Microsoft better at patching XP than Vista?
Data revealed by company, but interpretations are differing
IDG News Service - A Microsoft Corp. security executive released data Thursday showing that, six months after shipping Windows Vista, his company has left more publicly disclosed Vista bugs unpatched than it did with Windows XP.
In total, Microsoft has patched 12 out of 27 disclosed Vista vulnerabilities in the six months after it first shipped last November. During XP's first six months, Microsoft's security team patched 36 out of 39 known bugs.
The data was published by Jeff Jones, a Microsoft security strategy director, who said that overall, Vista was doing better than XP. "Windows Vista continues to show a trend of fewer total and fewer high-severity vulnerabilities at the six month mark compared to its predecessor product, Windows XP," he wrote.
Jones didn't address the larger number of unpatched vulnerabilities, but he did note most of the unpatched Vista bugs were not critical. Microsoft had left only one high-severity Vista vulnerability unpatched during the period. At the end of XP's first six months, there were two high-severity bugs that were unpatched.
Microsoft patched 23 high-severity XP bugs during its first six months, compared with only one high-severity Vista flaw.
Jones argued that Vista had a lower number of vulnerabilities than competitive operating system products such as Red Hat Enterprise Linux and Mac OS X.
He published the data in an effort to show how Microsoft's software development methodology, called the Security Development Lifecycle (SDL), is yielding dividends. But his method of comparing Windows to Linux and Mac OS X is problematic, according to some.
"This is an apples-to-oranges comparison," said HD Moore, one of the hackers behind the popular Metasploit penetration testing toolkit. "If you want a more accurate view, try comparing the number of flaws between Microsoft-developed software and vendor-X-developed software. Most Linux vendors don't actually write the majority of the packages they include," he said via e-mail.
"Alternatively, force Microsoft to include all vulnerabilities in common third-party software," he added. "For example, the thousands of exploitable ActiveX controls that... vendors include with a Windows system."
According to Randy Abrams, director of technical education with antivirus vendor Eset LLC, it will be more interesting to look at vulnerability statistics once Vista becomes more popular than XP, and the target of more hackers.
But Microsoft has stepped up its security practices, he added. "I think their Security Development Lifecycle initiative has improved the quality of the code," he said.
- Radicati: Cloud Business Email - Market Quadrant 2013 Google was named the top cloud business email provider in a recent report by research firm Radicati. Out of 14 key players, Google...
- Tablets in the Enterprise: A Checklist for Successful Deployment How can you enterprise manage and secure tablets in order to protect corporate data while providing access to the information and applications employees...
- Enterprise Mobility: A Checklist for Secure Containerization The advantages and disadvantages of the multiple approaches to containerization. Learn More>>
- Enterprise File Sync & Share Checklist File sync and share has changed the way people work and collaborate in today's tech-savvy world. Gone are the email roadblocks, clunky FTP...
- Live Webcast LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy... All Security White Papers | Webcasts