Since published my Windows Vista - 90 Day Vulnerability Report, I have been reading a lot of the various commentary and generally, I take it with a grain of salt.  Many of the comments indicate that the person didn't even read the report, which is fairly typical, while others bash it without raising any substantive proofpoint, simply because of where I work - again, pretty typical.  Anyway, there have been some interesting ones from security reporters that I thought might be fun to review.

Podcast by Joris Evers and Robert Vamosi. ( Download mp3 )

This one is a fun one, go listen to it and give the some hits/traffic.   First, they have the theory that I'm in a Microsoft conspiracy, whereby Microsoft actively held back fixing some Vista issues in March to help my report.  NEWFLASH:  March wasn't in the 90 day period!  Evers and Vamosi are eagerly waiting to see if there are a bunch of Vista vulns fixed in April, thus "proving" their theory...  Next, one of them calls the report a case of me "lying with statistics."  I'm eagerly awaiting the alternate non-lying point of view that they're no doubt working on to back that up.  And finally, the coup de grace, where they point out that other systems can be more secure if one attacks them!  Good insight that, my Mom uses a similar theory in keeping her car door unlocked - she'd rather they just take the stuff without breaking a window that would have to be fixed and raise insurance rates.  I can see how a risk management process might use that ... hmmm, okay there's nothing on this system of value to protect, so let's go with the system that has the most vulnerabilities, adn make it easier for attackers to find out we have nothing they want...

Vista Security by the Numbers by Joe Wilcox.

Now, those of you who read Joe's article might be confused, as I initially was.  Joe "falls into the trap" of assuming that security alerts and vulnerabilities are the essentially the same thing.  Here is a tip - vulnerabilities and alerts/advisories/bulletins generally can not be used as proxies for each other.  Some bulletins address 1 vulnerability in 1 product, while others might address 14 vulnerabilities that apply to 4 different products in various permutations (e.g. maybe only 4 apply to WS2003).  Additionally, severities may be different depending on the product.  Tip#2 - this is true for Microsoft and for other vendors, including everyone in the 90 day report.  Joe uses "alerts" and "vulnerabilities" interchangeably, so it is easy to understand why counting might be a challenge.

For example, his count of vulnerabilities for WS2003 is 20 in the first 11 months - my own count is 32 vulnerabilities.  I can't reconcile it.  Similarly, he talks about NT Server 4 vulns, but doesn't seem to consider that there was no MSRC or Microsoft security response process until about 2 years after NT4 shipped - could that affect numbers of alerts, do you think?

A few other mistakes Joe makes that I want to point out (only in the interest of setting the record straight, of course).  Joe says "The Vista information doesn't reflect components Microsoft considers to be part of the operating system. Alerts mentioning Internet Explorer 7 number about two dozen during Jones' 90-day period."  I beg your pardon, but I certainly counted IE7 vulnerabilities that were applicable to Windows Vista and all other product components that ship with Vista.  He is right that I don't count ones in 3rd-party applications ... but does anyone think that coding errors made my 3rd parties reflect on Vista security quality?

Joe's big point is that there were more disclosures in March that didn't get counted.  I'm good with that - after all, I said this was an early indicator that security quality was better ... and it is.  We're already past 120 days now and quickly coming up on 6 months - which will include those March disclosures - and I am confident that the 6 month view will show improvement as well with respect to previous and contemporary products.

Before I close, I want to give a tip of the hat to the folks who create headlines for making me laugh.  Take a look:

PC World - Microsoft Gives Vista Security an A-Plus

Microsoft security report card: passing grade for Vista

MSFN - Microsoft: Vista Safer than OS X, Linux

Microsoft Gives Windows Vista Security a Thumbs-Up

Microsoft: Vista more secure than Mac OS X

Now those are some impressive headlines.  How many of you clicked on them just out of curiosity?  An A-Plus?  Wow, that is arrogant.  Passing grade, hmm, somewhat more circumspect.  "Safer" ?  "Thumbs-up"?  "More secure" ?  Wow!  Only one thing ... I don't think anyone at Microsoft said that - certainly not me.  What did I say?  Oh yes,

"The results of the analysis show that Windows Vista has an improved security vulnerability profile over its predecessor and a significantly better profile relative to comparable modern competitive operating systems. "

and of course this provocative comment

"As an early and tentative indicator, this is good news for Windows Vista security, but keep in mind that it is early days yet, and we should have a more informative view after we pass the 6-month and 1-year milestones."

But, then, I guess "early and tentative indicator" doesn't make for an exciting headline ... ;-0

Best regards ~ Jeff