Windows Vista was hit by significantly fewer publicly disclosed security flaws in its first year than Windows XP and open source rivals in their first years, according to a report from Microsoft.
The report, written by Jeff Jones, a security strategy director in Microsoft’s Trustworthy Computing group, is part of Microsoft’s effort to show that its work on redesigning the security architecture and adding new security features to Vista have paid off.
Jones’ report comes in the wake of an InfoWorld petition signed by 30,000 people that asks Microsoft not to discontinue Windows XP as planned on June 30, but to instead keep it available alongside the newer Windows Vista indefinitely.
Jones also found that changes to the way Microsoft handles patching has resulted in less work for system administrators on Vista compared to Windows XP.
The report also comes on the heels of figures from Secunia, which reported fewer vulnerabilities for Windows in 2007 compared to open source operating systems in the same time period. However, Microsoft’s report compares the way each OS fared in its first full year of supported distribution.
Comparisons between different types of operating systems on the basis of numbers of public bug reports are often downplayed by security experts, who say they are only part of the picture. For instance, Linux-based OSs are composed mainly of third-party components whose bug reports are all known publicly, whereas third-party components play a small part in Windows and many bugs may be uncovered but not made public.
However, Microsoft’s main interest with the new report is in convincing users that Vista – which has received heavy criticism over bugs and usability issues – is more secure and more easily managed than XP.
“The results of the analysis show that Windows Vista has an improved security vulnerability profile over its predecessor,” said Jones in the report. “Analysis of security updates also shows that Microsoft improvements to the security update process and development process have reduced the impact of security updates to Windows administrators significantly compared to its predecessor.”
In its first year Microsoft released 17 security bulletins and patches affecting Vista, compared to 30 for XP in its first year, Jones said.
Microsoft fixed 36 bugs in Vista compared to 65 in XP, and there remained 30 unpatched bugs in Vista, compared to 54 for XP in their first years.
The number of vulnerabilities fixed in Mac OS X and in Linux-based operating systems was higher in their first years, Jones said: 360 in Red Hat Enterprise Linux 4 Workstation, 224 in Ubuntu 6.06 LTS and 116 in Mac OS X 10.4.
The figures for Red Hat and Ubuntu apply to a reduced set of components, which Jones used in order to make the figures more comparable to those of Windows.
“It is a common objection to any Windows and Linux comparison that counting the ‘optional’ applications against the Linux distribution is unfair, so I’ve completed an extra level of analysis to exclude component vulnerabilities that do not have comparable functionality shipping with a Windows OS,” Jones wrote.
Jones compared the number of “patch events” during the year for each operating system, indicating the number of days out of the year that administrators needed to deal with patches for each OS.
“My analysis found that administrators were required to mobilize much less often for Windows Vista than any other product examined,” he wrote.
Vista had nine patch events, XP had 26, Red Hat had 64, Ubuntu had 65 and Mac OS X had 17, Jones found.
Jones admitted that the figures do not indicate which operating system is “more secure” than the others, saying any such analysis would need to look at software quality, administrative controls, physical controls and other issues.
However, he said the figures were nonetheless important within their context. “This report is a vulnerability analysis, which may provide some elements that could be part of a broader security analysis,” he wrote.