January 24, 2008

Vista vulnerabilities – a comparison.

Perhaps it’s a bit strong to say “if complete and utter chaos was lightning, Jeff Jones would be the sort to stand on a hilltop in a thunderstorm wearing wet copper armour and shouting ‘All gods are bastards’” (as a favourite quote has it), but you must admit it’s a better opening than “Blimey, XP was better than we thought”, or “See, there was no need to wait for Vista SP1”.

Jeff, you see, has posted on his blog an analysis of vulnerabilities in the first year of life of Windows Vista, Windows XP, two popular Linux distros and Apple’s Mac OS X 10.4. Here are the bare numbers (though you should read the whole thing).

| Metric | Windows Vista | Windows XP | Red Hat rhel4ws Reduced | Ubuntu 6.06LTS Reduced | Mac OS X 10.4 |
|---|---|---|---|---|---|
| Release date | 30-Nov-06 | 25-Oct-01 | 15-Feb-05 | 01-Jun-06 | 29-Apr-05 |
| Vulnerabilities fixed | 36 | 65 | 360 | 224 | 116 |
| Security updates | 17 | 30 | 125 | 80 | 17 |
| Patch events | 9 | 26 | 64 | 65 | 17 |
| Weeks with at least 1 patch event | 9 | 25 | 44 | 39 | 15 |

To explain the numbers a little, an update might fix more than one vulnerability, and more than one update might go out in a patch event. Apple seem to roll all their fixes for a given event into a single update.

Vista is the newest of these operating systems and you could argue that the art of software engineering has advanced. But then why did a 2001 Microsoft OS fare so much better than 2005/6 products?

With all the claims of the Linux community like “With many eyes all bugs are shallow” – how did Red Hat have 360 vulnerabilities? They released patches 44 weeks out of 52; 20 of their patches came in weeks when there had already been a patch. Ubuntu didn’t fare much better on that score.

If security vulnerability counts are indicative of bugs in general then Vista shipped in a better state than XP. Vista will go longer to SP-1 than XP did, and it seems that they’ll have roughly the same number of vulnerabilities fixed at SP-1.

So that’s all good – why the “Wet copper armour” quote – and Gizmodo agrees with me? Well, to bend another favourite quote, “The Internet is more full of exciting trolls and excruciating fan boys and girls than a pomegranate is of pips”. Most times I mention Apple I get visited by one set or the other. Jeff just called their babies ugly. He’s happy to discuss it. His document explains how he got to the numbers and he encourages people to do their own analysis. And he faces down the point that “Of course you think the Microsoft products are good because you work for Microsoft” by pointing out it’s the other way around: he works for Microsoft because he thinks the products are good. Like me. Like most of us.

