
More Than Half of Known Vista Bugs are Unpatched

Posted by Zonk
from the bugtracker-is-half-empty-attitude dept.
MsManhattan writes "Microsoft security executive Jeff Jones has disclosed that in the first six months of Vista's release, the company has patched fewer than half of the operating system's known bugs. Microsoft has fixed only 12 of 27 reported Vista vulnerabilities whereas it patched 36 of 39 known bugs in Windows XP in the first six months following its release. Jones says that's because "Windows Vista continues to show a trend of fewer total and fewer high-severity vulnerabilities at the six month mark compared to ... Windows XP," but he did not address the 15 unpatched flaws."
  • by otacon (445694) on Friday June 22, 2007 @10:11AM (#19607757)
    announce something like that? That's not exactly the best PR for Vista. Then again Vista isn't exactly good PR for Microsoft.
    • by ThinkFr33ly (902481) on Friday June 22, 2007 @10:20AM (#19607889)
      Well, they didn't.

      If you RTFA, you'll see that Vista's unpatched vulnerabilities are not considered "critical" because, thanks to Vista's improved security model, they are virtually impossible to exploit.

      Slashdot actually managed to spin a highly positive analysis of Vista into something that suggests Vista is not only worse than XP, but Microsoft is somehow going out of its way *not* to fix it.

      Gotta love it. Slashdot is the GOP of technology news sites.
      • by morgan_greywolf (835522) on Friday June 22, 2007 @10:35AM (#19608119) Homepage Journal

        If you RTFA, you'll see that Vista's unpatched vulnerabilities are not considered "critical" because, thanks to Vista's improved security model, they are virtually impossible to exploit.

        And I think you'll see that thanks to my new and improved door lock, the fact that I leave my windows unlatched is not a critical security issue.
        • by ThinkFr33ly (902481) on Friday June 22, 2007 @10:44AM (#19608223)

          And I think you'll see that thanks to my new and improved door lock, the fact that I leave my windows unlatched is not a critical security issue.
          What a completely nonsensical and inaccurate comparison. Microsoft's Secure Development Lifecycle has almost certainly dramatically improved the quality of their code. This report, plus 3rd party counts of vulnerabilities, support this conclusion.

          But no matter how good your code is, things will be missed. That's the point of having things like Address Space Layout Randomization, IE 7 Protected Mode, Session 0 Isolation, and the dozens of other security layers that Microsoft added to Vista.

          Furthermore, being rated non-critical can often mean that it requires significant user action (like turning off multiple security features) in order to make a user vulnerable.

          What's next, are you going to blame Microsoft when a user smacks their motherboard with a hammer?

          The fact of the matter is, that at least so far, Vista is proving to be the most secure OS on the market. (Aside from perhaps OpenBSD, of course. :) If you have data that suggests otherwise, then provide it.

          Otherwise, keep your silly analogies to yourself.
          • by bmw (115903) * on Friday June 22, 2007 @11:23AM (#19608849)
            The fact of the matter is, that at least so far, Vista is proving to be the most secure OS on the market. (Aside from perhaps OpenBSD, of course. :) If you have data that suggests otherwise, then provide it.

            That's quite a statement. I don't have evidence supporting anything either way but I still have a hard time swallowing that one given my past experiences. More secure than previous Windows systems, perhaps. Most secure OS on the market? That's probably a bit of a stretch. Personally, I would still be far more comfortable with the security of any of the BSDs, Linux, Mac OS X, Solaris, or any other flavor of UNIX. Not to mention more obscure operating systems.

            Furthermore, it's extremely difficult to prove such things. Simply looking at the number of vulnerabilities is nowhere near adequate and, given your statement, I think the burden of proof would be on you.
          • by TheRaven64 (641858) on Friday June 22, 2007 @11:41AM (#19609097) Journal

            Vista is proving to be the most secure OS on the market. (Aside from perhaps OpenBSD, of course. :)
            I believe the most secure OS on the market at the moment is probably OpenVMS. Certain others, like Symbian, seem to do well too. I don't know of many Symbian compromises, in spite of the hundreds of millions of Symbian devices that spend 100% of their time connected to the network. I believe even WinCE has a better security record than Vista to date, so it's not even the most secure Microsoft operating system out there... OpenBSD has had a couple of security holes recently, but probably fewer than Vista.

