Slashdot Mirror


More Than Half of Known Vista Bugs are Unpatched

MsManhattan writes "Microsoft security executive Jeff Jones has disclosed that in the first six months of Vista's release, the company has patched fewer than half of the operating system's known bugs. Microsoft has fixed only 12 of 27 reported Vista vulnerabilities whereas it patched 36 of 39 known bugs in Windows XP in the first six months following its release. Jones says that's because "Windows Vista continues to show a trend of fewer total and fewer high-severity vulnerabilities at the six month mark compared to ... Windows XP," but he did not address the 15 unpatched flaws."

36 of 257 comments

  1. Why would you ever..... by otacon · · Score: 3, Insightful

    announce something like that? That's not exactly the best PR for Vista. Then again Vista isn't exactly good PR for Microsoft.

    --
    In a world of acronyms, the words are the real victims.
    1. Re:Why would you ever..... by ThinkFr33ly · · Score: 5, Insightful

      Well, they didn't.

      If you RTFA, you'll see that Vista's unpatched vulnerabilities are not considered "critical" because, thanks to Vista's improved security model, they are virtually impossible to exploit.

      Slashdot actually managed to spin a highly positive analysis of Vista into something that suggests Vista is not only worse than XP, but Microsoft is somehow going out of its way *not* to fix it.

      Gotta love it. Slashdot is the GOP of technology news sites.

    2. Re:Why would you ever..... by SwordsmanLuke · · Score: 2, Insightful
      Actually, they didn't announce anything *like* that. This article has more slant than... well the original *very slanted* report. The report this article is referencing is actually trying to make the point that Vista is (according to Microsoft's metrics) teh most secoor OS EVAR!!! The report compares the number of bugs disclosed in the first 6 months of the OS' existence which remained unfixed after 90 days. It seems to me that a more telling metric for security would be the longer term trend of bugs disclosed vs. patched, but hey, I'm not a security researcher.

      If you want to read the actual report, check out the link to the PDF from this page: http://www.vnunet.com/vnunet/news/2192615/microsof t-claims-vista-secure/

      --
      Any plan which depends on a fundamental change in human behavior is doomed from the start.
    3. Re:Why would you ever..... by morgan_greywolf · · Score: 5, Funny

      If you RTFA, you'll see that Vista's unpatched vulnerabilities are not considered "critical" because, thanks to Vista's improved security model, they are virtually impossible to exploit.

      And I think you'll see that thanks to my new and improved door lock, the fact that I leave my windows unlatched is not a critical security issue.
    4. Re:Why would you ever..... by ThinkFr33ly · · Score: 4, Insightful

      And I think you'll see that thanks to my new and improved door lock, the fact that I leave my windows unlatched is not a critical security issue.

      What a completely nonsensical and inaccurate comparison. Microsoft's Secure Development Lifecycle has almost certainly dramatically improved the quality of their code. This report, plus 3rd party counts of vulnerabilities, support this conclusion.

      But no matter how good your code is, things will be missed. That's the point of having things like Address Space Layout Randomization, IE 7 Protected Mode, Session 0 Isolation, and the dozens of other security layers that Microsoft added to Vista.

      Furthermore, being rated non-critical can often mean that it requires significant user action (like turning off multiple security features) in order to make a user vulnerable.

      What's next, are you going to blame Microsoft when a user smacks their motherboard with a hammer?

      The fact of the matter is, that at least so far, Vista is proving to be the most secure OS on the market. (Aside from perhaps OpenBSD, of course. :) If you have data that suggests otherwise, then provide it.

      Otherwise, keep your silly analogies to yourself.
    5. Re:Why would you ever..... by ThinkFr33ly · · Score: 3, Insightful

      You sir should think before you post.

      You might want to follow your own advice.

      You're committing a logical fallacy in your post. You equate the fact that your Macs have never been compromised (that you know of) to their actual security. This is an invalid equation.

      I could write a piece of software that had a 1000 known critical security vulnerabilities, but it might never get hacked. Does that then mean that my software is secure? Of course not.

      Factors that contribute to whether or not something gets compromised include the number of vulnerabilities in the code, but it's not limited to just that. Usage is a big factor. In the case of my buggy piece of software, if I'm the only one who uses it, it's unlikely to be a target.

      Similarly, Mac OS X is used by far fewer people than XP. And, as of April, Vista was used by about 50% as many people as use Mac OS X. Chances are, Vista is now used by more people than Mac OS X. So a direct comparison is now at least more valid.

