Report: Vista more secure than OS X and Linux
Attention Linux, Vista, and Apple fan boys: put on your gloves... it's time to rumble! A 6-month vulnerability report issued by Jeff "Security Guy" Jones has caught the eye of Redmond and the ire of places beyond. The report, which bases its security assessment upon vulnerabilities found (not actually exploited), claims that Vista is "more secure than OS X and Linux." In fact, the much-maligned XP even crushes the competition using their calculations. Of course, it's worth noting that Jeff is a member of Microsoft's Security business unit, which will probably sway your opinion as to the integrity of the data. Still, as incomplete as the assessment may be, it certainly appears to be a good showing for Vista considering the vast community of hackers attempting to thwart its security. We can predict what Billy G's probably saying right about now: Dy-no-mite JJ!
[Via vnunet]
Read -- 6 Month Vulnerability Report [warning: PDF]
Read -- JJ's blog entry
Reader Comments (Page 1 of 2)
Andir3.0 @ Jun 22nd 2007 8:02AM
The fact that he has XP so low might also raise a few flags...
Well, that and the low adoption rate of Vista.
Let the flames begin.
Andir3.0 @ Jun 22nd 2007 8:26AM
Isn't it also funny that they profile the distributions that won't sign the "protection agreement"...
arthur barnhouse @ Jun 22nd 2007 9:28AM
I'm not sure this proves anything except how quickly OSes are adopted in the first six months. Windows OSes have the lowest number of exploits because fewer people are finding exploits due to low adoption rates. Next highest is Apple. And most Apple users wait until a new machine to get the latest OS. Then Ubuntu, which is free to all. Then SLED and Red Hat which are used for servers, meaning both buying the upgrade AND finding exploits are high priorities. I'd like to see this data over a two year period, with the statistics on exploits broken down into three month increments.
Mike @ Jun 22nd 2007 10:14AM
That's the great thing about statistics...you can make them say whatever you want...
Jake @ Jun 22nd 2007 8:11AM
This is misleading. The Linux OSes include a whole host of software which are also being counted here, hence giving them such big bars, whilst Windows and OS X are just operating systems without the extra software.
If we were to compare apples with apples, and not include software included with Linux which does more than a basic Windows/OS X install, then we'll find the Linux bars shrink dramatically.
Lies, damn lies, and statistics.
Ignacio @ Jun 22nd 2007 9:27AM
You are mistaken, OS X also includes several open source packages which are included in the count, like Apache, PHP, Python, etc.
Mark A @ Jun 22nd 2007 1:01PM
If you actually bothered to read the report you will notice he actually also reports on the Linux distributions minus all the pre-loaded software that doesn't have a Windows equivalent in the base install.
Of course, let's not accuse Engadget of using the graph they did just to be sensationalistic? :)
Judson @ Jun 25th 2007 9:04AM
So the real lesson is to only release patches once a month regardless of need :)
jonbruck @ Jun 22nd 2007 8:12AM
I'm sorry–Vista is more secure because it patched more vulnerabilities? Doesn't that logic assume the same number of vulnerabilities across all the operating systems? Look at the chart. Vista has done more work because they've had more work to do. It's like saying we make the best product because our complaint line is the busiest.
Jason Smith @ Jun 22nd 2007 8:34AM
Chart Reading 101: The total height of the bars in this graph indicates the number of vulnerabilities found. The height of the blue section of each bar indicates the number of vulnerabilities that have already been fixed. How you interpret the data is completely up to you, but there are several ways to look at it, none of which include Vista having more vulnerabilities.
First, you could look at the chart and see that, across the board, Vista has had the least amount of vulnerabilities discovered. You could take that and say that a) Vista is the most secure, with the least number of vulnerabilities OR b) Nobody is using Vista, so they're just not finding the vulnerabilities yet.
Or you could look at the chart and notice that XP has the least amount of unfixed vulnerabilities, and low number found. You could use this to say that XP is the most secure - or that MS is spending a lot more time working on XP than Vista.
Or you could look at the chart and notice that although Vista has the lowest number of vulnerabilities found, it also has the lowest fix percentage. So you could assume that either working on Vista is a real pain, and bug fixing is going to be a real problem or that Vista isn't being improved very much right now.
And of course, the chart gives minimal detail on anything, including vulnerability severity, so you can also say that it means nothing at all.
Charts are fun!
Bob Delani @ Jun 22nd 2007 10:29AM
check the read link for high severity problems....
Kamalot @ Jun 22nd 2007 8:20AM
It sounds like non-Windows operating systems have more security flaws, but nobody exploits them. Probably because the Windows install-base is overwhelmingly large.
brad @ Jun 22nd 2007 8:21AM
In other news...no report will make anyone happy
News ticker
*flamebait is in full force....man accuses dog of murder...*
a ham sandwich @ Jun 22nd 2007 8:25AM
i believe the vista part thanks to uac and ie7 protected mode and things like that, but the fact that he has xp rated so well, disturbs me.
