Q1 2008 - Client OS Vulnerability Scorecard

Linkpost | 5.15.2008

TechBlog — Thu, 15 May 2008 15:10:53 GMT

• Windows Vista vs Windows XP SP2 Vulnerability Report 2007 -- In calendar year 2007, Vista was more secure than XP SP2 . . . according to this Microsoft employee. And, he says, it was generally more secure than other...

Q1 2008 - Client OS Vulnerability Scorecard

Global Security Watch — Thu, 15 May 2008 16:33:19 GMT

[Source: Jeff Jones Security Blog] quoted: This paper is a compilation of vulnerability data for client operating systems for the first 3 month, January through March, of 2008. Vulnerabilities and fixes for the following products are discussed:

Which was the most secure operating system in Q1 2008?

TechBlog — Thu, 15 May 2008 16:51:19 GMT

Apple's Mac OS X gets kudos for its security. At this writing, there are no significant exploits for its security holes, and Apple has a good track record of patching vulnerabilities in a timely manner. But that doesn't mean there...

Vulnérabilités des OS clients : Vista, XP SP2, Linux, Mac OS... et Windows 2000 dans tout ça ?

pascals.blog — Fri, 16 May 2008 16:45:16 GMT

Jeff Jones vient de publier deux papiers comparant pour le premier les vulnérabilités de Windows

re: Q1 2008 - Client OS Vulnerability Scorecard

James — Sun, 18 May 2008 11:16:49 GMT

You really should have done a better check on the Ubuntu one, 6.06 is old. The OS has upgraded to 7.10 and not too long ago release 8.08. Therefore, it is kind of like check the vulnerability rating of windows 2k

I numeri sulle vulnerabilità di Windows Vista? Ottimi ma noiosi... parliamo invece di Apple

Security Blog di Feliciano Intini — Mon, 19 May 2008 19:13:14 GMT

Jeff Jones ha pubblicato un nuovo breve paper di confronto delle vulnerabilità, questa volta focalizzato

re: Q1 2008 - Client OS Vulnerability Scorecard

JamesNT — Sat, 24 May 2008 18:03:32 GMT

@James

And just how old is Ubuntu 6.06? Is it as old as Windows 2000?

JamesNT

re: Q1 2008 - Client OS Vulnerability Scorecard

Ajit Gaddam — Wed, 28 May 2008 23:23:55 GMT

I did a more complete analysis and in depth analysis on year 2007 data including Windows Vista, Windows XP, Ubuntu, RedHat and MacOS X as a follow up to Jeff's full blown year 2007 vulnerability report.

However, as Jeff admits, this kind of first year analysis may be good to evaluate the security practices and product development methodologies of a vendor more than measure the security of an Operating system. This paper expands on his findings while following a similar structure used in Jeff’s report presenting a deeper level of analysis and comparison of the modern workstation Operating Systems using the entire 2007 vulnerability and days of risk data which would more accurately reflect the “present security state” of these different Operating Systems.

The results of my analysis based on the Vulnerability Count Metric and Days of Risk suggest that Windows Vista is the most secure Operating System when compared to the other leading Desktop Operating Systems for the year 2007 based on its lower vulnerability profile.

With the vulnerability and risk data available, I also wanted to tackle the topic of Browser security. The analysis reveals that Firefox 2.x on Ubuntu platform was the most secure browser for the year 2007 in terms of the lowest Days of Risk and vulnerability profile.

http://www.root777.com/computer-security/operating-systems-security-year-2007-vulnerability-report/

