You might know Jeff Jones' work on vulnerability reports comparing different products and vendors. Our goal is to understand and measure our progress and see where we stand with regard to the industry.
Today, Jeff released his OS Desktop vulnerability report for H1 2008, which to me shows some interesting results.
One is the Days of Risk: on average, how many days after disclosure it took a vendor to fix a vulnerability. He also weighted them based on whether they are critical, important or low:
Secondly he shows the number of vulnerabilities of all the vendors he is looking at:
And last but definitely not least he compares the different OSs:
There is one other interesting finding: 25% of the vulnerabilities are shared by more than one vendor!
So, if you want to download the report, you can find it in Jeff's post: http://blogs.technet.com/security/archive/2008/10/28/download-h1-2008-desktop-vuln-report.aspx
The 25% shared stat is the most interesting for me. To be honest, in my opinion 90% of any OS's security problems sit behind the keyboard. Like most, Windows gives the user more than enough instruments to be safe.