Slashdot Mirror

← Back to Stories (view on slashdot.org)

Vista Security Claims Debunked

Posted by CowboyNeal on from the setting-things-straight dept.

An anonymous reader writes "Apparently Microsoft still hasn't learned that counting vendor acknowledged vulnerabilities isn't a good way to establish the security of an OS. As an analysis of Microsoft's claims on Full Disclosure shows, we see that the methodology used was badly flawed. A bug in Firefox (not to mention emacs), counts as a flaw for Linux, while IE bugs get ignored on Vista's chart. Then we see that vulnerabilities aren't vulnerabilities when they're security-challenged features such as Vista's Teredo. Also, there's far too little consideration given to severity, given that it stoops to counting even extra access restrictions on a file in OSX to have something to show. In short, the original Microsoft analysis was good PR and poor research."

6 of 315 comments (clear)

  1. Re:The really sad part.... by Sigma+7 · · Score: 4, Informative

    Perhaps because Windows XP and Vista don't show BSODs anymore but rather just restart the whole system silently, leaving it up to the user's imagination what has caused this? Right click on My-Computer, select properties. Click on Advanced System Settings. Under the advanced tab, click settings for Startup and Recovery. Uncheck Automatically Restart.

    Alternatively, press F8 during bootup and disable automatic restarts.

    I am not trying to rant (well.. okay, partially I do) but how exactly does stability issues concealment count as good engineering? Unless you are in a reboot loop, or have a persistent failure of your system, you generally want to restart the computer if there's a STOP error.
  2. Re:Don't accept abuse. MS apparently lied. by Lonewolf666 · · Score: 3, Informative

    My rule number one in dealing with Microsoft: Unless forced by circumstances, never upgrade to a new version of Windows until the second service pack is released. Let other people have the grief. The huge number of bugs in Windows XP before SP2 was very expensive for us. If I remember correctly, SP2 fixed more than 630 bugs, and some of the fixes were not documented. It is not only the vulnerabilities that are expensive.
    Better yet:
    Wait until the service pack is out and independent reviewers are happy with it. Because if people stick to the rule "after SP X things are fine", it is merely an incentive for Microsoft to rush the service packs until the number X in question is reached.
    In the case of Vista, it seems Microsoft was already organizing the beta testing for SP1 before the OS was released to end users:
    http://news.com.com/2100-1016_3-6152704.html
    That article was from January 23rd. Looks like the beginning of a trend to increase the SP count as fast as possible.

    --
    C - the footgun of programming languages
  3. Re:Where is the debunking? by GreatBunzinni · · Score: 5, Informative

    I read the article pretty carefully. I don't see any actual numbers to back up this "debunking".

    That's because you are gullible enough to believe the hype, aggravated by your lack of will to perform a basic search for the facts. Here is a bit of debunking from a quick google search.

    From Secunia's advisory atatistics:

    Those are real world facts supported on real world evidence which is freely available to the public. It isn't a random blog entry which is based on god knows what data which is only known by the author and possibly doesn't even exist. So where in fact is there a need to "debunk" a moronic, unsubstantiated claim made by some microsoft employee, specially when there is all that evidence right in front of everyone's face?

    --
    Slashdot, fix your code or at least hire someone who is competent at it to do it for you.
  4. Re:The really sad part.... by SCHecklerX · · Score: 3, Informative

    Back when windows 95 shipped it was head and shoulders technically better than the other operating systems targeting average everyday folks.


    No it wasn't. OS/2 was waaaaay ahead of win95 in pretty much every way.
  5. Re:Microsoft found making PR-FUD-ing research by digitig · · Score: 4, Informative

    - If many people are analysing code, you will find more bugs. If you don't review your code (or for example, don't have peer review - which closed source often lacks.) Then no bugs at all will be discovered.

    - The existing number of unfound bugs is related to the number of discovered bugs. Well no not really: The number of found bugs is actually related to how long and how many researchers have been testing and actively looking for the bugs and second to that is how buggy the software is. I can assign a team of one researcher with no experience and they'll never find any bugs in the poorest of software.

    There's a good discussion of this from software metrics guru Norman Fenton at http://www.dcs.qmul.ac.uk/~norman/papers/metrics_r oadmap.pdf, which shows that the existing number of unfound bugs is related to the number of discovered bugs. It's related negatively. In one sense this is a "well, duh!" finding -- that the more bugs you've discovered, the fewer are undiscovered. But much software quality assurance is founded on the assumption (which realise is what you were really challenging) that number of bugs discovered is positively correlated with number of bugs undiscovered. The empirical data says otherwise.
    --
    Quidnam Latine loqui modo coepi?
  6. Re:Microsoft found making PR-FUD-ing research by Anonymous Coward · · Score: 4, Informative

    Windows Vista is "dramatically more secure than any other operating system released", Microsoft founder Bill Gates has told BBC News.

    (Emphasis added.)