Jeff Jones, the Security Strategy Director for Microsoft’s Trustworthy Computing group, has assembled a 1-year analysis of Vista’s vulnerabilities. In his 6-month review Vista came out on top when pitted up against other operating systems, and stretching the timeline out over a 1-year period didn’t yield any different results.
In his report he wanted to clarify that he is not reviewing the actual security of an operating system, and is just using vulnerability reports to compile his results:
So, this is not an analysis of “the security”. I don’t look at protective mechanisms and see how they might protect in certain scenarios. Nor do I look at security features and see how they might enable better privacy or help secure business process. And I certainly don’t look at how easy it is to manage the security policy for these products.
The chart below covers the first year of vulnerabilities for 5 major operating systems. Vista was analyzed during November 30, 2006 and November 30, 2007 while the others were analyzed during their first year of release. And third-party applications commonly included with the Linux distributions, such as OpenOffice and Gimp, were ignored to keep things fair.
The results are obviously point to Vista being a secure operating system. Jones said that he plans to do a 2007 (January 2007 to December 2007) vulnerability comparison of the various operating systems as well. What I would really like to see is a comparison of the amount of time vulnerabilities have gone unpatched. I wonder how that would affect the results?