Why Vista is more secure than the rest

All written by Microsoft and usual tosh from MS. Jeff Jones's results have been proved to be flawed in many ways, many times.

If you've posted this and are serious then......wtf? If you posted this to put a smile on my face then :)

I posted it and am serious :) Why is it so hard to believe? You can do the research yourself if you like and you'll come to the same conclusion. Net conclusion will be that Vista has had significantly fewer and less severe vulnerabilities in general than XP at this stage in its lifecycle.

So are you saying that Vista has had more severe holes than XP? Is that what you intended to say? Surely not? I don't think even die hard open source advocates would be that fatally misguided.
 
Looks like you believe the propaganda from the other side of the fence.

Burnsy

But even Linus Torvalds commented a few months ago saying that Vista's security appears to be holding up much much better than XP's did :)

IMO this isn't about propaganda. It is about facts. The Microsoft document clearly states all of its sources/references so that others can duplicate the research and, hopefully, come to the same conclusion. Obviously that doesn't automagically make the research correct though... and I dare say that the Linux distros could have been stripped down a bit more from all their default install bloat. He commented in the article that he only disabled packages which he "felt" users would disable... that is wide open to opinion. But TBH you could write a whole thesis on just how to go about comparing Windows and Linux in security terms... and IMO that's not really the primary concern of the research.
 
Little confused? You say it's all about facts but then say that the research may not be correct? That was the point I was trying to make. As for the rest, I totally agree. Good post.

Yes but let's not get carried away with the whole Linux vs Vista thing. The point is that Vista is a vast improvement over XP for security :)
 
I did a little random googling last night, and the amount of random blogs and tech sites which agree with MS is staggering.

Yes but that's not really surprising :) The research's overall conclusion is valid IMO. Yes it isn't absolutely perfect and I can imagine quite a few Linux advocates aren't terribly happy with the report. But they should easily understand the report's reasoning and they should definitely be able to agree with Vista being more secure than XP. But clearly a little fine tuning of Linux's installed packages isn't going to make a vast difference to the outcome. Even from my own memory Vista had very very very few major security flaws last year, and even the handful of "major" ones had quite good mitigating factors. Linux on the other hand... I can remember getting probably 5 to 10 CERT bulletins in 2007... and CERT generally doesn't get out of bed unless something is really serious. But as I said I don't think this report was meant to "show up" the third party OSes. It was primarily for showing that Vista isn't quite as bad as the mass technology media makes out...
 
Loads of people dispute it... people on this very forum have slated Vista in the past as being "full of holes" or "swiss cheese"... and of course so has the technology media which is where those people got their misguided views from in the first place.

DEP and stack overflow protection were added yonks ago. XP SP2 for DEP and even further back for stack overflow protection. But that was a tweak to the VC++ compiler... not the OS. IIRC VC++ was the first compiler to add it - since we seem to be counting brownie points here :/
 
Haha, the VC++ (/GS) then was easily defeated (http://www.nextgenss.com/papers/defeating-w2k3-stack-protection.pdf). I don't know what it's like these days.. GCC 2.7 had Stackguard support since (1999/1998). /GS in VC++ was around 2003 ish I think..
*shrugs* Not quite sure why you've turned this into a ****ing contest? :confused: End of the day all these little ring3 protections are futile... they are just there to make it harder. Compiler stack overflow protections were really just a stop-gap until the No Execute bit came along in processors.

If you take a look at how many programs on Vista are compiled with ASLR or using unsafe functions, Vista still has a way to go.
Yup... however at least around 95% of the core OS has got both DEP and ASLR enabled.

IE7 has DEP and ASLR actually. Little known fact... As long as you have UAC enabled and hence Protected Mode then it has DEP & ASLR. Because IE7 on Vista runs each tab/instance in a separate "worker process" called ieuser.exe which has extremely low security privileges as well as having DEP & ASLR. The parent process "iexplore.exe" is nothing more than a GUI shell.

See this screenshot:


I like the way they don't put any BSDs on there. OpenBSD would seriously skew the statistics.
It will be interesting seeing Server 2008's report in a year's time.

Then again, this is pointless.. this stuff will never be fixed until developers get a good security background.
To be honest any developer worth their salt knows about security nowadays.

Exactly, MS are known for silently patching security vulnerabilities as Product Updates/Enhancements. You can't compare the hundreds of packages in the Linux distro repositories with Vista core OS code.. It's like including 3rd party programs like flash/firefox etc.. I don't really know a good metric to compare OS security realistically..
0-Day Patch - Exposing vendors (in)security performance (http://www.blackhat.com/presentations/bh-europe-08/Frei/Presentation/bh-eu-08-frei.pdf). Gives some nice realistic statistics from the major OS vendors on 0-days. Who knows how many unreported vulnerabilities are out there.. I wouldn't like to guess.
To be fair many of the patches to Vista in the last year weren't "core OS". Many of them were just peripheral programs like even Windows Defender! Hunk of junk that it is...

I find that PDF a little misleading. I mean just from observing their graphs on the 3rd page they seem to be discounting the significance of actually getting the patch onto customer servers. It doesn't matter if you release a patch within 5 hours. If it takes another month or even years for that patch to reach 95% of your customers then you have still failed. Why is it seemingly only Microsoft that takes patch delivery very very seriously?
 