re: Q1 2008 - Client OS Vulnerability Scorecard

M SHARON — Wed, 18 Jun 2008 01:52:10 GMT

WHO CARES IF YOU HAVE THE GREATEST SECURITY IN THE WHOLE WORLD IF YOU CAN'T USED IT ON LINE YOU YOU HAVE NO SECURITY ISSUES ANYWAY. I AM HATING VISTA!! IT BLOCKS EVERYTHING --NOW V-FIOS, & MY YAHOO, B4--ADOBE CS3 RESOLVE ONE ISSUE TO HAVE ANOTHER. I WILL NEVER HAVE A PC AGAIN -- APPLE HERE I COME WILL SOON START WITH 5 IN THE OFFICE -- IT IS VERY SAD THAT A BIG COMPANY LIKE BILL GATES & MICROSOFT CANNOT PUT OUT A PRODUCT THAT IS PRE TESTED AND WORKS. i AM VERY FRUSTRATED AND ANGRY. ONCE YOU BUY INTO vISTA I GUESS THERE IS NO GOING BACK YOU ARE STUCK. tHAT IS WHAT i HAVE BEEN TOLD

re: Q1 2008 - Client OS Vulnerability Scorecard

vook — Wed, 18 Jun 2008 08:20:53 GMT

Further, it has been reported that Vista is 873% more secure than Amiga OS, and 1283% more secure than Tandy's "Personal Deskmate". BeOS users too have been exceedingly vulnerable to attacks.

Finally, Microsoft has proven that todays Vista is more secure two years ago than a Linux from two years ago is today.

re: Q1 2008 - Client OS Vulnerability Scorecard

jrjones — Sat, 21 Jun 2008 01:25:53 GMT

> @James

> And just how old is Ubuntu 6.06? Is it as old as Windows 2000?

> JamesNT

Ubuntu 6.06 LTS (Long-term support) shipped about 2 years ago on June 1, 2006. So, if you want to put it in terms relative to other OSes:

* 6 years newer than Windows 2000

* 3 years newer than WS2003

* 1+ year newer than RHEL4

* Roughly 6 months older than Windows Vista

* Roughly 9 months older than RHEL5

So, yeah, ancient.

Seriously, 6.06 was the Enterprise-support version of Ubuntu that was available during the time period. The newer ones you mention only get updates for an 18 month period and then are abandoned - from a business perspective this is not an option for most companies.

re: Q1 2008 - Client OS Vulnerability Scorecard

Liz — Wed, 25 Jun 2008 01:32:23 GMT

YOU SUCK WINDOWS!!!! muwahahaha get a mac!! or just dowload lynux!!!!

re: Q1 2008 - Client OS Vulnerability Scorecard

Majel — Wed, 25 Jun 2008 04:33:31 GMT

I just downloaded the Service Pack 1 for Vista.

My system now runs slower and I can't get my Internet Explorer to connect or stay connected when I can get it to talk to me.

I am forced to use Firefox to get on line.

re: Q1 2008 - Client OS Vulnerability Scorecard

James McDonald — Wed, 25 Jun 2008 18:39:53 GMT

A lot of the time I am unable to send messages. It tells me that I cannnot send because there is an error. I think my mail is being checked. Also I cannot find a way to delete items a lot of the time and cannot find the Uninstall program. Help me.

James McDonald

re: Q1 2008 - Client OS Vulnerability Scorecard

wonstepp — Sat, 28 Jun 2008 16:29:35 GMT

WOW Its funny how linux is less secure then MS Vista and Vista is built on the linux kernel. Stop and think about this for a minute. Okay enough of that now lets have an internet explorer that asks you if you are sure you want to go to every single website. Is that really security or is it border line stupidity. About 80% of MS Vista users just click yes when they are asked if they are sure they want to do this. They really have no clue. You could a popup that asks if you would like to FDISK your hard drive and they will click yes. No I think Microsoft has taken the easy way out. It is up to the endusers that have no clue what they are clicking OK to and Microsoft will say they authorized it that is why they lost the OS or got infected beyond repair.

