Jeff Jones has released his Vista 1 Year Vulnerability Report to the masses now that Vista has been on the market for a full calendar year.
For those that have been following his releases, he has also performed these analyses at 90 days and 6 months. I hadn’t started this blog for the 90 day report, but you can find the 6-month take here.
Once again, Jeff has covered the numbers of each corresponding OS regarding patches, vulnerabilities, patch cycles, etc. in this report as he did previously. For those that are quick to jump on his title of Security Strategy Director in Microsoft’s Trustworthy Computing group, take this into account.
Is there anything in this analysis which will prove one piece of software is “more secure” than another? No, that is not my intention. This report is a vulnerability analysis, which may provide some elements that could be part of a broader security analysis. I fundamentally believe that security and non-security features need to be built upon a foundation of good engineering and solid security quality if they are to perform as we expect and not be misused to the detriment of security.
As you can see from the graphs below, taken from his report which is downloadable on his blog post, Vista has had an excellent track record compared to it’s predecessor, Windows XP, as well as competing products RHEL 4 (RHEL 5 has not been on the market for 1 year), OS X 10.4 (Leopard again, less than 1 year), and Ubuntu 6.06.
Now, before anyone jumps on the fact that the Linux variants install components not related to the OS security itself (Open Office, dev tools, etc.) which open up other security risks, Jeff has taken those out of his analysis.
I think it’s fairly safe to say that Microsoft has taken their Security model to a whole different level than previous incarnations of their OS, and any security expert, regardless of OS preference should be happy with the reduced threats in Vista.
Of course, some Apple supporters have now subscribed to the mindset that Vista isn’t widely used and therefore subjected to less attacks. Hypocritical much?
Several of my clients, all Small Businesses, have started to inquire when they would be able to move to Vista now that they have been using it at home for a few months and are wanting to budget in upgrade costs for the OS move. Unfortunately, most run LOB apps that aren’t compatible with Vista just yet, and one that has moved to online versions of their LOB app has moved to Vista. Eventually, 3rd part vendors will get there! This lends support to the notion that SMB’s are deploying Vista faster than their big brethren. Once SP1 is released, and the verdict is out, we should be seeing Vista numbers start to rise yet again, making things more secure overall.
Thoughts?!
Tags: Microsoft Vista Security 1 Year Vulnerability Report XP Ubuntu Red Hat Patch Vulnerability Linux Apple
