of questionable usefulness to anyone except PR departments' I would without doubt have just scrolled on...

  6. Re:Wrong title by Anonymous Coward · · Score: 0, Insightful

    Oh, stuff it.

    As the OpenBSD guys say "the difference between a bug and a vulnerability is the intelligence of the attacker".

  7. Does this count all the secret fixes? by argent · · Score: 3, Insightful

    Jones argued that Vista had a lower number of vulnerabilities than competitive operating system products such as Red Hat Enterprise Linux and Mac OS X.

    Microsoft has acknowledged that they include secret undocumented patches in hotfixes, patches that would count against their "score" if they were required to count them... open source software doesn't have the luxury of hiding their dirty laundry like that. And it's not just Linux that suffers from that "disadvantage", OS X has an awful lot of open-source components, and many of Apple's updates have been patches rolled in from them.

    Microsoft's gaming the system here. Statements like this should be granted no credibility.

    1. Re:Does this count all the secret fixes? by ThinkFr33ly · · Score: 1, Insightful

      Microsoft has acknowledged that they include secret undocumented patches in hotfixes, patches that would count against their "score" if they were required to count them... open source software doesn't have the luxury of hiding their dirty laundry like that. While I've certainly heard of Microsoft not disclosing the vulnerabilities until their patches are released, I've never heard of them patching things completely in secret. Do you have any citations to back that up?

      And it's not just Linux that suffers from that "disadvantage", OS X has an awful lot of open-source components, and many of Apple's updates have been patches rolled in from them. It's interesting that you attack Microsoft for secrecy but say nothing about Apple, which is famous for its hostile attitude towards people who discover exploits as well as their secrecy about their patches are what they fix.

      Microsoft's gaming the system here. Statements like this should be granted no credibility. Well, based on the evidence, the statement is true. Compare the vulnerabilities yourself. Find flaws in their reasoning. Poke holes in their report.
  8. Not the article I read. by twitter · · Score: 2, Insightful

    The article I read trashed M$'s sorry analysis and told me to expect more of the same from Vista as we've seen with every other M$ OS:

    He published the data in an effort to show how Microsoft's software development methodology, called the Security Development Lifecycle (SDL) is yielding dividends. But his method of comparing Windows to Linux and Mac OS X is problematic, according to some.

    "This is an apples-to-oranges comparison," said HD Moore, one of the hackers behind the popular Metasploit penetration testing toolkit. "If you want a more accurate view, try comparing the number of flaws between Microsoft-developed software and vendor-X-developed software. Most Linux vendors don't actually write the majority of the packages they include," he said via e-mail.

    "Alternatively, force Microsoft to include all vulnerabilities in common third-party software," he added. "For example, the thousands of exploitable ActiveX controls that... vendors include with a Windows system."

    So, the end user experience is likely to be unchanged, if they can even get Vista to work. As is always the case for a new Windoze release, the drivers are not there. Worse, new digital restrictions schemes make for poor performance even if they do get work. "Trip bits" and other nonsense make Vista a poor performer by design.

    --

    Friends don't help friends install M$ junk.