The Microsoft TechNet Australia Blog

Info straight from the Microsoft Tech Audience team in Australia, Yes we are real Microsoft people and we love geeks!

Vista 6 month vulnerability report - better than XP?

Good report at Jeff Jones' blog.

For those that only want the executive summary, here is a key chart that shows the publicly disclosed High severity vulnerabilities during the first 90 days of availability, broken down by vulns fixed and vulns unfixed. Note that this chart shows the reduced Linux builds that exclude non-default and optional components without equivalents on Windows. (Clicking the chart also gets you to the full report.)

Chart: High Severity Vulns, Fixed and Unfixed in First 6 Months of Windows, Red Hat, Novell SUSE, Ubuntu, Apple Mac

  • Really good actually - see this article on the Australian TechNet Blog: More info on Jeff Jones'

  • What? RHEL had more exploits than Windows Vista or XP... combined? This chart is unbiased on so many levels it's not funny.

    What constitutes a "vulnerability" as such? For example, the majority of exploits found in Linux based operating systems allow certain local users to be able to attain "root", or Administrator, on the local PC.

    However, with XP or Vista, it's an entirely different story. I flick through the KB database and all I see is "Buffer overflow in XYZ may allow remote code execution" or "may allow a remote hacker to compromise your computer" or EVEN "may allow a remote hacker to gain COMPLETE CONTROL over your computer".

    I for one remember the RPC exploit which allowed anybody (provided they were pre-SP2) to gain a command line on the remote computer. This was a serious security breach.

    I've never seen something this serious on any of my Linux based machines.

    My resident Linux installation (dual boots with XP and Vista) is Ubuntu 7.xx. If I disable the firewall on my XP machine, and enable the DMZ through to my computer, then I can expect that my computer will be screwed in a matter of minutes.

    If I do the same in my Ubuntu install, nothing happens. Same security, nothing gets in without my approval.

    Furthermore, what exactly is exploitable? The base system? Or the optional packages that are bundled with most Linux distributions? For it to be a truly fair test, the vulnerabilities should only exist in the main kernel and perhaps the utils packaged with the distro, which I suspect is not the case.

    At any rate, if Vista and XP were to "lose" in this chart, then I'm sure it wouldn't be posted on this site :P

  • Ah damn double post, delete the first one.

  • Um I think you mean biased not "unbiased". Unbiased would mean not-biased (if it was a real word). Also the heading does indeed state: "Linux builds that exclude non-default and optional components without equivalents on Windows", so generally it doesn't include optional packages.

    The fact is, most Windows vulnerabilities get patched before a real world exploit is written so your comments about the KB database are unwarranted.

    Also, since when are root kit exploits not serious? There is no real line between local and remote users in Linux, I never log in locally (in the sense of physically) to my Linux machine at home. Out of all the servers I've run, my Linux machine at home is the only machine I've had compromised. I admit it was indeed my own fault for not ensuring it was fully patched. Generally, these days it doesn't matter which OS you run (Windows, Linux, Unix, Mac OS...) as long as you keep up to date you'll be safe.

  • I'd be interested to see how many of the patches for WinXP were actually for IE.

    WinXP had IE embedded and most security flaws, I would guess, are actually IE exploits. If Vista had come out back when IE was in the same stage of development (i.e. less mature than now) it would have had the same problems.

    Face it, embedding a non standards compliant, buggy and exploitable browser in an OS is just asking for exploits to be written for it.

    Comparing Vista to XP is like comparing my new car with the previous model. Of course they worked out most of the bugs this time round - that's why it is a new model.

    The only fair comparison would be to add all the exploits from Windows 95 on and include Windows 2000 as well, as Vista is simply the sum of all those OSes plus a few million extra lines of code.

    Linux is inherently more secure for a completely different reason - the fact that it's open source and has a large developer community around its transparent kernel code. As long as Windows' bloated code remains locked away the exploits will continue. No one at MSFT can possibly understand it all.

    All that said, I mostly agree with Alan in that the modern OS manufacturer is exploit aware and readily provides patches. However "safe" is a fairly loose concept - maybe a Vista user is just less likely to get shot down in flames than a Win 98 PC (still a lot of them out there!)