      Macs have had far more known vulnerabilities than Vista, and even than XP in recent years. That's an objective fact. A fact that can't be changed by how much Steve Jobs Kool-Aid you drink.
    6. Re:Why would you ever..... by bmw · · Score: 4, Interesting

      The fact of the matter is, that at least so far, Vista is proving to be the most secure OS on the market. (Aside from perhaps OpenBSD, of course. :) If you have data that suggests otherwise, then provide it.

      That's quite a statement. I don't have evidence supporting anything either way but I still have a hard time swallowing that one given my past experiences. More secure than previous Windows systems, perhaps. Most secure OS on the market? That's probably a bit of a stretch. Personally, I would still be far more comfortable with the security of any of the BSDs, Linux, Mac OS X, Solaris, or any other flavor of UNIX. Not to mention more obscure operating systems.

      Furthermore, it's extremely difficult to prove such things. Simply looking at the number of vulnerabilities is nowhere near adequate and, given your statement, I think the burden of proof would be on you.

    7. Re:Why would you ever..... by Anonymous Coward · · Score: 2, Insightful

      "Objective fact" for which you only provide an assertion and not a shred of evidence. Put up or shut up.

    8. Re:Why would you ever..... by Enrique1218 · · Score: 3, Insightful

      OSX has more vulnerabilities than XP or Vista. Where do you get that number? Please publish the links to at least 3 sources of said number. I am just curious. This being Slashdot and all, I am befuddled how so many haven't mastered citing a reference.

      --
      You don't have to be smart to use a Mac, you just have to be smart enough to buy one
    9. Re:Why would you ever..... by nusuth · · Score: 2, Informative
      Then again Vista isn't exactly good PR for Microsoft.

      I recently bought a notebook with Vista Home Premium preloaded. Due to all the negative things I've heard about Vista, I was prepared to downgrade. I was determined not to waste my time fixing a broken OS just because I could. However, I was pleasantly surprised. It is, of course, nothing like what was promised a few years ago, but it is an improvement over XP. The only problem I've had (about networking with XP) took five minutes to solve. It has also been rock solid so far (with a DirectX 10 card, despite all the horror stories). I still don't see any reason to upgrade my XP boxes, but I also don't see any reason to avoid Vista.

      --
      Gentlemen, you can't fight in here, this is the War Room!

    10. Re:Why would you ever..... by TheRaven64 · · Score: 4, Interesting

      Vista is proving to be the most secure OS on the market. (Aside from perhaps OpenBSD, of course. :)

      I believe the most secure OS on the market at the moment is probably OpenVMS. Certain others, like Symbian, seem to do well too. I don't know of many Symbian compromises, in spite of the hundreds of millions of Symbian devices that spend 100% of their time connected to the network. I believe even WinCE has a better security record than Vista to date, so it's not even the most secure Microsoft operating system out there... OpenBSD has had a couple of security holes recently, but probably fewer than Vista.

      It's very difficult to compare the security of OpenBSD to Vista, because of what is included. OpenBSD, for example, doesn't include a web browser in the base system. It includes X11, but not a complete desktop environment. For it to be a fair comparison, you would have to compare OpenBSD + GNOME (for example). On the other hand, OpenBSD includes a number of things that aren't in Vista, such as a compiler, so you might have to throw in Visual Studio. But that's an IDE, so maybe throw Eclipse into the OpenBSD pile...

      --
      I am TheRaven on Soylent News
    11. Re:Why would you ever..... by JonXP · · Score: 2, Informative

      Well, I don't know if you'll accept one well-trusted source instead of three random blogs, but here you go:

      According to Secunia (for 2007):
      Vista - 7 advisories, 2 unpatched (unpatched vulns listed as not critical)
      OSX - 16 advisories, 3 unpatched (unpatched vulns listed as less critical)

      There are too few to have a meaningful comparison of vuln severity levels, but OSX would win on percentages.

      For what the original poster actually said "...even more than XP in recent years..."

      Here is 2006:
      XP - 45 Advisories (36% rated "Highly Critical" or above)
      OSX - 24 Advisories (42% rated "Highly Critical" or above)

      Doesn't really hold water unless you compare the severity levels. Even then, that's sort of a shaky argument, but hey, that's what the internet was made for.

    12. Re:Why would you ever..... by arminw · · Score: 2, Insightful

      ......Similarly, Mac OS X is used by far fewer people than XP.......

      Always that old security by obscurity mantra. Who cares WHY I don't get my Mac house burgled as often as my neighbor's Windows house. Maybe my house doesn't have bars on the windows and bank safe doors and locks either. What is nice is that burglars bypass my house and go to the ones down the street. I also don't have to waste money on added security and guard services. The bottom line is that there are NO Mac botnets, whereas there are thousands if not millions of Windows machines in the service of criminals today. Theoretical vulnerabilities mean nothing in the end, but the number of compromised computers is what counts.

