Slashdot Mirror


Microsoft Says Vista Has the Fewest Flaws

ancientribe writes "Microsoft issued a year-one security report on its Windows Vista operating system today, and it turns out Vista logged less than half the vulnerabilities than Windows XP did in its first year. According to the new Microsoft report, Vista also had fewer vulnerabilities in its first year than other OSes — including Red Hat rhel4ws, Ubuntu 6.06 LTS, and Apple Mac OS X 10.4 — did in their first years."

47 of 548 comments

  1. Fewest Users = Fewest Flaws by tommyatomic · · Score: 3, Insightful

    It has the fewest flaws found because it has the fewest amount of people looking for them.

    1. Re:Fewest Users = Fewest Flaws by timmarhy · · Score: 1, Insightful

      you people then have to accept linux has the same problem, since far less people use linux than vista. you have all attempted to debunk that same claim from MS for years, to claim otherwise is 2faced.

      --
      If you mod me down, I will become more powerful than you can imagine....
    2. Re:Fewest Users = Fewest Flaws by Anonymous Coward · · Score: 1, Insightful

      It's also not really a reliable metric, given they're basing it on internal analysis. That's like saying that I'm the best coder in the world based on my own analysis of my code. Ridiculous. Why does anyone give any credit to ANYTHING coming out of Microsoft? 99% of the time it's utter bullshit.

    3. Re:Fewest Users = Fewest Flaws by Repossessed · · Score: 2, Insightful

      If you want to fix the resume bug for your hardware, disable the power off of the given device in power management.

      --
      Liberte, Egalite, Fraternite (TM)
    4. Re:Fewest Users = Fewest Flaws by lnxpilot · · Score: 2, Insightful

      It's not just the user base, but the time since release.
      Yes, Linux has a smaller user base, but it's been around much longer than Vista, so crackers had more time to find vulnerabilities.

    5. Re:Fewest Users = Fewest Flaws by 1u3hr · · Score: 4, Insightful
      Slashdotters have maintained for years ....

      Some people have posted this on Slashdot. To maintain that there is a single "Slashdotter" point of view is just a straw man. For ANY point of view you can find hundreds of posts by "Slashdotters" supporting OR contradicting it.

      MY PERSONAL point of view is that the statistics presented are suspicious. Previous MS press releases (aka "independent reports") have counted the same error multiple times, have counted bugs in applications bundled with Linux against OS bugs in Windows, etc.

    6. Re:Fewest Users = Fewest Flaws by Andrzej+Sawicki · · Score: 5, Insightful

      That's not a fix, that's a workaround. The functionality remains broken, no?

    7. Re:Fewest Users = Fewest Flaws by Chrisje · · Score: 4, Insightful

      Congratulations on not being a bigot and actually thinking about what you write. In the tiresome ocean of "Of course, Vista don't have any users" comments, "You can't trust statisticz" comments, "Microsoft is comparing Apples (no pun intended) to Oranges" comments and the obligatory "Linux has more code" remark, your balanced appraisal of the situation is refreshing.

      It's a shame that I haven't bothered to find out how the moderation system works yet, otherwise my praise to you, Sir, would be in hard karma currency.

    8. Re:Fewest Users = Fewest Flaws by catwh0re · · Score: 5, Insightful
      Let's look at linux, OSX and a few of the other open source based operating systems. All of these systems share a bit of code. So when a bug is found, it's a plus 1 for each of these operating systems. Bugs are found because between all of these operating systems, there is quite a high aggregate number of users(it's pretty stupid to count them as completely separate install bases) - many of these users fit well into the venn diagram for: IT informed & technical persons who are able to find such flaws and bugs in software.

      This contrasts significantly with the majority Windows user base, most people are first greeted by Windows because their computer came with it pre-installed.. They generally don't know much about programming and certainly aren't responsible for programming the operating system they're using. They buy software which they learn just well enough to get by; But there are also many Windows users who are quite savvy.. and many of those have downgraded to the arguably more suitable Windows XP OS.

      So even though Microsoft can easily cook the numbers. Let's look at a few more realities. In the world of open source, there is no hiding your vulnerability tally - because everyone sees the code and can check it. There is no such thing as the creative multiple patching of entire subsystems which are counted as a sole vulnerability. Which is very easy to do when you hide your source code from the public.