Evaluación de vulnerabilidades de Seguridad de Windows

Seguridad — Mon, 30 Jun 2008 17:48:07 GMT

Jeff Jones ( http://blogs.technet.com/security/archive/2008/05/15/q1-2008-client-os-vulnerability-scorecard

re: Q1 2008 - Client OS Vulnerability Scorecard

happyjoe — Thu, 03 Jul 2008 04:10:37 GMT

I created my own OS. Works perfect for me.

re: Q1 2008 - Client OS Vulnerability Scorecard

banana's — Fri, 04 Jul 2008 13:26:57 GMT

Microsoft Vista is class. Pure secure and non-vulnerable it is also extremely fast.

re: Q1 2008 - Client OS Vulnerability Scorecard

Microsoft are a bunch of liars — Tue, 08 Jul 2008 02:04:34 GMT

MS Windows has been nothing but crapola since day one. Nothing more than deceitful marketing gimmics fueled by the desire to make money rather than quality. Just get a FREE copy of "tried, tested and true" linux or even Red Hat for a hunder bucks if you need support and flush your copy of windows down the toilet cause it's a piece of ....

re: Q1 2008 - Client OS Vulnerability Scorecard

Debbie — Wed, 09 Jul 2008 21:37:13 GMT

I am in need of a security system for our home PC. We had McAfee and do not want it again. What is your best suggestion for Windows Vista on security? Thank you in advance

Debbie Landers

re: Q1 2008 - Client OS Vulnerability Scorecard

Tabasco — Sat, 12 Jul 2008 17:19:16 GMT

Don't go with Symantec... It's serious bloatware, although it does work pretty well. I've found PC Tools Spyware Doctor w/ Av to work very well, with no issues, and it's inexpensive and well-supported. Also, stay away from iolo's System Mechanic Pro. The company's support is poor and although the product is getting better, it still is pretty buggy. Avast! is a great free AV, and it has saved me from many malware incidents in the recent past. -- Microsoft also has a 90-day free trial for OneCare, which is a nice tool and integrates well into Vista, not to say that the others don't, but OneCare just seems to do it with more finesse. In the end, anything you have will be better than not using anything. Never go online naked. ;-)

re: Q1 2008 - Client OS Vulnerability Scorecard

Keith — Mon, 14 Jul 2008 03:35:29 GMT

I am still amazed at the way Microsoft allows its OS to be loaded on most everything, hardware wise. And they design it for that… as suppose to Mac OS’s very limited hardware platforms. Sure if you limit yourself to a specific hardware setup(s), building a stable OS is much, much easier. I see the real problem is every one wants to run Microsoft OS’s, and Microsoft has worked to feed that market demand at a cost to itself, mainly in criticism when it doesn’t work right the first time out of the box.

I would suspect the Vista fiasco is more of warning shot to hardware manufactures and OEMs. You can’t blame the OS for everything! It is widely known that Nvida and ATI had significant Vista driver issues – yet the blame was put upon the OS. OEM’s that keep this up will some day be looking to bid on the opportunity to supply hardware for the OS, as quality control is going to become the next big issue for Microsoft in the Windows 7 release. Microsoft needs a new winning OS to increase their sales and reputation.

When people post an opinion that the OS “sucks”, they should list why? I bet 9 out of 10 times they are trying to load it on some home built PC they built with hardware they choose because some tech web site made it sound great. Then they wonder why they have to hack it, tweak it or just complain about it. It has to be the OS they think… Hardware vendors are the real culprit here; yes they keep things cheaper at a significant quality cost which will affect your experience with the OS. This is why Mac OS X seems to have a more “happy” user base; they are not looking for specific North Bridge chipset or memory clock rates. They are looking for quality and immediate usability.

In the end, try loading Mac OS X 10.5.x on a Intel “Hackintosh” setup – most the time is doesn’t work the first time out of the box, if at all.

Apple is about quality, while Microsoft is compatibility.

re: Q1 2008 - Client OS Vulnerability Scorecard

Yert — Tue, 22 Jul 2008 02:29:01 GMT

This is unsurprising of course, with the events of the early decade (Microsoft focused on security); what I would like to see on this chart is XP in its first year or two. That would bring some perspective as to how secure Windows is now.

re: Q1 2008 - Client OS Vulnerability Scorecard

Dagoth Pie — Tue, 22 Jul 2008 13:46:35 GMT

you know its funny i saw this same comparrison on another site when vista first came out, not even comparing a current version of ubuntu....

re: Q1 2008 - Client OS Vulnerability Scorecard

Bob — Wed, 23 Jul 2008 19:53:55 GMT

@ M SHARON Tuesday, June 17, 2008 6:52 PM

Learn how to use a computer.

