Report: Vista more secure than OS X and Linux
Attention Linux, Vista, and Apple fan boys: put on your gloves... it's time to rumble! A 6-month vulnerability report issued by Jeff "Security Guy" Jones has caught the eye of Redmond and the ire of places beyond. The report, which bases its security assessment on vulnerabilities found (not actually exploited), claims that Vista is "more secure than OS X and Linux." In fact, the much-maligned XP even crushes the competition using their calculations. Of course, it's worth noting that Jeff is a member of Microsoft's Security business unit, which will probably sway your opinion as to the integrity of the data. Still, as incomplete as the assessment may be, it certainly appears to be a good showing for Vista considering the vast community of hackers attempting to thwart its security. We can predict what Billy G's probably saying right about now: Dy-no-mite JJ!
[Via vnunet]
Read -- 6 Month Vulnerability Report [warning: PDF]
Read -- JJ's blog entry

The fact that he has XP so low might also raise a few flags...
Well, that and the low adoption rate of Vista.
Let the flames begin.
Isn't it also funny that they profile the distributions that won't sign the "protection agreement"...
I'm not sure this proves anything except how quickly OSes are adopted in the first six months. Windows OSes have the lowest number of exploits because fewer people are finding exploits due to low adoption rates. Next highest is Apple. And most Apple users wait until a new machine to get the latest OS. Then Ubuntu, which is free to all. Then SLED and Red Hat which are used for servers, meaning both buying the upgrade AND finding exploits are high priorities. I'd like to see this data over a two year period, with the statistics on exploits broken down into three month increments.
That's the great thing about statistics...you can make them say whatever you want...
This is misleading. The Linux OSes include a whole host of software which are also being counted here, hence giving them such big bars, whilst Windows and OS X are just operating systems without the extra software.
If we were to compare apples with apples, and not include software included with Linux which does more than a basic Windows/OS X install, then we'll find the Linux bars shrink dramatically.
Lies, damn lies, and statistics.
You are mistaken, OS X also includes several open source packages which are included in the count, like Apache, PHP, Python, etc.
If you actually bothered to read the report you will notice he actually also reports on the Linux distributions minus all the pre-loaded software that doesn't have a Windows equivalent in the base install.
Of course, let's not accuse Engadget of using the graph they did just to be sensationalistic? :)
So the real lesson is to only release patches once a month regardless of need :)
I'm sorry–Vista is more secure because it patched more vulnerabilities? Doesn't that logic assume the same number of vulnerabilities across all the operating systems? Look at the chart. Vista has done more work because they've had more work to do. It's like saying we make the best product because our complaint line is the busiest.
Chart Reading 101: The total height of the bars in this graph indicates the number of vulnerabilities found. The height of the blue section of each bar indicates the number of vulnerabilities that have already been fixed. How you interpret the data is completely up to you, but there are several ways to look at it, none of which include Vista having more vulnerabilities.
First, you could look at the chart and see that, across the board, Vista has had the least amount of vulnerabilities discovered. You could take that and say that a) Vista is the most secure, with the least number of vulnerabilities OR b) Nobody is using Vista, so they're just not finding the vulnerabilities yet.
Or you could look at the chart and notice that XP has the least amount of unfixed vulnerabilities, and low number found. You could use this to say that XP is the most secure - or that MS is spending a lot more time working on XP than Vista.
Or you could look at the chart and notice that although Vista has the lowest number of vulnerabilities found, it also has the lowest fix percentage. So you could assume that either working on Vista is a real pain, and bug fixing is going to be a real problem or that Vista isn't being improved very much right now.
And of course, the chart gives minimal detail on anything, including vulnerability severity, so you can also say that it means nothing at all.
Charts are fun!
check the read link for high severity problems....
It sounds like non-Windows operating systems have more security flaws, but nobody exploits them. Probably because the Windows install-base is overwhelmingly large.