      Microsoft is a company who has a real marketing benefit for showing (read: or pretending) that the overall number of vulnerabilities is lower over the first year. When this creative-counting is already under scrutiny, as there is no held standard for counting vulnerabilities and there is especially no transparency in how Microsoft validate what is a serious vulnerability and what is not.

      Now since Windows recycles so much code, you can also argue that of course Vista would have less vulnerabilities than XP, after all the entry-level security bugs should all be caught by now, with only newer features having the baptism of fire. This is why userbase makes a difference.

      Also webhit tallies from a particular research service provider are useless, as linux machines tend to power the web - and not surf it. (When you're powering a website, e.g. banking, you are more concerned about vulnerabilities than say a mother who just bought her family a computer. So in this example - coders are actively looking for bugs, go figure they find more - that's what happens when you look for something.)

      Finally slashdotters do argue that exploits are targeted at larger OS market shares (naturally they want the largest possible penetration.) They don't however say that the bug count is similarly controlled: Bugs found = number of unfound bugs * proficiency of the people looking for them.

      Also your figures for computer adoption are incorrectly used. (as was most of your data - you tend to convey more from the data than what it factually states.)

  2. Bad metric by gilroy · · Score: 1, Insightful

    It's important to recognize that you can't possibly measure which OS has the fewest flaws absolutely. You can only measure which OS has the fewest flaws reported (or discovered). Since the number of flaws reported is proportional to the number of people using the OS, and no one is using Vista, it's natural that it'd have the fewest reported flaws. :)

    1. Re:Bad metric by Anonymous Coward · · Score: 2, Insightful

      It's important to recognize that you can't possibly measure which OS has the fewest flaws absolutely. You can only measure which OS has the fewest flaws reported (or discovered). Since the number of flaws reported is proportional to the number of people using the OS, and no one is using Linux, it's natural that it'd have the fewest reported flaws. :)
      see how stupid that sounds put in a different context? I hate MS as much as anyone here but there's enough spin on this to make you vomit. by your logic, linux should have had far far fewer vulnerabilities relative to vista because it's on about 1/20th as many systems... period.
    2. Re:Bad metric by Anonymous Coward · · Score: 4, Insightful

      It's important to recognize that you can't possibly measure which OS has the fewest flaws absolutely. Even if it were actual total numbers of flaws being measured, it would be a pointless comparison for anyone choosing an OS. Inside Microsoft it may make sense to slap each other on the back and say how great it is that they have fewer flaws than last time. For anyone else, the question is not how many flaws Vista has today compared to original unpatched XP, it's how many flaws Vista has today compared to XP today. Same for any other OS you want to compare it to. "It's not as bad as [whatever] used to be!" is not a selling point. It's stupid to even suggest it.
  3. How are they logged? by Nefarious+Wheel · · Score: 5, Insightful

    Is this via support calls or just little modal dialog boxes that people are tired of clicking "send" on? Or are they filtering out things they've already encountered in XP? Statistics are a great aid to the common lie.

    --
    Do not mock my vision of impractical footwear
  4. Re:Fewest Admitters = Fewest Flaws by Harmonious+Botch · · Score: 4, Insightful

    It has the fewest flaws found because it has the fewest amount of people admitting to them

  5. mod parent up by mattwarden · · Score: 4, Insightful

    Parent has it exactly right. This is likely another statistical half-truth. Tell us % of users reporting flaws and let's compare that to XP's first year.

  6. Number of vulnerabilities -- who cares? by Niten · · Score: 4, Insightful

    For the last time, you just can't add up the number of vulnerabilities in separate products from different authors and expect to glean any meaningful information from numerology thereon. This is especially true when contrasting one closed-source product from a vendor with questionable security reporting practices (say, Windows), and an open-source product where every single flaw of any level of significance is public knowledge (say, Ubuntu Linux).

    I'm tired of seeing such claims about vulnerability tallies parroted in Slashdot summaries without the least bit of skepticism regarding their relevance. This sort of thing has already been debunked a million times over on this site. Come on, editors, a little quality control would be nice...

  7. Exploiters focusing on Mature & Established OS by Zymergy · · Score: 4, Insightful

    Could the reason there are fewer exploits in the first year of Vista (versus XP) be due to the fact that it has a reluctant adoption rate by users and the OS exploiters are likely focusing their efforts on current Operating Systems that are more stable, known, and in higher use?
    Give it time...
    Besides, now that Microsoft has set 2009 for the new "Windows 7" release target date, it seems that Vista may be the new short-lived 'Windows Me'.

  8. Absolute flaws reported doesn't work by arotenbe · · Score: 5, Insightful

    I think that is a silly measure of bugginess. Not only does the number of flaws reported being less reflect lower usage of Vista, it also likely says that the reporting system is difficult to work with. If anything, I think the fact that the non-Windows systems have a higher number of flaws reported indicates that they have easier-to-use bug reporting systems. The correct way to measure statistics on things like this is either to have a third party subject them to a standardized battery of tests (indicating actual security levels) or to measure the ratio of bugs fixed to total bugs reported (indicating the development team's ability to correct reported flaws quickly).

    --
    Tomato wedge sperm darts that are Republican.
  9. Re:Fewest Admitters = Fewest Flaws by The+Clockwork+Troll · · Score: 1, Insightful
    The real story (in TFA's linked report) is the comparison to Linux distributions' 1-year security patch metrics, e.g. for RHEL4:
    • When rhel4ws shipped on February 15, 2005, there were 129 vulnerabilities already publicly disclosed in shipping components prior to general availability. On ship day, Red Hat issued 27 security advisories to address 64 of them.
    • During the first year of availability, Red Hat issued 183 security advisories/updates for rhel4ws. If limited to just Critical and Important issues, there were 88 released on 57 different days.
    • During the first year of availability, Red Hat fixed a total of 493 vulnerabilities in rhel4ws. If limited only to those vulnerabilities labeled Critical or Important by Red Hat, the number of vulnerabilities fixed is 214.
    • At the end of the first year period, there were 82 vulnerabilities disclosed but without a patch (that would later be addressed with different fixes and security advisories). Adding that to the fixed vulnerability count tells us that a total of 575 vulnerabilities were disclosed in RHEL4 components during the first year.

    So ... assuming RHEL4 has a much smaller installed base than Vista (let alone XP), what does this say about the security of enterprise Linux? What does it say about the worth of "quick" security metrics like patches in first release year?

    --

    There are no karma whores, only moderation johns
  10. Re:Fewest Admitters = Fewest Flaws by techno-vampire · · Score: 4, Insightful

    And how many installs are on new machines, where the buyer had no choice? How many of those forced installs have been wiped out by now and replaced by XP, 2K or Linux?

    --
    Good, inexpensive web hosting
  11. Re:Fewest Admitters = Fewest Flaws by cp.tar · · Score: 5, Insightful

    How many of those were kernel patches, and how many were related to other applications?

    --
    Ignore this signature. By order.
  12. Statistics by wannabgeek · · Score: 5, Insightful

    Reminds me of a quote - "Statistics are like humans. Torture them enough and you can make them admit anything you want".

    --
    I'm much more funny, interesting and insightful than the moderators think
  13. Re:Fewest Admitters = Fewest Flaws by techno-vampire · · Score: 3, Insightful

    I'm sure most people do. However, it's still hard to find new laptops without a pre-installed OS. Also, I know there are people buying computers with iCandy installed and replacing it with XP; I'm going to be doing exactly that for a friend later this week.

    --
    Good, inexpensive web hosting
  14. Re:Methodology has issues by djcapelis · · Score: 4, Insightful

    I think the GP wasn't talking about the kernels. Linux distros simply distribute much much more software than comes with your average proprietary OS.

    Most will issue a security advisory when there's a bug in apache, mysql, postgres, sqlite or all of these types of things. Microsoft doesn't issue an advisory about a bug in Oracle. On Linux, the distros take responsibility for a much much wider range of software than Microsoft does on their platforms.

    --
    I touch computers in naughty places
  15. Re:Fewest Admitters = Fewest Flaws by seifried · · Score: 4, Insightful

    Might be a rewrite but chances are you either had the same people rewriting it, or at the very least the same mindset/corporate culture/etc. rewriting it, so it probably didn't end up all that different (based on results this looks pretty likely).

  16. Re:Methodology has issues by riseoftheindividual · · Score: 3, Insightful

    Don't change the subject, he didn't say better. And as far as a defense, it's not, it's an explanation. When microsoft ships with several different database packages, several different browsers, several different desktop environments, several different office suites, a crapload of various network tools, applications, etc... that a typical linux distro ships with, and manages to pull off less bugs, then they can use such comparisons to prove something. Until then, it's like comparing the number of problems found in a storage shed to a skyscraper, and using that comparison to try to argue that the shed is better since it had less reported problems.

    --
    Patriot - A fan of expanding government power and spending while not wanting to pay higher taxes.
  17. Re:Yeah, cause nobody uses OS X! by EraserMouseMan · · Score: 2, Insightful

    Us Mac users never believed in this line of logic. Right?

  18. Re:Fewest Admitters = Fewest Flaws by Anonymous Coward · · Score: 1, Insightful

    Right, who cares about VISTA? Why bother if you're a hacker; it's not even a challenge to hurt MSFT anymore; they've done it themselves, in spades.

  19. You also forget something else DRIVERS! by SmallFurryCreature · · Score: 4, Insightful

    Where are your drivers in linux? Where do you download them? Why, you don't, they are IN THE KERNEL!

    So Linux "The kernel" does a lot more than MS does with its core OS because MS still asks you to download a ton of drivers. This is part of their strategy, it allows them to shift blame to the driver instead of their OS. If you really got a problem with MS software and actually have some support (check your MS license, you pay for the software, there is no support) then your first job will be to convince them the bug lies with them and not some combo of drivers that you had to install.

    That is why these MS reports are so silly, you really can't compare the two "distro's". MS Vista does far less than a Linux based distro like Ubuntu BUT they don't have a bare kernel they distribute but even if it did it does far less than the linux kernel.

    So what are you comparing?

    Also note that security bugs in Vista affect EVERY vista user because all the installs are the same. A linux distro bug in PHP affects only those who use PHP on their linux distro. MS funded research has in the past made lists of security bugs in linux where they counted the same bug multiple times for each distro it was in. That is kinda like saying "Just look at our competitors cars, they made 1 million of them and 1000 of them had the same fault. Meanwhile our 1 model has just one fault, the brakes don't work. We are BEST!"

    MS, FUD at its best.

    --

    MMO Quests are like orgasms:

    You may solo them, I prefer them in a group.

  20. Fewest vulnerabilities != Fewest flaws by Facegarden · · Score: 3, Insightful

    Fewest vulnerabilities doesn't mean it has the fewest flaws... Freezing, poor driver support, poor program support, these things are flaws, yet have nothing to do with security vulnerabilities. I love vista, i've run it since the betas and run a legal copy of ultimate that i paid for with my own money, and i've been able to generally make stuff work, but having to use workarounds to make stuff work is a flaw, in my opinion, and having good security is nice, but not if a bunch of stuff i've used for years doesn't work. I want to be an MS fanboy but i can't. I use vista at home because i can deal with its shit, but i buy a new computer at the office, i make sure it has XP, because reliability is king at work. Lack of reliability is too big of a deal to leave it out of the category of "flaws"... -Taylor

    --
    Worldwide Military budgets: $2100 billion. Worldwide Space Exploration budgets: $38 billion. Really, world? Really?
  21. Ridiculous comparison... by Bert64 · · Score: 4, Insightful

    Again, a ridiculous comparison based on reported security holes...

    Microsoft are in the best position to find holes in vista, having the source code. They have no incentive to report them, and will just fix them silently. OSX is in the same boat but to a lesser degree, and with ubuntu/redhat all the issues will make it into the public domain. The only vista issues which make it public, are ones discovered by third parties, which are probably less than the number found internally because internal developers have access to the source, access to the original devs and a more intimate knowledge of the inner workings.