            It's very difficult to compare the security of OpenBSD to Vista, because of what is included. OpenBSD, for example, doesn't include a web browser in the base system. It includes X11, but not a complete desktop environment. For it to be a fair comparison, you would have to compare OpenBSD + GNOME (for example). On the other hand, OpenBSD includes a number of things that aren't in Vista, such as a compiler, so you might have to throw in Visual Studio. But that's an IDE, so maybe throw Eclipse into the OpenBSD pile...

            • Certain others, like Symbian, seem to do well too. I don't know of many Symbian compromises, in spite of the hundreds of millions of Symbian devices that spend 100% of their time connected to the network.

              Are you kidding me? Try switching your phone's Bluetooth on and walking around a city for a few days. You'll almost certainly be asked to receive a .sis file - this is a Symbian virus. The most common exploit in Symbian is actually not a buffer overflow from what I understand but a GUI modality exploit ...

          • Re: (Score:3, Funny)

            by danbert8 (1024253)
            I would argue that MS-DOS is more secure than Vista because you have to be physically present to run programs and you can't run malware in the background.
          • by shaitand (626655)
            'What a completely nonsensical and inaccurate comparison.'

            You're right, let me fix it. A comparable view would be not locking the doors or the windows because you have an alarm that would sound if they are opened.

            'This report, plus 3rd party counts of vulnerabilities'

            This report is from the vendor, it doesn't support anything. As for vulnerability counts, despite Microsoft's love of them it has been well established that they provide no meaningful metric of security.

            'almost certainly dramatically improved the
        • by Zeek40 (1017978)
          I think a more apt comparison would be: "And I think you'll see that thanks to the fact that everything I own is either bolted to the floor or inside a vault, the fact that I leave my windows unlatched is not a critical security issue."
        • Well, yes, if the windows are on the 2nd floor and are covered with bars.
      • by Ucklak (755284)
        Don't have to RTFA

        Microsoft has fixed only 12 of 27 reported Vista vulnerabilities whereas it patched 36 of 39 known bugs in Windows XP

        As most analogies suck, if the OS was akin to a house, the 15 vulnerabilities should be something like:

        1. Doorbell light not working
        2. Doorknobs dirty and stick sometimes.
        3. Windows have bad seals and moisture is visible inside.
        4. Garage has unfinished walls
        5. Backyard is not landscaped
        6. House needs to be painted
        7. Carpet needs to be replaced
        8. House backs to a busy
        • Most analogies do indeed suck... especially ones that compare something as incredibly complex as a modern operating system to something as relatively trivial as a house.
      • by Lesrahpem (687242)
        I think the security industry has a pretty skewed idea of "virtually impossible" to exploit. The people who are saying these bugs are impossible to exploit are engineers and PR people, not people who actually have experience exploiting such bugs in the real world.
      • The same report, in fact, also says:
        In the first 6 months, Red Hat fixed 119 of the 129 that had been publicly disclosed at release time, but new disclosures during the period meant that 65 issues were widely disclosed, but unpatched at the end of the first 6 months. 12 of the unfixed issues were High severity and 7 were Medium severity according to NVD ratings.
        and
        During the first 6 months, Ubuntu fixed 145 vulnerabilities affecting Ubuntu 6.06 LTS. 47 of those fixed were rated High severity in the NVD.
        • by Knuckles (8964)
          But of course we don't care about all that here on /.

          Exactly, because for RedHat and Ubuntu they count the fixes for all applications that come with the OS. For example, Ubuntu released Ubuntu Security Notice USN-467-1 on May 31, 2007: "gimp vulnerability". The numbers for Windows, however, do not include the vulnerabilities in Photoshop.
      • Ok, I'll bite. Why GOP?
      • by shaitand (626655)
        'vulnerabilities are not considered "critical"'

        By one source. And yes, this is the same bozo who attempts to claim critical flaws aren't critical at all because there are exploitable and unproven fail-safe security measures that might prevent them from being exploited.

        'Slashdot actually managed to spin a highly positive analysis of Vista'

        Actually you have it reversed. This was Microsoft's attempt to spin an extremely poor security effort in a positive manner.

