Jeff Jones, the Security Strategy Director for Microsoft’s Trustworthy Computing group, has assembled a 1-year analysis of Vista’s vulnerabilities. In his 6-month review Vista came out on top when pitted up against other operating systems, and stretching the timeline out over a 1-year period didn’t yield any different results.
In his report he wanted to clarify that he is not reviewing the actual security of an operating system, and is just using vulnerability reports to compile his results:
So, this is not an analysis of “the security”. I don’t look at protective mechanisms and see how they might protect in certain scenarios. Nor do I look at security features and see how they might enable better privacy or help secure business process. And I certainly don’t look at how easy it is to manage the security policy for these products.
The chart below covers the first year of vulnerabilities for 5 major operating systems. Vista was analyzed between November 30, 2006 and November 30, 2007, while the others were analyzed during their first year of release. Third-party applications commonly included with the Linux distributions, such as OpenOffice and Gimp, were ignored to keep things fair.

The results obviously point to Vista being a secure operating system. Jones said that he plans to do a 2007 (January 2007 to December 2007) vulnerability comparison of the various operating systems as well. What I would really like to see is a comparison of the amount of time vulnerabilities have gone unpatched. I wonder how that would affect the results?

An operating system is only as secure as the amount of spyware the users willingly install…
Sometimes I wonder if my friends purposely install spyware so they’ll have an excuse to talk to me. That’s really the only logical explanation for how they’d continually be infected. =P
The thing that amazes me is how people can actually be productive when they have 5 toolbars installed in Internet Explorer. They normally take up over half of the screen.
Well, most people who are really productive on the Internet don’t use Internet Explorer, and they certainly don’t install toolbars “just for the heck of it”. The users I know who have a bunch of toolbars all think that it’s normal to get them, so they don’t really do anything about it. It’s when their computer starts acting up that they actually begin to wonder what they might have done wrong. I still hate those programs that prompt you to install different toolbars, because inexperienced users will just click the default box and end up with an enormous amount of toolbars. Poor chaps.
As I’m sure you know, the whole point of spyware is to trick users into installing malware onto their computers. That’s the whole problem with malware. If a user decides to install something, even a good Anti-Virus program or a firewall program wouldn’t be able to stop them. Buying a good Anti-Virus/Anti-Spyware program is only half the battle. The other half is educating users about what they should or what they shouldn’t click on. It’s a shame that everyone I know is too stubborn to admit that they had ever clicked on a bad link. Oh well. It’s their computer, not mine.
_______
I’m actually surprised about the results. Don’t you think it’s odd that an open source operating system is patched much more than commercial operating systems? Sure, there aren’t as many hackers working to exploit Linux, but it’s still quite an achievement.
Somehow, I find it difficult to fold this sentence into my brain. Isn’t pretty much everything in a Linux distribution third-party software?
I mean, take Red Hat for example. What software are they developing in-house? Anaconda installation GUI. Maybe bits and pieces of RPM, although it’s an external project now, from what I know. Shells? Compilers? Even the Linux kernel itself is not an in-house project, even though they are spending plenty of time on that… Where does one draw a line between in-house application and a third-party one? And then, is it fair to compare what’s left to what is offered by other operating system vendors?
I hate those as well. That’s what really gets a lot of people, especially since all of the big companies (Google, Yahoo, Microsoft, etc…) are doing it now.
I guess I just worded that poorly. They didn’t include things that aren’t commonly found in both Windows and Mac OS X.
I see… Thanks for the clarification.