    Then you have to consider functionality, vista comes with one fairly old web browser, one mail client, a rudimentary text editor, a single-protocol im client, a trivial drawing program, a simple media player with a small number of codecs and a few very simple games... Ubuntu/RHEL come with multi protocol im clients, a full office suite, a larger number of slightly less simple games, a larger and more capable set of networking tools, scanner software, fully capable drawing software, a much larger set of hardware drivers bundled by default, and lots more besides...

    It's like trying to compare the rudimentary "people's cars" produced in the former USSR, with only rudimentary features and a largely hidden safety record, to the luxury cars being produced in the west around the same time... Try comparing a Zaporozhets to something like an E-type Jaguar.

    --
    http://spamdecoy.net - free throwaway anonymous email - avoid spam!
  22. Re:Fewest Admitters = Fewest Flaws by Bert64 · · Score: 4, Insightful

    And also, how many of these were patches for applications that vista doesn't ship with an equivalent of?

    And how many of these patched flaws were discovered by the developers of those applications? Which in RH's case means the issue is published, but in MS's case would not be published.

    --
    http://spamdecoy.net - free throwaway anonymous email - avoid spam!
  23. Re:Methodology has issues by Bert64 · · Score: 3, Insightful

    The kernel itself is simpler, the difference is drivers...
    Windows doesn't include many drivers, most are sourced from third parties.
    It also doesn't include many optional components, anything optional tends to come from third parties too.

    Linux ships with a large set of hardware drivers in the kernel, although they can be turned off.. Windows comes with things like video support that can't be removed, and which needs third party drivers to work properly.

    --
    http://spamdecoy.net - free throwaway anonymous email - avoid spam!
  24. Re:Report says Ubuntu is better! by Bert64 · · Score: 3, Insightful

    And how many were patched silently without being publicly disclosed?
    Will microsoft be willing to disclose their internal changelogs (if they even exist) detailing exactly what changes were made to code and why? Vista SP1 looks to be huge, how many vulnerabilities known only to microsoft are going to silently get fixed without ever being disclosed to the public?

    --
    http://spamdecoy.net - free throwaway anonymous email - avoid spam!
  25. Re:Fewest Admitters = Fewest Flaws by nschubach · · Score: 4, Insightful

    Which in RH's case means the issue is published, but in MS's case would not be published.

    That's what I think this is all about. Microsoft can publish whatever number they want as the number of "vulnerabilities" to make itself out as the "good guy" while distributions of Linux put it all on the pavement so everyone can see what has been fixed or will be soon.
    --
    Every time I start to have faith in humanity, I ruin it by driving to work between 7 and 8 am.
  26. Re:Local privilege escalation vulnerabilities? by miffo.swe · · Score: 2, Insightful

    From what i understand their stance on this is that anything that is caught by UAC is not considered a security issue. It's not a local privilege escalation, Microsoft just blame the user who pressed OK. The security isn't better, it's just the difficult decisions that have been lumped onto the users.

    This is of course bad in the long run as most Windows Vista machines will get malware and become bots just as easily as Windows XP while Linux becomes more and more secure through the constant patching of all the apps.

    --
    HTTP/1.1 400
  27. Re:Fewest Admitters = Fewest Flaws by peragrin · · Score: 3, Insightful

    no it doesn't as if you change windowsupdate.microsoft.com to anything else windows bypasses it and goes straight for the proper site.

    this is both good and bad. good in that you can always be assured of quality updates from msft, but bad in that you msft can't follow proper security procedures to secure hosts files.

    --
    i thought once I was found, but it was only a dream.
  28. Re:Fewest Admitters = Fewest Flaws by vtcodger · · Score: 3, Insightful
    ***If they completely ditch backwards compatibility, they could remove all this old cruft and start again with a proper clean design, but as usual they're taking a half-assed poorly thought out approach.***

    At the risk of pointing out the obvious, if Microsoft abandoned backward compatibility, they'd lose most corporate users and many home users as well. You don't need an MBA to see why that is not a promising idea.

    About the best they can do is what they did with NT. Jack the whole unwholesome mess up, and insert a new frame and engine under it. They did that with NT without all that much success. (Windows 95 runs about as well with far fewer resources if you don't mind a crash every few weeks). I suppose they can try again, but I doubt the results will be any better.

