Microsoft Reports Vista Less Prone to Vulnerabilities

Despite Apple’s best
marketing efforts to declare the death of Windows Vista, a new
Microsoft security report that details dramatic reduction in
vulnerabilities in the struggling operating system may give it second
life until the introduction of its next-generation replacement, Windows
7.

In the fifth annual
installment of Microsoft Security Intelligence Report being released
later today, the software vendor will detail how Windows Vista has
significantly fewer security problems than either Windows XP or Windows
2000, the previous two iterations of the world’s most widely deployed
operating system.

According to the
report, the number of reported vulnerabilities for the first half of
2008 (January through June) decreased 19 percent compared to the same
period in 2007 and by 4 percent compared to the second half of 2007.

While overall
vulnerabilities continued to decline, Microsoft found that attacks
continue to creep up the OSI stack to the application layer, where more
than 90 percent targeting application vulnerabilities.

Of particularly good
news to Microsoft operating system managers is the security data on
Vista. The report found that five of the top 10 browser-based
vulnerabilities affected machines running Windows XP, while no browser
vulnerabilities affected machines running Vista. The volume of
browser-based attacks also tips away from Microsoft; 42 percent of such
vulnerabilities affect Windows XP machines while the balance affects
third-party applications and operating systems, the report states.

While the report was
prepared by Microsoft’s Malware Protection Center, the data lends
credence to the software company’s claims that Vista is more secure and
provides a greater level of protection than previous Windows versions.
Microsoft is quick to say that this better security posture is a result
of better coding, as well as the culmination of security fixes from
previous operating system versions.

“With each service
pack, it’s a full roll up of the patches, and with Vista, it’s a full
roll up of all the XP service packs,” says Jimmy Kuo, a principal
architect at the Microsoft Malware Protection Center.

The Microsoft
security report comes just a week after the software vendor announced
the beta release of Windows 7 and the development of Microsoft Azure, a
cloud-based operating system. These announcements at the Microsoft
Professional Development Conference in Los Angeles lead some to
proclaim the official death of Windows Vista.

Some reports even
claimed Microsoft was retiring the Vista branding in its marketing,
given the sullen reputation it’s developed over the last 18 months.
Apple, with its witty Mac and PC persona commercials, was quick to jump
on this by airing new spots of the PC guy hitting a buzzer every time
the Mac guy said “Vista.”

Microsoft refutes any
claims that Vista is being retired and says the operating system
remains supported through the development of Windows 7. The company is
continuing to recommend enterprise and business users—which have been
slow to make the transition to Vista—adopt the new operating system to
leverage its security and productivity benefits.

While Microsoft stops
short of calling Windows Vista a stepping stone to Windows 7, it makes
a strong inference, stating that Windows 7 will likely share a common
architecture with Vista, and adopting Vista today will likely make for
an easier transition to Windows 7 when it’s released.

“We expect that
Windows 7 will run most if not all applications that run on Windows
Vista. Because of that, the transition to Windows 7 should be much more
straightforward for customers who move to Windows Vista in the
interim,” Microsoft said in a statement.

Should solution
providers push their customers to adopt Windows Vista, even as an
interim measure? Should end users abandon Windows XP for Vista out of
security concerns? Even Microsoft’s own experts say the answer isn’t
that clear cut.

“Security is always
something you have to measure protection and productivity, and each
company needs to evaluate what that benefit would be,” Kuo said.

The fifth installment
of the Microsoft Security Intelligence Report does claim a significant
victory for Microsoft in the security war—its ability to quickly
identify and resolve security vulnerabilities. Over the years,
Microsoft has developed an agile process for analyzing security
problems and deploying patches. The process is becoming so efficient
that the company claims that it’s often responding to security threats
three times faster than other software makers.

“The attacks are
going to the application layer and distributed across the industry,”
Kuo said. “Other software makers need more and better processes for
patching and with greater consistency.”