During Vista's first year of availability, Microsoft released 17 security bulletins patching 36 vulnerabilities for the OS, according to Jeff Jones, security strategy director in Microsoft's Trustworthy Computing Group.
Twelve months after XP's Oct. 25, 2001 release, Microsoft had distributed 30 bulletins for 65 flaws in the OS. However, because the software giant had not yet instituted its Patch Tuesday program, the bulletins were distributed on 26 different days, according to Jones.
The security strategist compared Vista's rookie-year record to other operating systems that have been available for more than 12 months and found that the latest version of Windows has had fewer flaws over that period than Red Hat's Enterprise Linux 4, Ubuntu 6.06 LTS, and Apple's Mac OS X 10.4.
Jones said that Microsoft's patching policy has led to IT professionals spending less time fixing Windows PCs than other operating systems.
“Patch events [distributions of one or more bulletin] are an indirect measure of how the combination of product security quality and vendor update release policies and processes impact security administrators – specifically, how many days in the year did the administrators have to mobilize to deploy one or more security updates,” Jones said on his security blog. “My analysis found that administrators were required to mobilize much less often for Windows Vista than any other product examined.”
Microsoft released Vista for enterprise clients, along with Office 2007, in November 2006. The home version was distributed two months later.
The Redmond, Wash.-based corporation has said it is planning to release Service Pack 1 for Vista during 2008's first quarter, and Service Pack 3 for XP during the first three months of this year.
Eric Schultze, chief technology officer at Shavlik, a patch management vendor, told SCMagazineUS.com today that “these are statistics – they can make them look very good for themselves, but I can also make the statistics look very bad for them.”
“They talk a lot about how Vista has received fewer patches, but if I look at December 2007, there were more patches released for Vista than any other operating system, and if I look at August, October and December 2007, more than half of the patches released each month were applicable to Vista,” he said. “I think that part of it is spin, and part of it is irrelevant. I think there was a focus on the greater number of vulnerabilities in XP than the number in Vista, and it really comes down to how you define vulnerabilities. Sometimes, one patch can fix 10 vulnerabilities, and as an end-user, I don't care how many vulnerabilities there are, I just care that they're fixed.”
Dave Marcus, security research and communications manager at McAfee Avert Labs, told SCMagazineUS.com today that Vista has a number of security improvements, but that it has not yet been “tried and tested” as a widely deployed operating system.
“[Jones] makes a really strong argument in his blog, but you can't get around the fact that uptake has been way behind what XP's was for the same period of time. I don't know any businesses or any military or federal organizations that are running Vista,” he said. “If no one is running Vista, a malware writer does not have any reason to write malware for it.”