      --
      All theory is gray
    13. Re:Why would you ever..... by danbert8 · · Score: 3, Funny

      I would argue that MS-DOS is more secure than Vista because you have to be physically present to run programs and you can't run malware in the background.

      --
      Yes it's an anecdote! Were you expecting original research in a Slashdot comment?
    14. Re:Why would you ever..... by CodeBuster · · Score: 4, Funny

      Vista: The program ~_AllofTheBestOffers.exe is attempting to escalate its privilege level, Cancel or Allow?

      User: Allow, Allow, Allow (dangit where is the free pron already?)

      Vista: The program ~tracker.exe is attempting to change the firewall settings, Cancel or Allow?

      User: Change the what? Allow...come on

      Vista: The run32.dll has been altered since the last system scan, do you wish to proceed? Cancel or Allow?

      User: sigh....Allow

      Vista: Windows has been updated and must be restarted, Cancel or Allow?

      User: hmmmm....don't remember getting updates but updates are good...Allow

      Several weeks later....

      User: What is going on with all of these popups and free pron offers? Isn't Vista supposed to be more secure?

      Support: Did you try rebooting?

      User: yes, yes, yes I have already done that.

      Support: Well, we can send you a new motherboard w/installation instructions....

      User: Thanks, but my bank is on the other line...I am having some trouble with my accounts. Can I call you back?

      Support: We are here to serve all of your customer service needs.

      User: Uh, yeah whatever, bye.

      The moral of this story is that no matter how many times the user is forced to click Allow, I agree, Yes, or Continue in order to shoot themselves in the foot, they will find a way to do it, guaranteed. It may be true that Vista is better than XP is or was out of the box, but they have to assume that even though the user would have to click Allow ten times for some malware to get through, it will happen, and not just to a couple of people either. They should at least tell people that they are working on the fixes instead of saying, "well if you are smart you won't get hacked, just don't always click allow."

    15. Re:Why would you ever..... by toddestan · · Score: 2, Interesting

      Not true. Even if 50% of all computer were Macs, the number of Mac hacks would not rise dramatically. Hackers are lazy, otherwise they'd get real jobs. If you were a hacker, which half of all computers would you rather attack? The easy half you know and have hacking tools for, or the other half for which you have nothing and are inherently harder to crack? There is no reason to assume that a hacked Mac would be more valuable to a criminal wanting to steal your private data than a hacked Windows system.

      I dunno, I might go after the Macs. Let's look at the facts:

      1. Most Mac users seem to care very little about security beyond not running Windows. They don't run anti-spyware tools, very few of them run anti-virus, and they also generally don't run a firewall. If your malware doesn't make its presence obvious (say, by crashing a lot or spawning pop-ups) you could go unnoticed on the typical Mac for quite some time. Compare to the Windows users who can be downright paranoid about security.

      2. The typical Mac user has more money than the typical PC user, given the cost of the computer. Their personal data is likely more valuable.

  2. Wrong title by trifish · · Score: 5, Informative

    First, the author of the submission doesn't know the difference between a bug and a vulnerability. Second, the title ought to read: "Vista Vulnerabilities are Less Serious than in XP" (and there are fewer vulnerabilities in Vista than in XP in total).

    That's the reason why only half of them were fixed, while in XP most of them were.

  3. Rubbish. by onion2k · · Score: 4, Funny

    I've got two older brothers, I don't think that makes me stupid. ;)

    1. Re:Rubbish. by chalkyj · · Score: 4, Funny

      As demonstrated by your uncanny ability to reply to the correct article, right?

    2. Re:Rubbish. by Aqua_boy17 · · Score: 5, Funny

      I've got two older brothers, I don't think that makes me stupid. ;)

      It doesn't. Only doing something like posting in the wrong thread would do that.

      /chain yanking
      --
      What if the Hokey Pokey really is what it's all about?
  4. Simple Explanation by Aqua_boy17 · · Score: 3, Insightful
    From TFA:

    "it will be more interesting to look at vulnerability statistics once Vista becomes more popular than XP, and the target of more hackers."

    I for one am glad Microsoft releases fixes for XP problems in a more timely fashion than Vista. I would expect that when Vista deployments outnumber XP, the situation will reverse itself. So where's the story here?
    --
    What if the Hokey Pokey really is what it's all about?
  5. Big deal... by Kainaw · · Score: 2, Funny

    Big deal. The VA has been trying fix VistA since 1985.

