FUD Alert! Vista Security Report Card

I saw this article summarized on Slashdot this morning. Headline: Microsoft Claims ‘Vista Has Fewer Flaws Than Other First-Year OSes.’ According to the article, Vista released 17 security bulletins and fixed 36 vulnerabilities in the first year, which is a big improvement over XP’s hit counts of 30 and 65 respectively. The article continues by comparing these figures to the first-year vulnerability numbers for Red Hat (360), Ubuntu (224) and Mac OS X (116). One security specialist is quoted, stating that these numbers “prove that [Vista] is quantitatively more secure.” He then chastises other OS vendors for their negligence in QA and security testing.

When you read this article, does it make you doubt the security of Linux and OS X? That’s the intended message, no?

I find this article misleading for a few reasons:

  • Vista numbers are based on actions Microsoft decided to take: release bulletins and fix vulnerabilities. There is an element of subjectivity here.
  • The article discloses that 30 Vista vulnerabilities remain, which brings the number of known vulnerabilities to 66. Sometimes, ‘known’ translates into ‘disclosed’.
  • An assumption is made that the writing of Vista and the compilation of a Linux distro are comparable activities. They are not, and the vulnerabilities associated with these activities likely have different statistical distributions.
  • The scope and risk of the vulnerabilities fixed are not discussed. Microsoft may have fixed 17 big problems, where as Ubuntu fixed 224 small ones. For all we know, the cumulative effect could be equal.
  • The security specialist states that Vista underwent more testing than the other OSes. He makes no reference to the relative quality of that testing. “More” doesn’t mean “better.” And what does “more” mean anyway? Was the testing measured in dollars spent? Number of testers? Number of test cases?

An analysis of the actual report would probably provide more clarity. Moreover, independent verification of the numbers would boost the integrity of the conclusions drawn. The validity of the actual results, however, does not change the intent of those who report on them. FUD, I say!


Tags: , , , , , , , , ,

4 responses to “FUD Alert! Vista Security Report Card”

  1. Roy Schestowitz says :

    Secunia issue some similar FUD improper counting. Microsoft hides it flaws so that they don’t get count. See http://boycottnovell.com/2008/01/20/analysts-deceive-on-vista/

  2. Roy Schestowitz says :

    [Pedant (many typos)]: Secunia issued some similar FUDinvloving improper counting. Microsoft hides its flaws so that they don’t get counted.

  3. Michael Johnson says :

    I haven’t looked at this particular report, but typically the 360 or 224 vulnerabilities fixed are for the entire distribution – including things like OpenOffice.org, Firefox, and any other of the thousands of applications the typical Linux distro makes available. This is compared to the base Windows install, including only the applets installed by the OS. In other words, it’s an apples to oranges comparison.

    If instead you include only the core files needed for a desktop with a few utilities (X Window, media player, simple text editor, terminal, etc) and simple games (solitaire, majohng, etc) you’ll get a much better picture.

    If you look at the stats page from Secunia
    http://secunia.com/product/14068/?task=statistics – ubuntu 7.04 stats

    A quick scan of the actual vulnerabilities for Ubuntu 7.04 reveals such programs as OpenOffice.org, MySQL, postgresql, PHP, xen (virtualization), vmware (commercial virtualization), koffice, various TeX related packages (a high-end layout system), ImageMagick (image manipulation toolkit), Apache (web server), GIMP (think slightly lower-end Photoshop), tcpdump (network monitoring tool), Evolution data server (equivalent to MS Exchange) and more.

    Now, granted, there are several that affect a basic install, even from this list, but look how many are packages MS would charge extra for. Apache+Evolution+PHP+xen+MySQL+PHP is the equivalent of several thousands of dollars worth of extra software from Microsoft. These all ship with Ubuntu.

    Also, as mentioned, the severity of the vulnerabilities probably don’t even compare. In fact, on Secunia’s front page is an extremely critical issue for MS Excel that allows a remote attacker to take over a Windows machine with Excel installed.

    For Ubuntu 7.04 there were 0 extremely critical vulnerabilities. Also 100% of all known vulnerabilities in Ubuntu have been patched. For Vista there’s unpatched vulnerability (out of 21! Ubuntu was listed with 103) and one extremely critical vulnerability. In other aspects they are similar, percentage-wise. But Ubuntu is dealing with literally thousands of applications and utilities while Vista is dealing with… well, Vista.

    Sorry to get so long winded on this, but this is a site about FUD – and Microsoft is expert at dishing it. But when you compare what is *really* being reported things look different.

  4. Stephen Boyd says :

    If Microsoft did in fact say ‘Vista Has Fewer Flaws Than Other First-Year OSes.’ Then that is misleading. I’m not aware of any security flaws in Amiga os/4 and that was released within the last year. Hope someone sues them over that 😀

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: