Monday, August 20, 2007

Microsoft Claims Vista Is More Secure Than Linux

In addition to comparing Vista to XP, Jeff Jones, director of Microsoft's Trustworthy Computing Group, compared Vista to Red Hat Enterprise Linux 4, which saw some 129 bugs during its first six months of availability. On the basis of these numbers, Jones concluded that Vista is more secure than its open-source counterpart.

According to Microsoft's Trustworthy Computing Group, the software giant's latest operating system is far more secure than competing platforms -- or even previous Windows iterations.

"The Windows Vista Six-Month Day Vulnerability Report" offers insights into the total fixed and unfixed Vista vulnerabilities, plus a comparative view of Linux, OpenOffice, and other applications. The report is available as a PDF download on the blog of Jeff Jones, the security strategy director in Microsoft's Trustworthy Computing Group.

"The results of the analysis show that Windows Vista continues to show a trend of fewer total and fewer high-severity vulnerabilities at the six-month mark compared to its predecessor product Windows XP (which did not benefit from the SDL) and compared to other modern competitive workstation OSs (which also did not benefit from an SDL-like process)," Jones wrote.

The "SDL" Jones refers to is Microsoft's "secure development lifecycle," a software-development process Microsoft adopted for creating software that can withstand malicious attack.

Six Months and Counting

During Windows Vista's first six months on the market, Microsoft released four security updates to address 12 total vulnerabilities. In the National Vulnerability Database, the National Institute of Standards and Technology (NIST) rated 10 of these issues as "high" severity, one as "medium," and one as "low."

There were also vulnerability disclosures during Windows Vista's first six months that have not yet been addressed by a fix. NIST rated only one of them "high" severity, while four have been rated "medium" and 10 have been rated "low."

How does that compare with the first six months of Windows XP? When Windows XP shipped, there were already three Internet Explorer vulnerabilities, which had been disclosed and fixed three weeks prior to market distribution. Consequently, new users had to apply an IE patch immediately to address them.

In addition, Microsoft fixed a total of 36 vulnerabilities in the first six months Windows XP was available. NIST rated 23 of those vulnerabilities "high" severity. At the end of the six-month period, a total of three publicly disclosed vulnerabilities did not yet have a patch available from Microsoft, two of which (CVE-2002-0189 and CVE-2002-0694) were rated "high" severity and one of which was rated "low."

"With respect to its predecessor product, Windows Vista seems to have a better initial six months, with one-third as many vulnerabilities fixed and with Windows Vista having only one high-severity issue outstanding at the end of the six-month period," Jones noted.

Open-Source Comparison

In addition to comparing Vista to XP, Jones compared Vista to open-source operating systems. Red Hat Enterprise Linux 4, the most downloaded GNU/Linux distribution, saw 129 publicly disclosed bugs during its first six months of availability. Forty of them were ranked "high" severity. Red Hat fixed a total of 281 vulnerabilities in Red Hat Enterprise Linux 4 Workstation in the first six months, 86 of which were rated "high" severity. On the basis of these numbers, Jones concluded that Vista was more secure than its open-source counterpart.
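The comparison above rests on one counting rule: take every disclosure made in the first six months after general availability, split it by NVD severity, and mark it fixed or unfixed at the six-month mark. The following Python is an added illustration of that rule, not code from Jones's report or from Microsoft; the disclosure identifiers and dates are constructed, and the 183-day window and the exclusion of pre-launch disclosures (like XP's three already-patched IE issues) are this example's assumptions about how the tally is defined.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Iterable, Optional

SEVERITIES = ("high", "medium", "low")


@dataclass(frozen=True)
class Disclosure:
    """One public vulnerability disclosure with its NVD-style severity rating."""
    ident: str
    disclosed: date
    severity: str            # "high", "medium" or "low"
    fixed: Optional[date]    # date the vendor fix shipped, or None if still open


def six_month_tally(ga: date, records: Iterable[Disclosure], window_days: int = 183) -> dict:
    """Tally disclosures made in the first six months after general availability (ga).

    A disclosure counts as "fixed" only if its fix shipped by the end of the window;
    otherwise it is "unfixed" at the six-month mark. Disclosures before ga (patched
    before launch) are excluded, and disclosures after the window are ignored.
    Assumed definitions; the report itself does not spell them out.
    """
    end = ga + timedelta(days=window_days)
    tally = {"fixed": dict.fromkeys(SEVERITIES, 0),
             "unfixed": dict.fromkeys(SEVERITIES, 0)}
    for r in records:
        if not ga <= r.disclosed <= end:
            continue
        bucket = "fixed" if r.fixed is not None and r.fixed <= end else "unfixed"
        tally[bucket][r.severity] += 1
    return tally


def sample_records() -> list:
    """Constructed sample data (hypothetical identifiers, not real CVEs)."""
    return [
        Disclosure("EX-1", date(2007, 1, 9), "high", date(2007, 1, 9)),    # pre-launch, excluded
        Disclosure("EX-2", date(2007, 2, 13), "high", date(2007, 4, 10)),  # fixed inside window
        Disclosure("EX-3", date(2007, 3, 1), "medium", None),              # no fix yet
        Disclosure("EX-4", date(2007, 6, 1), "low", date(2007, 9, 11)),    # fixed only after the mark
        Disclosure("EX-5", date(2007, 5, 8), "low", date(2007, 5, 8)),     # fixed same day
        Disclosure("EX-6", date(2007, 8, 15), "high", None),               # disclosed after window
    ]


def demo_tally(window_days: int = 183) -> dict:
    """Run the tally over the constructed sample; the GA date only anchors the sample."""
    return six_month_tally(date(2007, 1, 30), sample_records(), window_days)


if __name__ == "__main__":
    for bucket, counts in demo_tally().items():
        print(bucket, sum(counts.values()), counts)
```

Re-running with a different `window_days` shows how much the headline numbers depend on the chosen cut-off, which is the point behind Sutton's remark that six months is too short a frame to judge on.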

The value of the Microsoft SDL has been demonstrated in the past with applications such as Microsoft's widely used Internet Information Services (IIS), which has suffered fewer critical vulnerabilities due to increased security controls, according to Michael Sutton, a security evangelist with SPI Dynamics and former director of the Verisign iDefense labs.

Still, Sutton said he is not ready to declare a winner in this long-standing security debate. "It is encouraging to see that thus far Vista has faced fewer critical vulnerabilities," he said. "However, six months is not a sufficient time frame to pass judgment on the overall security of the operating system."

Sutton also pointed out that Vista has introduced many fundamental changes and said it will take some time before researchers have spent adequate time testing the new operating system.