Microsoft Reports Vista Less Prone to Vulnerabilities
By Lawrence Walsh | Posted 2008-11-03
An analysis of security vulnerability and attack trends finds the beleaguered operating system is more resilient than its predecessor, Windows XP. The optimistic report may give Vista new life while Windows 7 is in development.
Despite Apple’s best marketing efforts to declare the death of Windows Vista, a new Microsoft security report that details a dramatic reduction in vulnerabilities in the struggling operating system may give it a second life until the introduction of its next-generation replacement, Windows 7.
In the fifth annual installment of the Microsoft Security Intelligence Report, being released later today, the software vendor will detail how Windows Vista has significantly fewer security problems than either Windows XP or Windows 2000, the previous two iterations of the world’s most widely deployed operating system.
According to the report, the number of reported vulnerabilities for the first half of 2008 (January through June) decreased 19 percent compared to the same period in 2007 and by 4 percent compared to the second half of 2007.
While overall vulnerabilities continued to decline, Microsoft found that attacks continue to creep up the OSI stack to the application layer, with more than 90 percent targeting application vulnerabilities.
Particularly good news for Microsoft operating system managers is the security data on Vista. The report found that five of the top 10 browser-based vulnerabilities affected machines running Windows XP, while no browser vulnerabilities affected machines running Vista. The volume of browser-based attacks also tips away from Microsoft; 42 percent of such vulnerabilities affect Windows XP machines while the balance affects third-party applications and operating systems, the report states.
While the report was prepared by Microsoft’s Malware Protection Center, the data lends credence to the software company’s claims that Vista is more secure and provides a greater level of protection than previous Windows versions. Microsoft is quick to say that this better security posture is a result of better coding, as well as the culmination of security fixes from previous operating system versions.
"With each service pack, it’s a full roll up of the patches, and with Vista, it’s a full roll up of all the XP service packs," says Jimmy Kuo, a principal architect at the Microsoft Malware Protection Center.
The Microsoft security report comes just a week after the software vendor announced the beta release of Windows 7 and the development of Microsoft Azure, a cloud-based operating system. These announcements at the Microsoft Professional Development Conference in Los Angeles led some to proclaim the official death of Windows Vista.
Some reports even claimed Microsoft was retiring the Vista branding in its marketing, given the sullied reputation it’s developed over the last 18 months. Apple, with its witty Mac and PC persona commercials, was quick to jump on this by airing new spots of the PC guy hitting a buzzer every time the Mac guy said "Vista."
Microsoft refutes any claims that Vista is being retired and says the operating system remains supported through the development of Windows 7. The company is continuing to recommend enterprise and business users—which have been slow to make the transition to Vista—adopt the new operating system to leverage its security and productivity benefits.
While Microsoft stops short of calling Windows Vista a stepping stone to Windows 7, it strongly implies as much, stating that Windows 7 will likely share a common architecture with Vista, and adopting Vista today will likely make for an easier transition to Windows 7 when it’s released.
"We expect that Windows 7 will run most if not all applications that run on Windows Vista. Because of that, the transition to Windows 7 should be much more straightforward for customers who move to Windows Vista in the interim," Microsoft said in a statement.
Should solution providers push their customers to adopt Windows Vista, even as an interim measure? Should end users abandon Windows XP for Vista out of security concerns? Even Microsoft’s own experts say the answer isn’t that clear cut.
"Security is always something you have to measure protection and productivity, and each company needs to evaluate what that benefit would be," Kuo said.
The fifth installment of the Microsoft Security Intelligence Report does claim a significant victory for Microsoft in the security war—its ability to quickly identify and resolve security vulnerabilities. Over the years, Microsoft has developed an agile process for analyzing security problems and deploying patches. The process is becoming so efficient that the company claims that it’s often responding to security threats three times faster than other software makers.
"The attacks are going to the application layer and distributed across the industry," Kuo said. "Other software makers need more and better processes for patching and with greater consistency."