CowboyGA @ Jun 22nd 2007 8:25AM
"it's worth noting that Jeff is a member of Microsoft's Security business unit which will probably sway your opinion"
Yep. But can anyone find any non-biased security info? There's no exact benchmark to measure security across OSs, and this graph bears arguing which is more important - MS's ability to patch and safeguard better and faster than Linux, or Linux's ability to not have its vulnerabilities attacked by every hacker on the planet.
The actual virus/attack rate of each system graphed out would be the opposite of what's above - but that isn't any more accurate.
Justin @ Jun 22nd 2007 8:30AM
"MS's ability to patch and safeguard better and faster than Linux"
Heh. Thanks I needed a laugh this morning.
Andir3.0 @ Jun 22nd 2007 8:48AM
"MS's ability to patch and safeguard better and faster than Linux"
Which is why that chart still lists ~50% of Vista's bugs as unfixed. Given the low number of bugs (at least according to the chart) that would tell me that Linux builds are quicker to fix these bugs..
Chris @ Jun 22nd 2007 8:54AM
The title of this story should read "Microsoft Report: Vista more secure than OS X and Linux" ;)
Danny @ Jun 22nd 2007 8:38AM
Can someone grab me a copy of Windows XP: Jeff Jones edition? It looks much better than the public builds.
nikster @ Jun 22nd 2007 8:41AM
Here's my statistics:
Number of active exploits affecting users out in the wild:
XP: 100s of thousands
Vista: 100s of thousands
OS X: 0
Linux (any): 0
Seriously... I was expecting more from Vista. When I look at critical security fixes from Microsoft, and read the accompanying advisory page, it almost always says "IE7, Win XP AND Vista". So where's that added security when most new exploits work on Vista just as well as on XP?
David @ Jun 22nd 2007 8:50AM
All that chart tells me is that Vista has the lowest number of fixed vulnerabilities, and that it has the lowest number of disclosed vulnerabilities, and that we all know what Microsoft is like for keeping vulnerabilities UNdisclosed.
ajneil @ Jun 22nd 2007 1:10PM
Exactly what I was thinking. Open Source OS's disclose all vulnerabilities, hence the larger bars for the Linuxes.
dom.rout @ Jun 22nd 2007 2:02PM
That was the first thing I thought when I saw this chart :D
AlexBH @ Jun 22nd 2007 8:51AM
MUHAHAHAHAHAHAHAHAHAHAHAHAHAHAHA! you guys at Engadget are so FUNNY!
G @ Jun 22nd 2007 8:52AM
Is it possible to find an unbiased opinion? It doesn't seem to do much for MS when every one of these "surprise" reports has breadcrumbs leading back to them.
jonbruck @ Jun 22nd 2007 8:55AM
ok, I'm a dork. I reacted to the headline and posted without examining the labels at the bottom. please ignore my rantings.
MDB @ Jun 22nd 2007 9:20AM
At least you can admit it. Dork.
brendan Sheehan jnr @ Jun 22nd 2007 8:55AM
"Vista more secure than OS X and Linux"
Allow me to redo the title of this article:
Vista more secure than OS X and Linux?
Mike @ Jun 22nd 2007 8:58AM
Well, damn! I just don't understand anything anymore! If everyone is patent infringing on Microsoft, wouldn't the amount of vulnerabilities be the same?!
You gotta love ditch efforts to sway user opinion!
bondsbw @ Jun 22nd 2007 9:01AM
April fools was, um, in April.
So I guess this is just a fool's joke, which is exactly what we are if we take this at face value.
dudeInAmerica @ Jun 22nd 2007 9:02AM
"Of course, it's worth noting that Jeff is a member of Microsoft's Security business unit which will probably sway your opinion as to the integrity of the data."
Shouldn't that disqualify this report and cause the writer to burn in his patched infested activation hell?
In other news:
Budweiser employed beer specialist claims Budweiser is better than Coors or Corona.. White paper forthcoming.
me @ Jun 22nd 2007 9:12AM
90% of the world uses PC, Vista, XP, Windows 2000. Of course they are going to have a lot more attackers! Someone is going to sit around for days trying to make a hack for all 10 Linux users LOL!!
Apple had to pay some hacker $10,000 because he was able to hack into the all powerful gift from god OSX, there was a contest from Apple daring people to try to hack it. That's why you guys have to pay $500 for an iPhone! lol. I also read a report that said the same thing a few weeks ago. Look at Safari for PC, it only took hours before someone hacked the piece of garbage. See what happens when Apple tries to play with the big boys, they get sent back home with their tails between their legs! lol. Don't get me wrong, I like Apple too, I have a MAC as well as a PC at home. So don't think I'm all PC!!
Gianni @ Jun 22nd 2007 9:36AM
Then I'm sure you know the Safari vulnerabilities were fixed mere hours after the release. It's also worth mentioning that Safari 3 is a *Public Beta* ... *BETA*.