In other news...no report will make anyone happy
News ticker
*flamebait is in full force....man accuses dog of murder...*
I believe the Vista part thanks to UAC and IE7 protected mode and things like that, but the fact that he has XP rated so well disturbs me.
"it's worth noting that Jeff is a member of Microsoft's Security business unit which will probably sway your opinion"
Yep. But can anyone find any non-biased security info? There's no exact benchmark to measure security across OSs, and this graph bears arguing which is more important - MS's ability to patch and safeguard better and faster than Linux, or Linux's ability to not have its vulnerabilities attacked by every hacker on the planet.
The actual virus/attack rate of each system graphed out would be the opposite of what's above - but that isn't any more accurate.
"MS's ability to patch and safeguard better and faster than Linux"
Heh. Thanks I needed a laugh this morning.
"MS's ability to patch and safeguard better and faster than Linux"
Which is why that chart still lists ~50% of Vista's bugs as unfixed. Given the low number of bugs (at least according to the chart) that would tell me that Linux builds are quicker to fix these bugs..
The title of this story should read "Microsoft Report: Vista more secure than OS X and Linux" ;)
Can someone grab me a copy of Windows XP: Jeff Jones edition? It looks much better than the public builds.
Here's my statistics:
Number of active exploits affecting users out in the wild:
XP: 100s of thousands
Vista: 100s of thousands
OS X: 0
Linux (any): 0
Seriously... I was expecting more from Vista. When I look at critical security fixes from Microsoft, and read the accompanying advisory page, it almost always says "IE7, Win XP AND Vista". So where's that added security when most new exploits work on Vista just as well as on XP?
All that chart tells me is that Vista has the lowest number of fixed vulnerabilities, and that it has the lowest number of disclosed vulnerabilities, and that we all know what Microsoft is like for keeping vulnerabilities UNdisclosed.
Exactly what I was thinking. Open Source OS's disclose all vulnerabilities, hence the larger bars for the Linuxes.
That was the first thing I thought when I saw this chart :D
MUHAHAHAHAHAHAHAHAHAHAHAHAHAHAHA! you guys at Engadget are so FUNNY!
Is it possible to find an unbiased opinion? It doesn't seem to do much for MS when every one of these "surprise" reports has breadcrumbs leading back to them.
ok, I'm a dork. I reacted to the headline and posted without examining the labels at the bottom. please ignore my rantings.
At least you can admit it. Dork.
"Vista more secure than OS X and Linux"
Allow me to redo the title of this article:
Vista more secure than OS X and Linux?
Well, damn! I just don't understand anything anymore! If everyone is patent infringing on Microsoft, wouldn't the amount of vulnerabilities be the same?!
You gotta love ditch efforts to sway user opinion!
April fools was, um, in April.
So I guess this is just a fool's joke, which is exactly what we are if we take this at face value.
"Of course, it's worth noting that Jeff is a member of Microsoft's Security business unit which will probably sway your opinion as to the integrity of the data."
Shouldn't that disqualify this report and cause the writer to burn in his patched infested activation hell?
In other news:
Budweiser employed beer specialist claims Budweiser is better than Coors or Corona.. White paper forthcoming.
90% of the world uses PC, Vista, XP, Windows 2000. Of course they are going to have a lot more attackers! Someone is going to sit around for days trying to make a hack for all 10 Linux users LOL!!
Apple had to pay some hacker $10,000 because he was able to hack into the all powerful gift from god OSX, there was a contest from Apple daring people to try to hack it. That's why you guys have to pay $500 for an iPhone! lol. I also read a report that said the same thing a few weeks ago. Look at Safari for PC, it only took hours before someone hacked the piece of garbage. See what happens when Apple tries to play with the big boys, they get sent back home with their tails between their legs! lol. Don't get me wrong I like Apple too, I have a MAC as well as a PC at home. So don't think I'm all PC!!
Then I'm sure you know the Safari vulnerabilities were fixed mere hours after the release. It's also worth mentioning that Safari 3 is a *Public Beta* ... *BETA*.