    --
    The previous comment is purposely vague and generalized, but all of the facts are completely true.
  6. In Other Words by camperdave · · Score: 5, Insightful

    Jones says that's because "Windows Vista continues to show a trend of fewer total and fewer high-severity vulnerabilities at the six month mark compared to ... Windows XP,"

    So, they're not fixing the bugs because Vista is less buggy than XP? Whatever happened to fixing it because it was broken?

    --
    When our name is on the back of your car, we're behind you all the way!
  7. Vista is the youngest in the series by Anonymous Coward · · Score: 5, Funny

    So naturally his IQ is 3 points lower than his older brother XP.

    Apparently the developers of Vista are following that trend too!

  8. I know we slag them off... by monk.e.boy · · Score: 5, Funny

    I know our hobby is slagging off Microsoft, but hey, copying Linux seems to be working out for them.

    Oh, damn. My carefully crafted, pro-Microsoft reply slipped into the usual M$ bashing. They are such an easy target. I can't help myself. Just like women drivers. I don't mean to joke at their expense, but sometimes the jokes, they slip out. I mean, I asked my girlfriend if my indicators were working and she said 'Yes. No. Yes. No.'

    An oldie but a goldie. Feel free to use that one.

    monk.e.boy

  9. Vista flaws are not as critical as XP by erroneus · · Score: 2, Insightful

    The simple fact is, there are still more XP loaded systems than Vista. Vista isn't yet a target except in areas where XP and Vista share the same flaw. ...I kinda hope it stays like that for a while too.

  10. Talk about spin by Anonymous Coward · · Score: 2, Insightful

    http://www.engadget.com/2007/06/22/report-vista-more-secure-than-os-x-and-linux/

    An article on Engadget that is pointing to the EXACT same data...yet the title there most certainly provides a seriously different outlook, does it not? I do not blame anyone, however, as if I had seen an ACTUAL neutral title along the lines of 'microsoft employee posts dubious data of questionable usefulness to anyone except PR departments' I would without doubt have just scrolled on...

  11. Re:Actual quote? by ThinkFr33ly · · Score: 5, Informative

    Then read the actual report: http://www.csoonline.com/pdf/6_Month_Vista_Vuln_Report.pdf

    It sounds bad because the person who posted it to Slashdot, and Slashdot's editors, want it to sound bad. Are you new here or something?

  12. Does this count all the secret fixes? by argent · · Score: 3, Insightful

    Jones argued that Vista had a lower number of vulnerabilities than competitive operating system products such as Red Hat Enterprise Linux and Mac OS X.

    Microsoft has acknowledged that they include secret undocumented patches in hotfixes, patches that would count against their "score" if they were required to count them... open source software doesn't have the luxury of hiding their dirty laundry like that. And it's not just Linux that suffers from that "disadvantage", OS X has an awful lot of open-source components, and many of Apple's updates have been patches rolled in from them.

    Microsoft's gaming the system here. Statements like this should be granted no credibility.

    1. Re:Does this count all the secret fixes? by argent · · Score: 4, Interesting

      While I've certainly heard of Microsoft not disclosing the vulnerabilities until their patches are released, I've never heard of them patching things completely in secret. Do you have any citations to back that up?

      Skeletons in Microsoft's Patch-day Closet

      It's interesting that you attack Microsoft for secrecy but say nothing about Apple, which is famous for its hostile attitude towards people who discover exploits as well as its secrecy about what their patches fix.

      You seem to be under a misapprehension here. I'm not defending Apple. I'm simply pointing out that Microsoft has more ability to hide security flaws in their software than any company that uses a significant amount of open-source software, and thus they can artificially reduce their "score" in this game to a far greater extent than either of the other organizations mentioned by Jones. That is, regardless of Apple's motivations and actions, they are simply not capable of hiding patches as effectively as Microsoft.

      So:

      1. Microsoft has more ability to "game the system" than Red Hat, Apple, or any other organization using a significant amount of open-source software in their product.

      2. Microsoft has acknowledged that they are engaged in gaming the system.

      I would be happy to discuss Apple's past behavior in an appropriate context. In fact, if you google around you'll find that I've been quite critical of Apple when I've felt it warranted. There's plenty of other skeletons in Microsoft's closet if you want to get into a fan war, but you'll have to find someone else for THAT debate... again, google around, you'll find I defend Microsoft when I believe it's warranted. Basically, I'm poorly equipped for the kind of debate that requires uncritical acceptance or dismissal of one company's position on every subject.