I'm not quite sure what you're talking about with the iPhone, but I'm not so sure you know either.
Swordmaker @ Jun 25th 2007 4:20AM
So much misinformation and distortions in one post.
It was not Apple that offered the reward which was $10,000 (Canadian $s) plus the target MacBook Pro. It was the sponsors of the CanSecWest conference.
The exploit that was utilized to compromise the MacBook Pro was an exploit of a vulnerability in Java that impacts all Java capable browsers, not just Macs. In addition, the contest was won only after the sponsors lowered the bar and a contest referee navigated the MacBook Pro's browser to a pre-configured website and clicked on a link placed there by the hacker. The Java script linked to gained the hacker user level access to the MacBook but not Root. The contest to achieve root level, another MacBook Pro laptop, went unclaimed.
By the way, I do not believe you own a MAC (sic).
me @ Jun 25th 2007 3:21PM
You're right, I don't own a Mac. I own 2 iBooks and a G5. I work in the advertising biz, I need them.
xlt3zz @ Nov 18th 2007 12:23PM
Apple had to make Safari for Windows flawed or it wouldn't have fit in with the Windows OS or any of the other programs : )
kart @ Jun 22nd 2007 9:14AM
Um.... if this is true, it's probably due to the fact that the report only looks 6 months out. Look out longer than that, and I'm sure you'll see an enormous spike for XP... and the same will likely happen for Vista.
clayton.coffman @ Jun 22nd 2007 9:17AM
You should note that this graph only covers the FIRST SIX MONTHS of vulnerabilities in these OSes. This is either an example of cherry-picking data in favor of Vista or an interesting (but theoretically valid) way of evaluating security.
I mean, how would you compare the security of OS's which have been out for different periods of time? If you only compared TOTAL number of exploits without normalizing for time (as they KIND OF are doing here).
For instance, if you assume that vulnerabilities are found at a linear (or near linear) rate and that the total number of possible exploits is significantly larger than what has been found, then it makes sense to only compare the first six months (as they did here).
What would be nice though would be a real normalized comparison. Compare for instance RATE OF DISCOVERY normalized against instantaneous number of users or some such.
Mark A @ Jun 22nd 2007 11:58AM
It's sorta hard to report on 12 monthly figures for an OS that has only been out 6 months, hmm?
John Davis @ Jun 22nd 2007 8:36PM
Exactly. I'd like to see the statistics of amount of damage (in dollars and cents) caused by OS vulnerabilities. That would make some interesting comparisons.
MS just screws around with statistics. Ballmer said recently that the Zune had 20 or 25 per cent market share! Adding, as an aside, that this was in the hard disk category. Then a few weeks ago, some MS shill wrote that MS had smashed through their sales target of selling a million Zunes in a year - when they hadn't - and still haven't.
John Davis
clayton.coffman @ Jun 22nd 2007 9:03PM
Yeah, but you can't really fault them for that. They are a business and all businesses lie or overstate the success or capabilities of their products. I mean, look at Apple, they downright lie not only about their own products but about the products of others. Did you see the PC guy/Mac guy commercial where they implied that PCs can't connect to a digicam that a Mac can? Tell me what camera will connect to a Mac but not a PC. Or when they said that Macs don't have any preloaded crapware (which they do)? Not to mention the incredible hyperbole they always employ.
But like I said, I can't fault a business for doing anything they can get away with to sell their product, I wouldn't invest in one that didn't.
If only Microsoft used attack ads, it seems they are above that.
Boris @ Jun 22nd 2007 9:15AM
Bill has been daring people to hack Vista since the beta came out, you know for a fact the haters at Engadget would post the day someone does it. So far nothing.
clayton.coffman @ Jun 22nd 2007 9:17AM
Should also note that many of the "XP vulnerabilities" you're thinking of were actually OUTLOOK or INTERNET EXPLORER vulnerabilities and not failures of the OS itself.
Andir3.0 @ Jun 22nd 2007 10:10AM
According to "Mr. JJ" himself he included all applications bundled with the operating system. (Which is a tad unfair to Linux builds since they now include a lot of software...)
clayton.coffman @ Jun 22nd 2007 10:13AM
Yeah, I would see including other apps would invalidate this study. Anyone could install netbus on their computer, doesn't mean any OS is unstable.
ajgalli @ Jun 22nd 2007 11:23PM
Internet Explorer is PART of XP. It is actually used by the OS for navigation, not just web browsing.
MDB @ Jun 22nd 2007 9:21AM
Microsoft says Vista/XP are the most secure?
And I'm the coolest person in the world.
Boris @ Jun 22nd 2007 9:22AM
can I get your autograph fonzy??
MDB @ Jun 22nd 2007 9:26AM
Only if you let me infiltrate your security holes
Boris @ Jun 22nd 2007 9:46AM
LOL!! Nice try. If you can find one, sure. By then you'll be too old to be cool anyway so never mind LOL!!