re: Q1 2008 - Client OS Vulnerability Scorecard

Ron Jon — Thu, 24 Jul 2008 00:49:06 GMT

Hmm... So basically the open source based operating systems have more people finding and fixing bugs faster versus Microsoft. That explains why Vista and Windows XP are garbage.

re: Q1 2008 - Client OS Vulnerability Scorecard

Andrew — Fri, 25 Jul 2008 05:59:54 GMT

Yeah, pretty much. the report mentions vulnerabilities that were addressed, but not vulnerabilities that were identified. And you'll notice that all of vista's vulnerabilities and most of xp's that were fixed were critical... meaning they don't fix the smaller ones.

re: Q1 2008 - Client OS Vulnerability Scorecard

prathap — Mon, 28 Jul 2008 00:11:53 GMT

I bought quickbooks version 5 basic and then bought a computer preinstalled with windows vista. but unfortunately, quickbooks version i bought works only in xp and no help from either side.

re: Q1 2008 - Client OS Vulnerability Scorecard

Luke B — Mon, 28 Jul 2008 12:42:55 GMT

What absolute garbage. This positions itself as a tally of how many security vulnerabilities were found, when in fact it is a tally of who PATCHED the most vulnerabilities.

I can't believe Microsoft is spinning the fact that Apple found and CLOSED more security holes in OS X than Microsoft did in Windows as a positive thing.

I have never seen such nonsense. Guess what moron... a patched vulnerability isn't a vulnerability any more... Every piece of software has security holes in it, all this report proves is that on an Apple or Linux OS you're about 4 times more likely to see those holes plugged than on Windows.

And don't try to pretend that there are not more unpatched security holes in vista... there are, otherwise you would have used the figures for the number of holes detected, or the percentage of known holes which were patched, but you didn't

In fact by your own admission, this is not even a measure of the security of an OS. Taken from the report itself, you claim...

"Is there anything in this analysis which will prove one piece of software is “more secure” than another?

No, not really."

So if you know it is not a measure of security, why does Microsoft use this on their "learn the truth" about vista campaign to claim vista is "89% fewer vulnerabilities than Mac OS X Leopard".

FACT. In the first three months of the year, Microsoft, arguably the biggest, most influential software company on the planet, managed to close only 9 of the potentially millions of software bugs and security bugs (both known, and as yet unknown) in it's core OS.

FACT. In the same time period, most linux distros, mostly staffed by hobbyists and noble-do-gooders, managed to find on average about 70 vulnerabilities AND CLOSE THEM (as in stop them being a vulnerability any more) out of the millions of potential (discovered and as yet undiscovered) security vulnerabilities out there.

FACT. In the same time period Apple, a company with arguably the least reason to need to patch major security vulnerabilities (Small consumer market share, but very very small market share in business and enterprise, where these potential vulnerabilities can be really devastating) managed to CLOSE the most vulnerabilities of everyone. They found and closed approaching 90 of the potentially millions of discovered and undiscovered software bugs in it's core OS.

Does that mean that Mac OS X is the most secure then? NO, that's the point, the software is different, no-one knows how many bugs there are in the software, they're undiscovered. The difference is this, Microsoft seem only to be interested in plugging a few of the biggest security holes, and probably not until they are discovered and become quite high profile, Apple and most Linux Distros on the other hand, seem committed to closing as many holes as possible, big or small, before they have the chance to be exploited on any large scale.

It's easy to say "We had to put out the least fixes, so our OS must be the most secure", but the facts just don't support that hypothesis. And the real world experience doesn't match up either. Find me a Mac user who has been affected by one of these unpatched vulnerabilities, and i will show you 500 Windows users who claim to have been hacked, had spyware silently installed, downloaded virus's and generally mucked up their windows computer. You can't convince someone their real life experience isn't real just by quoting numbers at them... the fact remains, their windows OS is still slowed down to a crawl by malware, and all the software they run to stop it. And all it takes is one peice of malware, and all your good work is ruined, it can open up as many security holes as it likes.

re: Q1 2008 - Client OS Vulnerability Scorecard

Vlad — Tue, 29 Jul 2008 06:31:33 GMT

To Luke B: - what a bunch of unreasonable and illogical statements!