    Maybe the idea would be more appealing if there were a "clean" design out there that was actually any better than NT, Unix, OsX. But I don't think there is. AFAICS, for several decades, OS design has consisted of shuffling the subsystems of a 1960s mainframe into slightly different configurations and slapping a shell on it. It's not that I can do better. I can't. Maybe NT, Linux, Vista really are the best we can do. That's a depressing thought.

    --
    You can't see ANYTHING from a car, You've got to get out of the goddamned contraption and walk...Edward Abbey
  29. Secrecy by Anonymous Coward · · Score: 1, Insightful

    I would think that one major difference is that Linux is public. We admit to our security problems and they're counted. Exactly how many Vista security problems that Microsoft discovers are made public?

    Another case of apples and oranges is open vs. closed source. The bug count for Linux includes many security issues that are uncovered through analysis of source code ... Microsoft gets to hide behind obscurity. These problems will come out eventually. Personally, I have much more confidence in code that's been exposed to "many eyes" and Coverity. Let's get real and talk about the number of flaws that Coverity exposes in the Linux kernel vs. the Vista kernel. Anyone who relies on a brand new kernel to be secure will get what they deserve as the flaws become exposed.

    Now, let's talk about real issues like the number of viruses that affect Vista and then let's compare the number of zombies that Microsoft has created. If MS made cars, or any other tangible product, they'd be out of business due to all the class action lawsuits about unsuitability.

    I'd go on, but why bother, MS is *always* so full of shit it's not worth the time it takes to post this.

  30. Beauty is in the eye of the beholder by Anonymous Coward · · Score: 2, Insightful

    Leave it to Microsoft. Vista has the fewest amount of flaws only because all the bullshit crashes, lockups, application instability and ambiguous error messages are FEATURES, not flaws.

  31. Re:Fewest Admitters = Fewest Flaws by Hal_Porter · · Score: 2, Insightful

    Also note, that (somewhat hypocritically) all versions of Windows prior to Vista borrow quite a bit of their networking code from BSD.

    Umm, like what? If you look at the TCP/IP stack in the Windows 2000 source code leak it's nothing like BSD. As you'd expect really, given that the top level API to the OS and the bottom level API to device drivers are vastly different and much more complicated than the ones you would have in Unix. They also need to be preemptible and thread safe, and it's safer to write that code from scratch than patch up some single threaded stuff from BSD. And it's not like Microsoft have a shortage of people to do it from scratch.

    Maybe there is some BSD code buried in FTP.exe or some user mode stuff but so what? Even if a few functions in kernel mode are from BSD, so what actually? And why is it hypocrisy BTW? Microsoft have spoken out against the GPL, but they have never done so against BSD.
    --
    echo -e 'global _start\n _start:\n mov eax, 2\n int 80h\n jmp _start' > a.asm; nasm a.asm -f elf; ld a.o -o a;
  32. Fuzzy Logic by Crane+Style · · Score: 2, Insightful

    Even on a (stupid) vulnerability count, even with a reduced package setup, the number of packages on a RHEL/CentOS system dwarfs the number of programs that come with Windows.
    You're living in a dream world. If you look at only .exe's in the system32 directory of a vanilla WindowsXP system there are well over 300. If you start to add up the "packages" that provide dll's or other executable file that are not explicit .exe's then you're easily into the 1100 range. That doesn't even take into account how many of your 1100 packages are just stubs anyway, but that's for a different day. The major flaw in your line of thought is that in your mind, dhcp support in Windows isn't a separate package whereas in CentOS it is. BTW, Acrobat Reader, Photoshop, Office and WoW are not components that would be included with the default installation. Put it like this, if you put in the install cd of whatever OS you'd like, do nothing but click next all the way through the installer and see what you've got when you're done. That's what he's saying, Photoshop isn't on that list.
  33. Re:Fewest Admitters = Fewest Flaws by petermgreen · · Score: 2, Insightful

    They did that with NT without all that much success. (Windows 95 runs about as well with far fewer resources if you don't mind a crash every few weeks).
    It doesn't, on 9x try making the taskbar a couple of rows high and opening browser windows until it's full with small icons, you will notice things start falling over. Now try doing the same on a NT based version, no problem. Also 9x has absolutely no concept of user permissions, every user is essentially god.

