Linked by Thom Holwerda on Mon 25th Jun 2007 20:40 UTC, submitted by anonymous
Thread beginning with comment 250696
Here is my critical analysis of the vulnerability report (the pdf):
First of all, I wanted to know who paid for this analysis. And I was not really surprised:
"Jeff Jones is a Security Strategy Director in Microsoft's Trustworthy Computing Group"
Second, I read in detail about the used metrics, to find the usual flaw (comparing Windows to a full Linux distro), but did not find it. They actually made some effort to strip down the distributions a little to make the feature set covered more equal (although it was not mentioned in detail how much the distros have been stripped down). Nevertheless, KUDOS so far!
Third, I wanted to see different metrics, like "Worms in the Wild" during those 6 months, or "Number of days during which a vulnerability was actively exploited before a fix arrived". None to be found.
So the most conclusive thing which remains is the following:
In this report Windows XP looks as if its security were FAR better than for any Linux distribution. As we all know, Windows XP before Service Pack 2 was regularly plagued by virus and worm outbreaks, which were almost absent for Linux. Even if only counting manual attacks on larger machines, only 50% of the cracked machines were Linux, when they had a higher market share in the webserver business than 50%. It seems like in this report the wrong metric has been used.
So for XP my conclusion is: There have been so few vulnerabilities disclosed, because nobody who looked out for vulnerabilities had an interest in disclosing them. The crackers kept them to themselves so that they could exploit them, and Microsoft kept them to themselves to avoid bad press. On the other hand, in an open source distribution there is no such thing as a vulnerability which is not disclosed by the vendor; only the crackers keep vulnerabilities secret.
In effect, one could even twist the conclusion of the study around: Linux had more vulnerabilities fixed than Windows, hence it must be more secure. This would be true for equal total numbers of vulnerabilities in each codebase (an unknown number of course).
I explicitly do not want to make people think that Vista has to be worse than XP because fewer vulnerabilities have been fixed; it is very likely that the opposite is true, but what I want to clearly say is:
This vulnerability report says absolutely nothing about the risk of being exploited with any of the covered systems. It does not say that Vista is better than XP or that Linux is better than Vista, or the other way around, regarding security.
Sadly, the Microsoft public relations machine does spin it as if such a conclusion were possible. And that is the REAL reason to be outraged.
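The comment above argues that a count of fixed vulnerabilities and an exposure-based metric such as "days during which a vulnerability was unpatched or exploited" can rank two products in opposite orders. The following is an added illustration of that point, not code from the report or from the commenter; all products, identifiers and dates are constructed for the example, and the two metrics are straightforward definitions chosen here, not the report's methodology.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional


@dataclass(frozen=True)
class VulnRecord:
    """One vulnerability as seen over a reporting period (constructed data)."""
    vuln_id: str                 # hypothetical identifier, not a real advisory
    disclosed: date              # first public disclosure
    fixed: Optional[date]        # date the vendor fix shipped; None = still open
    exploited_in_wild: bool      # whether active exploitation was observed


def fixed_count(records: List[VulnRecord], period_end: date) -> int:
    """The report-style metric: how many vulnerabilities got a fix in the period."""
    return sum(1 for r in records if r.fixed is not None and r.fixed <= period_end)


def exposure_days(records: List[VulnRecord], period_start: date,
                  period_end: date, exploited_only: bool = False) -> int:
    """Sum of days each vulnerability was public and unpatched inside the period.

    A vulnerability that is still open (or fixed after the period) counts up to
    period_end; with exploited_only=True only actively exploited ones are summed.
    """
    total = 0
    for r in records:
        if exploited_only and not r.exploited_in_wild:
            continue
        start = max(r.disclosed, period_start)
        end = r.fixed if (r.fixed is not None and r.fixed <= period_end) else period_end
        if end > start:
            total += (end - start).days
    return total


def summarize(records: List[VulnRecord], period_start: date, period_end: date) -> dict:
    """Return both metrics side by side so the ranking disagreement is visible."""
    return {
        "fixed_count": fixed_count(records, period_end),
        "exposure_days": exposure_days(records, period_start, period_end),
        "exploited_exposure_days": exposure_days(records, period_start, period_end,
                                                 exploited_only=True),
    }


# Constructed six-month window and two constructed products.
PERIOD_START = date(2007, 1, 1)
PERIOD_END = date(2007, 6, 30)

# Product A: five disclosed issues, each fixed within five days, none exploited.
PRODUCT_A = [
    VulnRecord(f"A-{i}", date(2007, i, 10), date(2007, i, 15), False)
    for i in range(1, 6)
]

# Product B: two disclosed issues, both exploited, one still unpatched at period end.
PRODUCT_B = [
    VulnRecord("B-1", date(2007, 2, 1), date(2007, 2, 15), True),
    VulnRecord("B-2", date(2007, 3, 1), None, True),
]


if __name__ == "__main__":
    for name, records in (("A", PRODUCT_A), ("B", PRODUCT_B)):
        print(name, summarize(records, PERIOD_START, PERIOD_END))
```

By the fix-count metric product A looks worse (5 fixes versus 1), while by exposure product B is far worse (135 unpatched days, all of them under active exploitation, versus 25 with no exploitation); which product a reader would rather run depends entirely on which metric is reported.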