Microsoft Says Vista Has the Fewest Flaws
ancientribe writes "Microsoft issued a year-one security report on its Windows Vista operating system today, and it turns out Vista logged fewer than half the vulnerabilities that Windows XP did in its first year. According to the new Microsoft report, Vista also had fewer vulnerabilities in its first year than other OSes — including Red Hat rhel4ws, Ubuntu 6.06 LTS, and Apple Mac OS X 10.4 — did in their first years."
Is this via support calls or just little modal dialog boxes that people are tired of clicking "send" on? Or are they filtering out things they've already encountered in XP? Statistics are a great aid to the common lie.
Do not mock my vision of impractical footwear
- because it seems nobody's actually using it.
In related news, BeOS showed few vulnerabilities this year...
--- We are not in the 8th dimension. We are over New Jersey.
Excellent point. Although other debates have questioned Microsoft's numbers, if there are really 20 million installs (plus further installs since then) in use out there, hackers might begin to take a look.
But to paraphrase the Drake equation, of the total Vista installs, how many have been hit by crackers? How many of those were honeypots, caught by virus scanners, or otherwise detected? How many exploits found by crackers have been used in highly targeted attacks and kept secret?
All I can think of is the remote TCP/IP exploit. As some of you may recall, that exploit existed in all versions of Windows. And Vista supposedly has a "completely rewritten TCP/IP stack" (source).
"I have a bad feeling about this."
Time for a game of /. Confession...
;-)
I've been using Vista x64 for about two months now on a Dell m1330 with 4GB of RAM. There are more NON-security bugs than I could shake a stick at. Bluetooth has multiple "Hi, I've stopped working and you're screwed till a reboot" bugs, and they seem largely related to a bigger bug Vista has in failing to shut drivers down when suspending in such a way that they wake up when you wake up the laptop. So it occasionally affects LAN, Wifi, etc...
The interface has more glitches than I can count, Aero is TREMENDOUSLY slow compared to the usual 2D accelerated display (a disappointment since compiz is FASTER than 2D acceleration), and these are just the issues I can remember. I know I've hit more, but I can't recall them right now. I've not gone looking for security bugs, but I'd bet the only "security" part that's near bug free is the one that handles the DRM and anti-piracy functions. I've no doubt from the rest of the experience that the part that secures me and my data is full of holes.
I'm actually kinda worried what will pop up once they start getting more users on it after SP1 comes out. Good thing I never use IE, refuse to use Outlook, and never directly connect to the internet with Windows.
I think that is a silly measure of bugginess. Not only does the lower number of flaws reported reflect lower usage of Vista, it also likely says that the reporting system is difficult to work with. If anything, I think the fact that the non-Windows systems have a higher number of flaws reported indicates that they have easier-to-use bug reporting systems. The correct way to measure statistics on things like this is either to have a third party subject them to a standardized battery of tests (indicating actual security levels) or to measure the ratio of bugs fixed to total bugs reported (indicating the development team's ability to correct reported flaws quickly).
Tomato wedge sperm darts that are Republican.
How many of those were kernel patches, and how many were related to other applications?
Ignore this signature. By order.
Reminds me of a quote - "Statistics are like humans. Torture them enough and you can make them admit anything you want".
I'm much more funny, interesting and insightful than the moderators think
The report is available here, and states that the comparison specifically excludes components from Red Hat such as server components, gimp, OpenOffice, etc.:
It'd be nice if it listed the exact components installed on Red Hat, but at least it attempts to cull the component set to something more reasonable for comparison.
I wasn't exactly expecting a flood of praise for Microsoft on slashdot, but you're completely spot on. Not one of the posts seems to be non-critical. We (as in, "people who know anything about computers") have been begging Microsoft to design their products with security in mind for a long long time now - rather than their usual practice of making grandiose statements about how security is job #1 and turning out the same old schlock as always.
With Vista, they actually seem to have done this. Even though they've added a lot of crap nobody wanted along with the crap that some people wanted, they've managed to do it without introducing loads of security problems. Remember, this is a mainstream product from a commercial software company where everything is subject to a cost/benefit analysis.
So it seems that the cost/benefit analysis has actually come down in favour of writing safer code even though it probably takes longer. This is great news for everybody who has to, in one way or another, deal with the problems caused by exploited PCs.
And that 1 flaw was actually putting Vista on the market.
From Jeff Jones' report:
Q: Linux distros contain many more optional applications than Windows - that is Apples and Oranges - how can any comparison be valid?
