More Than Half of Known Vista Bugs are Unpatched
MsManhattan writes "Microsoft security executive Jeff Jones has disclosed that in the first six months of Vista's release, the company has patched fewer than half of the operating system's known bugs. Microsoft has fixed only 12 of 27 reported Vista vulnerabilities whereas it patched 36 of 39 known bugs in Windows XP in the first six months following its release. Jones says that's because "Windows Vista continues to show a trend of fewer total and fewer high-severity vulnerabilities at the six month mark compared to ... Windows XP," but he did not address the 15 unpatched flaws."
announce something like that? That's not exactly the best PR for Vista. Then again Vista isn't exactly good PR for Microsoft.
In a world of acronyms, the words are the real victims.
First, the author of the submission doesn't know the difference between a bug and a vulnerability. Second, the title ought to read: "Vista Vulnerabilities are Less Serious than in XP" (and there are fewer vulnerabilities in Vista than in XP in total).
That's the reason why only half of them were fixed, while in XP most of them were.
I've got two older brothers, I don't think that makes me stupid. ;)
http://twitter.com/onion2k
What if the Hokey Pokey really is what it's all about?
Big deal. The VA has been trying to fix VistA since 1985.
The previous comment is purposely vague and generalized, but all of the facts are completely true.
Why would anyone bother putting out security patches for an OS that nobody uses yet? Security through obscurity and all of that nonsense.
What I'd really like to know is why critical vulnerabilities in IE7 are thoroughly ignored, even though it's available to install on XP (and yes, hard as it is to believe, people are actually using it _instead_ of Firefox/Safari/Your Favorite Flavor here...)
Jones says that's because "Windows Vista continues to show a trend of fewer total and fewer high-severity vulnerabilities at the six month mark compared to ... Windows XP,"
So, they're not fixing the bugs because Vista is less buggy than XP? Whatever happened to fixing it because it was broken?
When our name is on the back of your car, we're behind you all the way!
So naturally his IQ is 3 points lower than his older brother XP.
Apparently the developers of Vista are following that trend too!
I know our hobby is slagging off Microsoft, but hey, copying Linux seems to be working out for them.
Oh, damn. My carefully crafted, pro-Microsoft reply slipped into the usual M$ bashing. They are such an easy target. I can't help myself. Just like women drivers. I don't mean to joke at their expense, but sometimes the jokes, they slip out. I mean, I asked my girlfriend if my indicators were working and she said 'Yes. No. Yes. No.'
An oldie but a goldie. Feel free to use that one.
monk.e.boy
Open source, flash charts
The simple fact is, there are still more XP loaded systems than Vista. Vista isn't yet a target except in areas where XP and Vista share the same flaw. ...I kinda hope it stays like that for a while too.
http://www.engadget.com/2007/06/22/report-vista-more-secure-than-os-x-and-linux/
An article on Engadget that is pointing to the EXACT same data...yet the title there most certainly provides a seriously different outlook, does it not? I do not blame anyone, however, as if I had seen an ACTUAL neutral title along the lines of 'microsoft employee posts dubious data of questionable usefulness to anyone except PR departments' I would without doubt have just scrolled on...
They have made the underlying security model so damned complex that it takes 6 months to figure out how to patch a bug/hole.
Those 27 disclosed vulnerabilities cover some or all of the 237 patents that Microsoft has. Don't you dare fix any of them with a third-party tool. You will be violating the patent rights of MSFT!
sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
I wonder exactly what the data would be like if you compared vulnerabilities in 3rd-party software AND Microsoft issues vs. security problems in Linux distributions?
XML is like violence. If it doesn't solve the problem, use more.
What I would like to know is what the guy actually said. The article starts by saying that half the BUGS were fixed and then starts talking about half of the vulnerabilities and then uses the two words interchangeably.
Did the guy say half the bugs or half the vulnerabilities? Half the vulnerabilities seems bad to me. Half the known bugs is not bad at all- in fact I would consider that somewhere around par for software development.
Either way I agree it sounds bad.
oh my!!!
CTRL + F Funny ---> I had you!!!
About their patch time being 29 days to OSX's 46 and hundreds for linux?
"Win treats sysadmins better than users. Mac treats users better than sysadmins. Linux treats everyone like sysadmins."
Jones argued that Vista had a lower number of vulnerabilities than competitive operating system products such as Red Hat Enterprise Linux and Mac OS X.
Microsoft has acknowledged that they include secret undocumented patches in hotfixes, patches that would count against their "score" if they were required to count them... open source software doesn't have the luxury of hiding their dirty laundry like that. And it's not just Linux that suffers from that "disadvantage", OS X has an awful lot of open-source components, and many of Apple's updates have been patches rolled in from them.
Microsoft's gaming the system here. Statements like this should be granted no credibility.
First sentence is correct. Author didn't distinguish bug/vulnerability.
The second sentence, while double-plus-good Microsoft PR speak, is critically flawed reasoning.
If the parent said "Known Vista vulnerabilities..." I would agree, but that still glides over many fundamental liabilities that Microsoft products push onto the customer like:
1. The concept of security in Microsoft products means protect Microsoft's intellectual property.
2. No one can reasonably predict the scope or scale of Microsoft vulnerabilities.
3. Given Microsoft's history of producing "secure" operating systems, it is reasonable to assume there is no evidence end-user security features makes it through to the end product. Note carefully, Microsoft has *very* talented programmers who can code securely after all their monopoly status affords them this luxury. I'm saying that their work doesn't make it all the way through the management gauntlet. UAC is a perfect example. It is not a security boundary. http://blogs.zdnet.com/security/?p=175
The Vista train will pull out of the station eventually because Microsoft's monopoly makes this a sure thing. As every other Microsoft OS has shown, there will be critical vulnerability surprises. It's a matter of when, not if.
Got Trader Joe's? friendwich.com RSS feeds work now!
Glad you set me straight on that one. I guess this means I won't have to tell my office mate I 0wn3d his system late yesterday then. Didn't happen because that would be virtually impossible now, wouldn't it? Must have just been my active imagination watching his reaction to his new Folding@home screensaver a minute ago. EAL4? Yeah, right.
One failed product does not damage a monopoly.
No, this is not Slashdot spin. It's a direct report of the original source, Security World:
So that's the journalist's opinion.
You can also note the direct carry-over of M$'s laughable position that Vista is doing better than XP. Windoze has never been and never will be a safe and secure place for your data and this shows, even if you accept the M$ numbers. They've wasted all their effort making life suck for the end user with digital restrictions and competitor sabotage instead of addressing fundamental security issues. Vista is more of the same from a company that does not care and lies through its teeth about it every time. There can't be more than fifty people in the world ready to believe Vista is going to be any better than any other version of Windoze.
Friends don't help friends install M$ junk.
Hindsight is getting blurry, but I seem to remember the world seeing XP as simply an 'upgrade' to 2000. People expected it to have vulnerabilities, be buggy, etc, but wanted the newness of it.
Vista was _supposed_ to be a total rewrite. A completely new animal, basically immune to XP's flaws.
Patching a ton of vulnerabilities right out of the gate would invalidate a TON of marketing effort.
Seems like not patching them (in public) is a good business decision for them. Not so very ethical, but it _IS_ MicroShaft we're talking about here.
Their GDI privilege escalation (non-bug, non-vulnerability, buried topic, never mentioned anywhere at MS) started with NT 4.0 and was not "patched" until the GDI was rewritten for Vista. It was never "patched" because the design was fundamentally broken and could not be patched in any practical way. All you needed to exploit it was to get some application running at the SYSTEM privilege level to create and display a window and then the system was toast. Vista finally made the GDI just as secure as NT 3.5. Things are improving, No?
There is no mention of 27 disclosed vulnerabilities in the report or on secunia. ;)
Did someone make up the numbers so that it can be posted on Slashdot?
The article I read trashed M$'s sorry analysis and told me to expect more of the same from Vista as we've seen with every other M$ OS:
I would expect that when Vista deployments outnumber XP, the situation will reverse itself. So where's the story here?
Even if you buy the demonstrably false "popularity argument" for poor M$ performance, the real story here is that nothing has changed for the user.
the fact that your Macs have never been compromised (that you know of) to the their actual security. This is an invalid equation.
The fact that only M$ machines get screwed and die along with your work is a good reason to avoid the platform.
My guess is that it may be harder to fix things in Vista without breaking something else (like DRM functions) ...
It must have been something you assimilated. . . .
Jeff Jones was further quoted as saying that there was no need to patch vulnerabilities in Vista, because "nobody uses it anyway."
I find it fascinating that Engadget's headline on this very same story is:
Report: Vista more secure than OS X and Linux
Way to spin, slashdot!!
-- "I never gave these stories much credence." - HAL 9000
Sorry, I can't do that in this forum, and certainly not for an 'Anonymous Coward' with an attitude. My employer has a very strict policy about going through the proper channels when it comes to these things and I kind of like my current job just the way it is. If you want to know the answer then go buy your own copy of IDA Pro and figure it out for yourself. It's really not that hard once you know what you are doing.
I was under the impression that Vista sales are really low. And I can hazard a guess that those with Vista are so busy trying to get their old hardware and software to work, that they are unsure whether a bug is a real bug or a run of the mill compatibility problem.
So, I wouldn't be surprised that the number of bugs reported is lower than usual. Wait till the use of Vista grows- then the anti-MS hackers will start really pounding Vista.
You should note that the chart, for Linux/OS X, covers not only OS-level vulnerabilities, but app-vulnerabilities, too. All in all, I find it an apples-to-oranges comparison, even more keeping in mind that the chart covers known and fixed bugs during the first 6 months of each OS after their respective release dates.
;)
Paraphrasing a comment on Engadget... Can someone grab me a copy of Windows XP: Jeff Jones edition? It looks much better than the public builds.
The article I read trashed M$'s sorry analysis and told me to expect more of the same from Vista as we've seen with every other M$ OS. M$ again counts things incorrectly and fails to include all the problem children their sorry architecture encourages along with the gaping flaws they produce themselves:
So, the end user experience is likely to be unchanged, if they can even get Vista to work. As is always the case for a new Windoze release, the drivers are not there. Worse, new digital restrictions schemes make for poor performance even if they do get it to work. "Trip bits" and other nonsense make Vista a poor performer by design.
If they continue to produce 'new' operating systems every 5 years with only a 25% better bug/vulnerability rate, just how long will it be before Bill Gates' statement of Windows Vista being "the most secure OS available" will actually become a publicly accepted truth? I had to state it as "publicly accepted truth" since Microsoft's version of the law, contracts, and truth are very different from what the general population understands and accepts as such.
Too bad the severities weren't listed but then again, we already know Microsoft seems to think the fact that an exploit can be spread via network is more important than data corruption/loss. You know, saving face is more important than the customer.
LoB
"Anyone who stands out in the middle of a road looks like roadkill to me." --Linus
Mod parent up!!! Good point about Microsoft management. In my opinion, Microsoft programmers are not allowed to finish their work.
My rule number one in dealing with Microsoft: Unless forced by circumstances, never upgrade to a new version of Windows until the second service pack is released. Let other people have the grief.
The huge number of bugs in Windows XP before SP2 was very expensive for us. If I remember correctly, SP2 fixed more than 630 bugs, and some of the fixes were not documented. It is not only the vulnerabilities that are expensive.
Silly me, when I said "app-vulnerabilities" I meant "BUNDLED app-vulnerabilities"...
I'm a Linux-only user. According to Secunia, for unpatched vulnerabilities: Windows Vista: 2 of 10; most severe being Not Critical. Windows XP Home Edition: 27 of 170; most severe being Highly Critical. Linux Kernel 2.6.x: 16 of 123; most severe being Moderately Critical.
Wow. There's a statistic in that article that really leaves an impression, and no, it's not 36/39 vs 12/27; it's 23 vs 1 - the number of severe security holes in XP and Vista found in the first six months. That brings up a few questions, like whether these metrics are the same (one person brought up the question of secret, unannounced fixes, another the issue of the number of people looking for problems). But if these numbers are comparable (heck, even if the Vista number is 3 or 4 times lower than is realistic), that's a huge improvement in Windows security, and an effort on MS' part worth applauding.
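The thread keeps circling the same methodological point: a patched/unpatched ratio, a raw total and a high-severity count answer different questions, and two products are only comparable if the same scope (core OS only, or OS plus bundled applications) and the same severity cut-off are applied to both. The following is an added example, not part of any post above and not data from the article, Secunia or Microsoft: the records are constructed and the product names are placeholders. It shows how the same list of findings yields a very different tally depending on which counting rule is used.

```python
"""Compare vulnerability tallies under different counting rules.

Added example with constructed sample records (ProductA / ProductB are
placeholders, not real vendors or real counts).  It shows how the
headline numbers change when one product is counted OS-only and the
other is counted OS-plus-bundled-apps, or when only high severity
findings are considered.
"""

# Each record: (product, component_scope, severity, patched)
# component_scope is "os" for the core OS or "bundled" for apps shipped with it.
SAMPLE = [
    ("ProductA", "os",      "high",   True),
    ("ProductA", "os",      "medium", True),
    ("ProductA", "os",      "medium", False),
    ("ProductA", "os",      "low",    False),
    ("ProductB", "os",      "high",   True),
    ("ProductB", "os",      "high",   False),
    ("ProductB", "bundled", "high",   True),
    ("ProductB", "bundled", "medium", True),
    ("ProductB", "bundled", "low",    False),
    ("ProductB", "bundled", "low",    True),
]


def tally(records, product, include_bundled, high_severities=("high",)):
    """Count total / patched / unpatched / high findings for one product.

    include_bundled=False restricts the tally to component_scope == "os",
    which is the only way to get a like-for-like comparison against a
    product whose advisory feed covers the core OS alone.
    """
    rows = [r for r in records
            if r[0] == product and (include_bundled or r[1] == "os")]
    total = len(rows)
    patched = sum(1 for r in rows if r[3])
    high = sum(1 for r in rows if r[2] in high_severities)
    return {
        "total": total,
        "patched": patched,
        "unpatched": total - patched,
        "high": high,
        "patched_ratio": (patched / total) if total else 0.0,
    }


def compare(records, a, b, include_bundled_for=()):
    """Side-by-side tally of two products.

    include_bundled_for names the products whose bundled apps are counted;
    passing only one of them reproduces the apples-to-oranges comparison
    the thread complains about.
    """
    return {p: tally(records, p, p in include_bundled_for) for p in (a, b)}


if __name__ == "__main__":
    # Same data, two rules: ProductB counted with and without bundled apps.
    print("OS-only:  ", compare(SAMPLE, "ProductA", "ProductB"))
    print("B+bundled:", compare(SAMPLE, "ProductA", "ProductB",
                                include_bundled_for=("ProductB",)))
```

Run it once with and once without the bundled applications for the second product: the total for ProductB triples and its high-severity count rises, while its patched ratio barely moves, which is exactly why a "fewer total vulnerabilities" claim needs the scope stated alongside it.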
You have tried to support your argument with faulty reasoning! Go directly to jail; do not pass Go, do not collect $200!
http://secunia.com/product/13223/?task=statistics Their numbers don't match the original article's numbers, though. I'm sure there are others out there that report exploits, but this is the one I had bookmarked and could quickly share.
You sir should think before you post.
You might want to follow your own advice.
That goes for you too!
You're committing a logical fallacy in your post. You equate the fact that your Macs have never been compromised (that you know of) to their actual security. This is an invalid equation.
I don't think this qualifies as an "invalid equation." Maybe if he was trying to say that a Mac is a PC, or that OSX is Vista, that would be an invalid equation.
What you are thinking of sounds much more like the fallacy of "affirming the consequent." Specifically:
If my OS is secure, then it will never be hacked.
My OS has never been hacked.
Therefore, my OS is secure.
Though the first premise may or may not be weak on its own grounds, the argument is formally invalid. In your post you even go on to demonstrate cases in which an insecure OS may never be hacked. This is the traditional means of demonstrating the formal invalidity of the fallacy of "affirming the consequent."
Sounds like you had the right idea, but you mis-identified the fallacy in question. If you are going to serve as a logician, doing it properly will avoid some embarrassment.
Whereas Linux stops the user from running trojans or doing anything else bad? I don't think so.
Vista has made major improvements in security with things like ASLR and it is harder to exploit what would have been wide-open vulnerabilities under XP. I'm not saying I like it, because I spend 95% of my time in Ubuntu on this dual-boot laptop, but it is on a par with a standard Linux security-wise these days. And that means they're not bad out of the box, but a bad admin can f*ck either up.
Personally, I'm paranoid and I have a better idea of what Linux is doing - therefore I choose Linux, but Vista is a major improvement over XP. Security-wise that is; the usability sucks donkey dick, but hey, it's a point oh release.
"It doesn't cost enough, and it makes too much sense."
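The post above credits Vista's improved position to mitigations such as ASLR. On Windows that protection is opt-in per image: the loader randomises an image's base only if the PE optional header's DllCharacteristics word has IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE (0x0040) set, and DEP opt-in is the neighbouring NX_COMPAT bit (0x0100). The following is an added example, not code from any post or from Microsoft, that reads those bits straight from the headers so you can check whether a given binary actually benefits; the sample image it builds is a constructed minimal header for testing, not a loadable executable.

```python
"""Read ASLR / DEP opt-in bits from a PE image's DllCharacteristics field.

Added example.  Parses the DOS stub, PE signature, COFF header and the
optional header directly with struct; the make_min_pe() helper builds a
constructed, non-loadable header so the check can be exercised offline.
"""
import struct
import sys

# Flag values from the PE/COFF specification.
IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA = 0x0020
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE    = 0x0040   # ASLR opt-in
IMAGE_DLLCHARACTERISTICS_NX_COMPAT       = 0x0100   # DEP opt-in


def dll_characteristics(image: bytes) -> int:
    """Return the DllCharacteristics word of a PE32 or PE32+ image."""
    if image[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    opt = coff + 20                                  # COFF header is 20 bytes
    (magic,) = struct.unpack_from("<H", image, opt)
    if magic not in (0x10B, 0x20B):                  # PE32 / PE32+
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # DllCharacteristics is at offset 70 of the optional header in both
    # PE32 and PE32+ (the wider ImageBase in PE32+ absorbs BaseOfData).
    (chars,) = struct.unpack_from("<H", image, opt + 70)
    return chars


def mitigations(image: bytes) -> dict:
    """Report which loader-enforced mitigations the image opts into."""
    c = dll_characteristics(image)
    return {
        "aslr": bool(c & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
        "dep": bool(c & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
        "high_entropy_va": bool(c & IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA),
    }


def make_min_pe(dll_chars: int, pe32plus: bool = True) -> bytes:
    """Constructed minimal header (not loadable) carrying the given flags."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)           # e_lfanew -> right after stub
    opt_size = 240 if pe32plus else 224
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C,
                       0, 0, 0, 0, opt_size, 0x0002)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<H", opt, 70, dll_chars)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            print(sys.argv[1], mitigations(f.read()))
    else:
        print("constructed sample:", mitigations(make_min_pe(0x0140)))
```

Point it at a real .exe or .dll to see the flags; an image without DYNAMIC_BASE is loaded at its preferred base on Vista no matter how the rest of the system is configured, so a single non-opted-in DLL in a process hands an attacker a fixed address to build on.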
...less than 5% of Vista's bugs are known.
TODO - Insert Creative/Witty Signature
I also run on Linux and, I have to say, it still has problems resuming from the fucking screensaver if I close the lid. PATHETIC. Sometimes I can fix it by logging in remotely and killing the screensaver process[es]. Sometimes I have to log in remotely and kill X. If networking is not configured, I often have to power-cycle. Consequently I don't close the lid much.
It's a shame, but ACPI was intentionally sabotaged by M$. It's hit and miss, but the same machine won't do much better under M$ because their other software can't deal with power management and uptimes blow anyway. APM works well and is more like power management should be, so use it if your laptop has it, via the kernel options "noacpi acpi=off".
Of course, this has nothing to do with any kind of security. You are not going to become part of the botnet and your data will survive power cycling, especially if you use a journalling file system like ext3.
You linking to that post is hilarious. You figure no one will notice this reply and the subsequent ones in that thread?
Web2.0: I love when people Flickr my cuil and digg my boingboing until my google is reddit and I start to yahoo
Neither /. nor the original article seem to understand that not all bugs are security vulnerabilities. Is it the case that more than half the known BUGS in Vista are unpatched, or less than half the known SECURITY BUGS are unpatched?
Potentially huge difference.
"People who do stupid things with hazardous materials often die." -- Jim Davidson on alt.folklore.urban
You linking to that post is hilarious. You figure no one will notice this reply
I'm not afraid of that BS. People can read as much or as little of that troll infested thread as they like. Most people won't bother to read past the memo written by Bill Gates himself, as the intent is obvious. No one will tell you that ACPI is rationally designed and anyone who's read the memo knows why. Ultimately, the crap flood that follows me is just another sign of how desperately afraid of the truth and popular opinion M$ is. It's too bad they don't just fix their broken junk instead of pretending it's fixed while screwing over their competition in ways that waste everyone's time.
Of course therein lies your problem. If "most people" are like that then they're really no better than you. If they're not, then you're screwed because your FUD is exposed. Sucks either way.
Web2.0: I love when people Flickr my cuil and digg my boingboing until my google is reddit and I start to yahoo
full time M$ defender and attack bot dedazo insists on arguing that Bill Gates has nothing to do with ACPI being a piece of shit that does not work well for anyone:
Of course therein lies your problem. If "most people" are like that then they're really no better than you. If they're not, then you're screwed because your FUD is exposed. Sucks either way.
If they read further in they run into posts by others complaining of the complexity of ACPI and how it's just another M$ "extensible" non-standard. Between that and Bill Gates' little memo, the reasons for ACPI to suck are obvious. As he stated himself, he did not want Linux to work.
Screw security, what about a Vista that works in non-laboratory conditions, that is to say, in laboratory (and office, home, etc.) conditions? Why do we still have users who are forced to reboot before logging in, to avoid the braindead "user profile error" that repairs itself every single time by rebooting!? I would really like to see Microsoft Q.A. people forced to take Real World Certification administered by a consortium of academics, government entities and businesses before they are allowed to sign off on any Microsoft release whatsoever.
``Tension, apprehension & dissension have begun!'' - Duffy Wyg&, in Alfred Bester's _The Demolished Man_
What fun. And just the other day someone complained that Apple's _BETA_ Safari 3.0 for Windows contained a couple of bugs, which Apple IMMEDIATELY patched. At least Apple acknowledges and fixes their errors in their beta software. Microsoft just releases the beta software as final product and then pretends everything is hunky-dory. Maybe they'll release a patch at the end of the year.
The results of the analysis show that Windows Vista continues to show a trend of fewer total and fewer High severity vulnerabilities at the 6 month mark compared to its predecessor product Windows XP and compared to other modern competitive workstation OSes linux and Mac OS X
With a clueless clickmonkey on the helm, any system is insecure. System security is by its very definition the minimum of system security and user security knowledge. The problem is that we want users to make decisions they simply cannot make, since most of them lack the information necessary to make such a decision.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.