      Here and now, Microsoft's figures cannot be accepted at face value. Unless Microsoft reveals ALL the details of the vulnerabilities they've corrected, they can't be considered comparable to even Apple's figures with their heavy loading of open source software, let alone Red Hat's.

  13. Flawed Logic by asphaltjesus · · Score: 3, Interesting

    First sentence is correct. Author didn't distinguish bug/vulnerability.

    The second sentence, while double-plus-good Microsoft PR speak, is critically flawed reasoning.

    If the parent said "Known Vista vulnerabilities..." I would agree, but that still glides over many fundamental liabilities that Microsoft products push onto the customer like:
    1. The concept of security in Microsoft products means protect Microsoft's intellectual property.
    2. No one can reasonably predict the scope or scale of Microsoft vulnerabilities.
    3. Given Microsoft's history of producing "secure" operating systems, it is reasonable to assume there is no evidence end-user security features make it through to the end product. Note carefully, Microsoft has *very* talented programmers who can code securely; after all, their monopoly status affords them this luxury. I'm saying that their work doesn't make it all the way through the management gauntlet. UAC is a perfect example. It is not a security boundary. http://blogs.zdnet.com/security/?p=175

    The Vista train will pull out of the station eventually because Microsoft's monopoly makes this a sure thing. As every other Microsoft OS has shown, there will be critical vulnerability surprises. It's a matter of when, not if.

    --
    Got Trader Joe's? friendwich.com RSS feeds work now!
  14. Not the article I read. by twitter · · Score: 2, Insightful

    The article I read trashed M$'s sorry analysis and told me to expect more of the same from Vista as we've seen with every other M$ OS:

    He published the data in an effort to show how Microsoft's software development methodology, called the Security Development Lifecycle (SDL) is yielding dividends. But his method of comparing Windows to Linux and Mac OS X is problematic, according to some.

    "This is an apples-to-oranges comparison," said HD Moore, one of the hackers behind the popular Metasploit penetration testing toolkit. "If you want a more accurate view, try comparing the number of flaws between Microsoft-developed software and vendor-X-developed software. Most Linux vendors don't actually write the majority of the packages they include," he said via e-mail.

    "Alternatively, force Microsoft to include all vulnerabilities in common third-party software," he added. "For example, the thousands of exploitable ActiveX controls that... vendors include with a Windows system."

    So, the end user experience is likely to be unchanged, if they can even get Vista to work. As is always the case for a new Windoze release, the drivers are not there. Worse, new digital restrictions schemes make for poor performance even if they do get it to work. "Trip bits" and other nonsense make Vista a poor performer by design.

    --
    Friends don't help friends install M$ junk.

  15. Bottom line: M$ experience sucks. by twitter · · Score: 2, Interesting

    the fact that your Macs have never been compromised (that you know of) to their actual security. This is an invalid equation.

    The fact that only M$ machines get screwed and die along with your work is a good reason to avoid the platform.

    --
    Friends don't help friends install M$ junk.

  16. Re:And so... by Doctor+Crumb · · Score: 2, Funny

    Let's dig up one of the old /. favourites:

    "The only reason XP is the target of so many viruses is because it is so widely used! If Vista was as popular as Windows XP, there would be just as many viruses written for those platforms!"

    (firmly tongue in cheek, I'm aware that Vista's UAC is still a pale imitation of a real security model).

  17. Two steps forward, one step back. by fahrbot-bot · · Score: 2, Interesting

    My guess is that it may be harder to fix things in Vista without breaking something else (like DRM functions) ...

    --
    It must have been something you assimilated. . . .
  18. Fallacy by Anonymous Coward · · Score: 3, Informative

    You sir should think before you post.
    You might want to follow your own advice.

    That goes for you too!

    You're committing a logical fallacy in your post. You equate the fact that your Macs have never been compromised (that you know of) to their actual security. This is an invalid equation.

    I don't think this qualifies as an "invalid equation." Maybe if he was trying to say that a Mac is a PC, or that OSX is Vista, that would be an invalid equation.

    What you are thinking of sounds much more like the fallacy of "affirming the consequent." Specifically:

    If my OS is secure, then it will never be hacked.
    My OS has never been hacked.
    Therefore, my OS is secure.

    Though the first premise may or may not be weak on its own grounds, the argument is formally invalid. In your post you even go on to demonstrate cases in which an insecure OS may never be hacked. This is the traditional means of demonstrating the formal invalidity of the fallacy of "affirming the consequent."

    Sounds like you had the right idea, but you mis-identified the fallacy in question. If you are going to serve as a logician, doing it properly will avoid some embarrassment.