    The real problem that MS is still trying to find a way out of is that most win32 programmers wrote apps that assumed no security because they were developing on a platform that had no security.

    P.S. if you really want to stop windows systems getting messed up without stopping apps working windows steadystate rocks.

    --
    note: i'm known as plugwash most places but i screwd up registering that here somehow in the past and now can't register
  34. Re:Fewest Admitters = Fewest Flaws by rtb61 · · Score: 2, Insightful
    Now of course it wasn't all that far back into last year, where M$ took retaliatory action against an individual who outed them for failing to fix a security fault in Vista. In fact M$ make it a standard procedure to keep these faults secret and will attempt to retaliate against anyone who announces a security fault.

    So now they actually have the gall to say that (P)OS Vista has fewer declared faults or to quote the article, "compiled the number of vulnerability disclosures and security updates", what a pack of lying, deceitful, misleading ass hats.

    They're not even pretending to be honest, public vulnerability disclosures and security updates, versus the number of faults that have actually been found, and have not been fixed and those people who found them have been threatened with legal and financial sanctions if they disclose them.

    So reading between the lines M$ security and legal have been far more effective in preventing public disclosure of windows security vulnerabilities and their failure to fix than they have in the past.

    --
    Chaos - everything, everywhere, everywhen
  35. numbers and nonsense by Tom · · Score: 3, Insightful

    Statistics lie for whoever pays them.

    There are many more interesting numbers than such a simple count. For example, as a user, I don't care at all for the number of fixed bugs, I care a lot more about the number of unfixed bugs.

    And that's just the tip of the iceberg.

    --
    Assorted stuff I do sometimes: Lemuria.org
  36. Re:Fewest Admitters = Fewest Flaws by courtarro · · Score: 4, Insightful

    Right because we all install 100 apps a day or make 100 system changes a day. I'm on my PC a lot and rarely get asked to continue. When I do, it's an install or a system change. Which makes sense.

    Power users will be annoyed with UAC right from the start. It's okay if it asked only for deep system changes, but printing to a network printer? I'd like to see a poll of how many people still have UAC enabled.

    Correcting you, you only need a huge amount of resources to get Vista with all its eye-candy. Feel free to turn it off to get performance you can live with. In fact, when you install it, the OS suggests what level of eye candy.

    Vista needs some serious horsepower whether you have the eyecandy enabled or not. The eye candy causes a big increase, but I had to upgrade my machine's 1GB of RAM to reach a reasonable level of performance even with Aero turned off, in order to run any intensive apps like Eclipse or Photoshop.

    Lets start with the built in DRM - I only agree with this about Vista itself. Vista needs to be activated, etc.. Otherwise, what are you talking about. Vista doesn't check or care if I download 100 new movies and songs from my favorite torrent, burn then to DVD, upload, etc...

    Just you wait until you buy that fancy new Blu-ray drive only to discover that Windows refuses to output DRM'd HD video to your monitor because it has no HDCP support. Vista has DRM that reaches deep into the subsystem, and when companies begin to take advantage of those features (by flagging Windows Media files appropriately), I bet you'll be surprised at what Vista refuses to let you do.

    I use Vista at work because my laptop came with it, and if I could start over again I'd wipe it and go with XP. The wireless behavior is terrible, NetBIOS-based file shares are still spotty, the file explorer refuses to remember my preferences, files sometimes end up mysteriously undeleteable, and the new Minesweeper sucks. Windows 2000 people were against XP when it came out, but most folks came around and XP is now one of Microsoft's most solid operating systems. Vista is receiving much more flak than XP ever did, and while it might end up improving in the end, the negative press has left a pretty big scar.

  37. Re:Kudos to Microsoft by Anonymous Coward · · Score: 1, Insightful

    If Microsoft's claims were backed up by independent 3rd party analysis I'd agree with you. But their "we're awesome cuz our Mom say so" statistics are immediately suspect and extremely likely, given the source, to be bullshit.