Slashdot Mirror
More Than Half of Known Vista Bugs are Unpatched
MsManhattan writes "Microsoft security executive Jeff Jones has disclosed that in the first six months of Vista's release, the company has patched fewer than half of the operating system's known bugs. Microsoft has fixed only 12 of 27 reported Vista vulnerabilities whereas it patched 36 of 39 known bugs in Windows XP in the first six months following its release. Jones says that's because "Windows Vista continues to show a trend of fewer total and fewer high-severity vulnerabilities at the six month mark compared to ... Windows XP," but he did not address the 15 unpatched flaws."
First, the author of the submission doesn't know the difference between a bug and a vulnerability. Second, the title ought to read: "Vista Vulnerabilies are Less Serious than in XP" (and there are fewer vulnerabilities in Vista than in XP in total).
That's the reason why only half of them were fixed while in XP most of them.
I've got two older brothers, I don't think that makes me stupid. ;)
http://twitter.com/onion2k
Jones says that's because "Windows Vista continues to show a trend of fewer total and fewer high-severity vulnerabilities at the six month mark compared to ... Windows XP,"
So, they're not fixing the bugs because Vista is less buggy than XP? Whatever happened to fixing it because it was broken?
When our name is on the back of your car, we're behind you all the way!
So naturally his IQ is 3 points lower than his older brother XP.
Apparently the developers of Vista are following that trend too!
I know our hobby is slagging of microsoft, but hey, copying Linux seems to be working out for them.
Oh, damn. My carefully crafted, pro microsoft reply, slipped into the usual M$ bashing. They are such an easy target. I can't help my self. Just like women drivers. I don't mean to joke at their expense, but sometimes the jokes, they slip out. I mean, I asked my girlfriend if my indicators were working and she said 'Yes. No. Yes. No.'
An oldie but a goldie. Feel free to use that one.
monk.e.boy
Open source, flash charts
Well, they didn't.
If you RTFA, you'll see that Vista's unpatched vulnerabilities are not considered "critical" because, thanks to Vista's improved security model, are virtually impossible to exploit.
Slashdot actually managed to spin a highly positive analysis of Vista into something that suggests Vista is not only worse than XP, but Microsoft is somehow going out of its way *not* to fix it.
Gotta love it. Slashdot is the GOP of technology news sites.
And I think you'll see that thanks to my new and improved door lock, the fact that I leave my windows unlatched is not a critical security issue.
My blog
Then read the actual report: http://www.csoonline.com/pdf/6_Month_Vista_Vuln_Re port.pdf
It sounds bad because the person who posted it to Slashdot, and Slashdot's editors, want it to sounds bad. Are you new here or something?
But no matter how good your code is, things will be missed. That's the point of having things like Address Space Layout Randomization, IE 7 Protected Mode, Session 0 Isolation, and the dozens of other security layers that Microsoft added to Vista.
Furthermore, being rated non-critical can often mean that it requires significant user action (like turning off multiple security features) in order to make a user vulnerable.
What's next, are you going to blame Microsoft when a user smacks their motherboard with a hammer?
The fact of the matter is, that at least so far, Vista is proving to be the most secure OS on the market. (Aside from perhaps OpenBSD, of course.
Otherwise, keep your silly analogies to yourself.
The fact of the matter is, that at least so far, Vista is proving to be the most secure OS on the market. (Aside from perhaps OpenBSD, of course. :) If you have data that suggests otherwise, then provide it.
That's quite a statement. I don't have evidence supporting anything either way but I still have a hard time swallowing that one given my past experiences. More secure than previous Windows systems, perhaps. Most secure OS on the market? That's probably a bit of a stretch. Personally, I would still be far more comfortable with the security of any of the BSDs, Linux, Mac OS X, Solaris, or any other flavor of UNIX. Not to mention more obscure operating systems.
Furthermore, it's extremely difficult to prove such things. Simply looking at the number of vulnerabilities is nowhere near adequate and, given your statement, I think the burden of proof would be on you.
It's very difficult to compare the security of OpenBSD to Vista, because of what is included. OpenBSD, for example, doesn't include a web browser in the base system. It includes X11, but not a complete desktop environment. For it to be a fair comparison, you would have to compare OpenBSD + GNOME (for example). On the other hand, OpenBSD includes a number of things that aren't in Vista, such as a compiler, so you might have to throw in Visual Studio. But that's an IDE, so maybe throw Eclipse into the OpenBSD pile...
I am TheRaven on Soylent News
While I've certainly heard of Microsoft not disclosing the vulnerabilities until their patches are released, I've never heard of them patching things completely in secret. Do you have any citations to back that up?
Skeletins in Microsoft's Patch-day Closet
It's interesting that you attack Microsoft for secrecy but say nothing about Apple, which is famous for its hostile attitude towards people who discover exploits as well as their secrecy about their patches are what they fix.
You seem to be under a misapprehension here. I'm not defending Apple. I'm simply pointing out that Microsoft has more ability to hide security flaws in their software than any company that uses a significant amount of open-source software, and thus they can artificially reduce their "score" in this game to a far greater extent than either of the other organizations mentioned by Jones. That is, regardless of Apple's motivations and actions, they are simply not capable of hiding patches as effectively as Microsoft.
So:
1. Microsoft has more ability to "game the system" than Red Hat, Apple, or any other organization using a significant amount of open-source software in their product.
2. Microsoft has acknowledged that they are engaged in gaming the system.
I would be happy to discuss Apple's past behavior in an appropriate context. In fact if you google around you'll find that I've been quite critical of Apple when I've felt it warranted. There's plenty of other skeletons in Microsoft's closet if you want to get into a fan war, but you'll have to find someone else for THAT debate... again, google around, you'll find I defend Microsoft when I believe it's warranted. Basically, I'm poorly equipped for the kind of debate that requires uncritical acceptance or dismissal of of one company's position on every subject.
Here and now, Microsoft's figures can not be accepted on face value. Unless Microsoft reveals ALL the details of the vulnerabilities they've corrected they can't be considered comparable to even Apple's figures with their heavy loading of open source software, let alone Red Hat's.
Vista: The program ~_AllofTheBestOffers.exe is attempting to escalate its privilege level, Cancel or Allow?
User: Allow, Allow, Allow (dangit where is the free pron already?)
Vista: The program ~tracker.exe is attempting to change the firewall settings, Cancel or Allow?
User: Change the what? Allow...come on
Vista: The run32.dll has been altered since the last system scan do you wish to proceed? Cancel or Allow?
User: sigh....Allow
Vista: Windows has been updated and must be restarted, Cancel or Allow?
User: hmmmm....don't remember getting updates but updates are good...Allow
Several weeks later....
User: What is going on with all of these popups and free pron offers? Isn't Vista supposed to be more secure?
Support: Did you try rebooting?
User: yes, yes, yes I have already done that.
Support: Well, we can send you a new motherboard w/installation instructions....
User: Thanks, but my bank is on the other line...I am having some trouble with my accounts. Can I call you back?
Support: We are here to serve all of your customer service needs.
User: Uh, yeah whatever, bye.
The moral of this story is that no matter how many times the user is forced to click Allow, I agree, Yes, or Continue in order to shoot themselves the foot they will find a way to do it guaranteed. It may be true that Vista is better than XP is or was out of the box, but they have to assume that even though the user would have to click Allow ten times for some malware to get through that it will happen and not just to a couple of people either. They should at least tell people that they are working on the fixes instead of saying, "well if you are smart you wont get hacked, just don't always click allow."