More Than Half of Known Vista Bugs are Unpatched
MsManhattan writes "Microsoft security executive Jeff Jones has disclosed that in the first six months of Vista's release, the company has patched fewer than half of the operating system's known bugs. Microsoft has fixed only 12 of 27 reported Vista vulnerabilities whereas it patched 36 of 39 known bugs in Windows XP in the first six months following its release. Jones says that's because "Windows Vista continues to show a trend of fewer total and fewer high-severity vulnerabilities at the six month mark compared to ... Windows XP," but he did not address the 15 unpatched flaws."
First sentence is correct. Author didn't distinguish bug/vulnerability.
The second sentence, while double-plus-good Microsoft PR speak, is critically flawed reasoning.
If the parent said "Known Vista vulnerabilities..." I would agree, but that still glides over many fundamental liabilities that Microsoft products push onto the customer like:
1. The concept of security in Microsoft products means protect Microsoft's intellectual property.
2. No one can reasonably predict the scope or scale of Microsoft vulnerabilities.
3. Given Microsoft's history of producing "secure" operating systems, it is reasonable to assume there is no evidence end-user security features make it through to the end product. Note carefully, Microsoft has *very* talented programmers who can code securely; after all, their monopoly status affords them this luxury. I'm saying that their work doesn't make it all the way through the management gauntlet. UAC is a perfect example. It is not a security boundary. http://blogs.zdnet.com/security/?p=175
The Vista train will pull out of the station eventually because Microsoft's monopoly makes this a sure thing. As every other Microsoft OS has shown, there will be critical vulnerability surprises. It's a matter of when, not if.
The fact of the matter is, that at least so far, Vista is proving to be the most secure OS on the market. (Aside from perhaps OpenBSD, of course. :) If you have data that suggests otherwise, then provide it.
That's quite a statement. I don't have evidence supporting anything either way but I still have a hard time swallowing that one given my past experiences. More secure than previous Windows systems, perhaps. Most secure OS on the market? That's probably a bit of a stretch. Personally, I would still be far more comfortable with the security of any of the BSDs, Linux, Mac OS X, Solaris, or any other flavor of UNIX. Not to mention more obscure operating systems.
Furthermore, it's extremely difficult to prove such things. Simply looking at the number of vulnerabilities is nowhere near adequate and, given your statement, I think the burden of proof would be on you.
the fact that your Macs have never been compromised (that you know of) to their actual security. This is an invalid equation.
The fact that only M$ machines get screwed and die along with your work is a good reason to avoid the platform.
Friends don't help friends install M$ junk.
My guess is that it may be harder to fix things in Vista without breaking something else (like DRM functions) ...
It must have been something you assimilated. . . .
It's very difficult to compare the security of OpenBSD to Vista, because of what is included. OpenBSD, for example, doesn't include a web browser in the base system. It includes X11, but not a complete desktop environment. For it to be a fair comparison, you would have to compare OpenBSD + GNOME (for example). On the other hand, OpenBSD includes a number of things that aren't in Vista, such as a compiler, so you might have to throw in Visual Studio. But that's an IDE, so maybe throw Eclipse into the OpenBSD pile...
While I've certainly heard of Microsoft not disclosing the vulnerabilities until their patches are released, I've never heard of them patching things completely in secret. Do you have any citations to back that up?
Skeletons in Microsoft's Patch-day Closet
It's interesting that you attack Microsoft for secrecy but say nothing about Apple, which is famous for its hostile attitude towards people who discover exploits as well as its secrecy about what its patches fix.
You seem to be under a misapprehension here. I'm not defending Apple. I'm simply pointing out that Microsoft has more ability to hide security flaws in their software than any company that uses a significant amount of open-source software, and thus they can artificially reduce their "score" in this game to a far greater extent than either of the other organizations mentioned by Jones. That is, regardless of Apple's motivations and actions, they are simply not capable of hiding patches as effectively as Microsoft.
So:
1. Microsoft has more ability to "game the system" than Red Hat, Apple, or any other organization using a significant amount of open-source software in their product.
2. Microsoft has acknowledged that they are engaged in gaming the system.
I would be happy to discuss Apple's past behavior in an appropriate context. In fact, if you google around you'll find that I've been quite critical of Apple when I've felt it warranted. There's plenty of other skeletons in Microsoft's closet if you want to get into a fan war, but you'll have to find someone else for THAT debate... again, google around, you'll find I defend Microsoft when I believe it's warranted. Basically, I'm poorly equipped for the kind of debate that requires uncritical acceptance or dismissal of one company's position on every subject.
Here and now, Microsoft's figures cannot be accepted at face value. Unless Microsoft reveals ALL the details of the vulnerabilities they've corrected, they can't be considered comparable to even Apple's figures with their heavy loading of open source software, let alone Red Hat's.
Not true. Even if 50% of all computers were Macs, the number of Mac hacks would not rise dramatically. Hackers are lazy, otherwise they'd get real jobs. If you were a hacker, which half of all computers would you rather attack? The easy half you know and have hacking tools for, or the other half for which you have nothing and which are inherently harder to crack? There is no reason to assume that a hacked Mac would be more valuable to a criminal wanting to steal your private data than a hacked Windows system.
I dunno, I might go after the Macs. Let's look at the facts:
1. Most Mac users seem to care very little about security beyond not running Windows. They don't run anti-spyware tools, very few of them run anti-virus, and they also generally don't run a firewall. If your malware doesn't make its presence obvious (say, by crashing a lot or spawning pop-ups) you could go unnoticed on the typical Mac for quite some time. Compare to the Windows users, who can be downright paranoid about security.
2. The typical Mac user has more money than the typical PC user, given the cost of the computer. Their personal data is likely more valuable.