Actually, Windows Vista and Windows XP have different components too. Windows Vista Ultimate includes Media Center for example, which was not in Windows XP Professional. From a user perspective, I think it is Apples and Apples. Whichever OS is chosen, I believe most people will install the default set of components and use that. If vulnerabilities are in those components, they will be exposed and need to take mitigating action.
I did, however, try to even the playing field as much as possible by excluding optional Linux-distro components and excluding even some default components for which there is no obvious counterpart. In contrast, on the Windows analysis, I included any component that shipped with the product. I think the comparison is valid and useful.
From my basic CentOS 4 system:
$ rpm -q -a | wc -l
1104
Even on a (stupid) vulnerability count, even with a reduced package setup, the number of packages on a RHEL/CentOS system dwarfs the number of programs that come with Windows. You can't even compare against Jeff's Windows numbers because he looks into how critical each vulnerability is on Windows (good) but not on any Linux setup (bad). If the real concern is user exposure, then counting vulnerabilities in all packages makes sense, but only if you count vulnerabilities in common Windows packages too, like Acrobat Reader, Photoshop, Office, and even games like WoW.
My biggest beef is that Jeff fails to include his compiled vulnerability database. Even though he writes on his methodology and sources, there is no way to easily verify his claims. This is the 21st century and there's something called the Internet. There's no excuse to not provide the raw data, and I certainly don't have enough interest to make guesses and recreate the data for such a flawed analysis anyway.
Next time at least provide a list of analyzed RPMs and DEBs!
That's not a fix, that's workaround. The functionality remains broken, no?
Also note that (somewhat hypocritically) all versions of Windows prior to Vista borrow quite a bit of their networking code from BSD.
Go grep the executables. You'll find the standard BSD copyright notice inside.
-- If you try to fail and succeed, which have you done? - Uli's moose
Backwards compatibility going out the window is actually a good thing...
Microsoft never had a proper overall design for Windows, and it shows... Early versions were simply hacked together in completely haphazard ways; things were built quickly with no forethought. As a consequence, there is lots of kludgy legacy code kept around for backwards compatibility, including many duplications where an old method was considered fundamentally flawed and unfixable, and was discouraged from being used by new apps, but is still kept around for backwards compatibility. One such example is the LanMan password hashing.
If they completely ditch backwards compatibility, they could remove all this old cruft and start again with a proper clean design, but as usual they're taking a half-assed poorly thought out approach.
http://spamdecoy.net - free throwaway anonymous email - avoid spam!
And McDonalds claim they make nutritious healthy food...
This contrasts significantly with the majority Windows user base; most people are first greeted by Windows because their computer came with it pre-installed. They generally don't know much about programming and certainly aren't responsible for programming the operating system they're using. They buy software which they learn just well enough to get by. But there are also many Windows users who are quite savvy, and many of those have downgraded to the arguably more suitable Windows XP OS.
So, even though Microsoft can easily cook the numbers, let's look at a few more realities. In the world of open source, there is no hiding your vulnerability tally, because everyone sees the code and can check it. There is no such thing as the creative multiple patching of entire subsystems which are counted as a sole vulnerability, which is very easy to do when you hide your source code from the public.
Microsoft is a company that has a real marketing benefit from showing (read: or pretending) that the overall number of vulnerabilities is lower over the first year. This creative counting is already under scrutiny, since there is no held standard for counting vulnerabilities and there is especially no transparency in how Microsoft validates what is a serious vulnerability and what is not.
Now, since Windows recycles so much code, you can also argue that of course Vista would have fewer vulnerabilities than XP; after all, the entry-level security bugs should all be caught by now, with only newer features having the baptism of fire. This is why userbase makes a difference.
Also, webhit tallies from a particular research service provider are useless, as Linux machines tend to power the web, not surf it. (When you're powering a website, e.g. banking, you are more concerned about vulnerabilities than, say, a mother who just bought her family a computer. So in this example coders are actively looking for bugs; go figure they find more. That's what happens when you look for something.)
Finally, slashdotters do argue that exploits are targeted at larger OS market shares (naturally they want the largest possible penetration). They don't, however, say that the bug count is similarly controlled: Bugs found = number of unfound bugs * proficiency of the people looking for them.
Also your figures for computer adoption are incorrectly used. (as was most of your data - you tend to convey more from the data than what it factually states.)
Genesis 1:32 And God typed