I'm not quite sure what you're talking about with the iPhone, but I'm not so sure you know either.
So much misinformation and distortions in one post.
It was not Apple that offered the reward which was $10,000 (Canadian $s) plus the target MacBook Pro. It was the sponsors of the CanSecWest conference.
The exploit that was utilized to compromise the MacBook Pro was an exploit of a vulnerability in Java that impacts all Java capable browsers, not just Macs. In addition, the contest was won only after the sponsors lowered the bar and a contest referee navigated the MacBook Pro's browser to a pre-configured website and clicked on a link placed there by the hacker. The Java script linked to gained the hacker user level access to the MacBook but not Root. The contest to achieve root level, another MacBook Pro laptop, went unclaimed.
By the way, I do not believe you own a MAC (sic).
You're right, I don't own a Mac, I own 2 iBooks and a G5. I work in the advertising biz, I need them.
Apple had to make Safari for Windows flawed or it wouldn't have fit in with the Windows OS or any of the other programs : )
Um.... if this is true, it's probably due to the fact that the report only looks 6 months out. Look out longer than that, and I'm sure you'll see an enormous spike for XP... and the same will likely happen for Vista.
You should note that this graph only covers the FIRST SIX MONTHS of vulnerabilities in these OSes. This is either an example of cherry-picking data in favor of Vista or an interesting (but theoretically valid) way of evaluating security.
I mean, how would you compare the security of OS's which have been out for different periods of time? If you only compared TOTAL number of exploits without normalizing for time (as they KIND OF are doing here).
For instance, if you assume that vulnerabilities are found at a linear (or near linear) rate and that the total number of possible exploits is significantly larger than what has been found, then it makes sense to only compare the first six months (as they did here).
What would be nice though would be a real normalized comparison. Compare for instance RATE OF DISCOVERY normalized against instantaneous number of users or some such.
It's sorta hard to report on 12 monthly figures for an OS that has only been out 6 months, hmm?
Exactly. I'd like to see the statistics of amount of damage (in dollars and cents) caused by OS vulnerabilities. That would make some interesting comparisons.
MS just screws around with statistics. Ballmer said recently that the Zune had 20 or 25 per cent market share! Adding, as an aside, that this was in the hard disk category. Then a few weeks ago, some MS shill wrote that MS had smashed through their sales target of selling a million Zunes in a year - when they hadn't - and still haven't.
John Davis
Yeah, but you can't really fault them for that. They are a business and all businesses lie or overstate the success or capabilities of their products. I mean, look at Apple, they downright lie not only about their own products but about the products of others. Did you see the PC guy/Mac guy commercial where they implied that PCs can't connect to a digicam that a Mac can? Tell me what camera will connect to a Mac but not a PC. Or when they said that Macs don't have any preloaded crapware (which they do)? Not to mention the incredible hyperbole they always employ.
But like I said, I can't fault a business for doing anything they can get away with to sell their product, I wouldn't invest in one that didn't.
If only Microsoft used attack ads, it seems they are above that.
Bill has been daring people to hack Vista since the beta came out, you know for a fact the haters at Engadget would post the day someone does it. So far nothing.
Should also note that many of the "XP vulnerabilities" you're thinking of were actually OUTLOOK or INTERNET EXPLORER vulnerabilities and not failures of the OS itself.
According to "Mr. JJ" himself he included all applications bundled with the operating system. (Which is a tad unfair to Linux builds since they now include a lot of software...)
Yeah, I would see including other apps would invalidate this study. Anyone could install netbus on their computer, doesn't mean any OS is unstable.
Internet Explorer is PART of XP. It is actually used by the OS for navigation, not just web browsing.
Microsoft says Vista/XP are the most secure?
And I'm the coolest person in the world.
Can I get your autograph, Fonzy??
Only if you let me infiltrate your security holes
LOL!! Nice try. If you can find one, sure. By then you'll be too old to be cool anyway so never mind LOL!!