"a patched vulnerability isn't a vulnerability any more"

"AND CLOSE THEM (as in stop them being a vulnerability any more)"

- This is nonsense! It shows that your understanding of the problem is very shallow. Do you really believe that every O/S installation gets patched immediately after a new security fix released? In fact releasing a patch makes the vuln even more dangerous since the patch could be relatively easily reverse engineered and exploited.

"Microsoft, arguably the biggest, most influential software company on the planet, managed to close only 9 of the potentially millions of software bugs and security bugs (both known, and as yet unknown) in it's core OS."

- You're blaming MSFT for producing and reporting less security bugs than competitors? That sounds like blaming Honda or Toyota for making fewer recalls than other companies, or accusing people of not reporting their home security codes and time of absence to public.

Every published vulnerability, even fixed and "closed", is a threat to large number of customers and is by far more dangerous than an undiscovered one.

"Microsoft seem only to be interested in plugging a few of the biggest security holes, and probably not until they are discovered and become quite high profile. Apple and most Linux Distros on the other hand, seem committed to closing as many holes as possible, big or small, before they have the chance to be exploited on any large scale."

- I understand your skepticism but be a little bit more fair in your assumptions. Give us some facts rather than just empty rhetoric. No one tries to pretend that there are not more unpatched security holes in Vista. However, also take into consideration that Vista is being much heavily pentested than any other O/S and don't forget that only little market share prevents Mac and Linux customers from being targeted by criminals on a much larger scale.

re: Q1 2008 - Client OS Vulnerability Scorecard

Martinos — Wed, 20 Aug 2008 22:51:00 GMT

Here is intresting people� Lets talk!,

re: Q1 2008 - Client OS Vulnerability Scorecard

Kleanthe — Thu, 21 Aug 2008 00:54:53 GMT

The site�s very professional! Keep up the good work!,

re: Q1 2008 - Client OS Vulnerability Scorecard

Kostas — Thu, 21 Aug 2008 00:54:57 GMT

Hi this is a very informative site!,

re: Q1 2008 - Client OS Vulnerability Scorecard

Charalampos — Thu, 21 Aug 2008 00:55:04 GMT

Hi this is a very informative site!,

re: Q1 2008 - Client OS Vulnerability Scorecard

Paul M — Mon, 01 Sep 2008 17:37:33 GMT

one of the bigger issues with windows is that there are quite a number of severe bugs which have been in it a long time - not just days and weeks but months and years.

therefore to properly compare, you need a measurement of bug severity multiplied by the number of days the bug remained unfixed.

re: Q1 2008 - Client OS Vulnerability Scorecard

Jason — Fri, 05 Sep 2008 00:51:49 GMT

I would like to have the listed vulnerabilities for investigating, as I cannot find this list. The score card lists the locatsions, but I would like to analyze your compiled data.

I think this is to be a fair enough request, so your investigation can be scrutinized openly.

re: Q1 2008 - Client OS Vulnerability Scorecard

Keep_FreeBSD_FREE — Sat, 21 Mar 2009 08:23:57 GMT

Well how come FreeBSD didn't figure in this survey... Oh that's because its only had 2 security vulnerabilities in the core Kernel in 10 YEARS...

Someone spouted about how good Vista is security wise... forget it.. Swiss Cheese springs to mind when I see some of the "known" unfixed vulnerablilities... At least someone fixes them (or you can try to fix them yourself with Linux because you have access to the source code...)

Come on Microsoft release the source under the GPL... let everyone have a laugh at how bad your code really is....

re: Q1 2008 - Client OS Vulnerability Scorecard

tower defense — Tue, 14 Apr 2009 10:10:53 GMT

The report mentions vulnerabilities that were addressed, but not vulnerabilities that were identified. And you'll notice that all of vista's vulnerabilities and most of xp's that were fixed were critical... meaning they don't fix the smaller ones.