        'Microsoft is somehow going out of its way *not*
      • by CodeBuster (516420) on Friday June 22, 2007 @01:33PM (#19610761)
        Vista: The program ~_AllofTheBestOffers.exe is attempting to escalate its privilege level, Cancel or Allow?

        User: Allow, Allow, Allow (dangit where is the free pron already?)

        Vista: The program ~tracker.exe is attempting to change the firewall settings, Cancel or Allow?

        User: Change the what? Allow...come on

        Vista: The run32.dll has been altered since the last system scan do you wish to proceed? Cancel or Allow?

        User: sigh....Allow

        Vista: Windows has been updated and must be restarted, Cancel or Allow?

        User: hmmmm....don't remember getting updates but updates are good...Allow

        Several weeks later....

        User: What is going on with all of these popups and free pron offers? Isn't Vista supposed to be more secure?

        Support: Did you try rebooting?

        User: yes, yes, yes I have already done that.

        Support: Well, we can send you a new motherboard w/installation instructions....

        User: Thanks, but my bank is on the other line...I am having some trouble with my accounts. Can I call you back?

        Support: We are here to serve all of your customer service needs.

        User: Uh, yeah whatever, bye.

        The moral of this story is that no matter how many times the user is forced to click Allow, I agree, Yes, or Continue in order to shoot themselves in the foot, they will find a way to do it, guaranteed. It may be true that Vista is better than XP is or was out of the box, but they have to assume that even though the user would have to click Allow ten times for some malware to get through, it will happen, and not just to a couple of people either. They should at least tell people that they are working on the fixes instead of saying, "well if you are smart you won't get hacked, just don't always click allow."
    • Re: (Score:2, Insightful)

      Actually, they didn't announce anything *like* that. This article has more slant than... well the original *very slanted* report. The report this article is referencing is actually trying to make the point that Vista is (according to Microsoft's metrics) teh most secoor OS EVAR!!! The report compares the number of bugs disclosed in the first 6 months of the OS' existence which remained unfixed after 90 days. It seems to me that a more telling metric for security would be the longer term trend of bugs di
    • What I would like to know is what the guy actually said. The article starts by saying that half the BUGS were fixed and then starts talking about half of the vulnerabilities and then uses the two words interchangeably.

      Did the guy say half the bugs or half the vulnerabilities? Half the vulnerabilities seems bad to me. Half the known bugs is not bad at all- in fact I would consider that somewhere around par for software development.

      Either way I agree it sounds bad.
    • Re: (Score:2, Informative)

      by nusuth (520833)
      Then again Vista isn't exactly good PR for Microsoft.

      I recently bought a notebook with Vista Home Premium preloaded. Due to all negative things I've heard about Vista, I was prepared to downgrade. I was determined not to waste my time fixing a broken OS just because I could. However I was pleasantly surprised. It is, of course, nothing like what was promised a few years ago but it is an improvement over XP. The only problem I've had (about networking with XP) took five minutes to solve. It has also been ro

  • Wrong title (Score:5, Informative)

    by trifish (826353) on Friday June 22, 2007 @10:12AM (#19607779)
    First, the author of the submission doesn't know the difference between a bug and a vulnerability. Second, the title ought to read: "Vista Vulnerabilities are Less Serious than in XP" (and there are fewer vulnerabilities in Vista than in XP in total).

    That's the reason why only half of them were fixed, while in XP most of them were.
    • Absolutely. Congrats should go out to MSFT that their new OS is more secure than their previous OS.

      Of course, this being /., people will gripe that the default installation has any security flaws at all. That being said, most vulnerabilities could be mitigated by user education, anyway.
    • Flawed Logic (Score:4, Interesting)

      by asphaltjesus (978804) on Friday June 22, 2007 @10:46AM (#19608251)
      First sentence is correct. Author didn't distinguish bug/vulnerability.

      The second sentence, while double-plus-good Microsoft PR speak, is critically flawed reasoning.

      If the parent said "Known Vista vulnerabilities..." I would agree, but that still glides over many fundamental liabilities that Microsoft products push onto the customer like:
      1. The concept of security in Microsoft products means protect Microsoft's intellectual property.
      2. No one can reasonably predict the scope or scale of Microsoft vulnerabilities.
      3. Given Microsoft's history of producing "secure" operating systems, it is reasonable to assume there is no evidence end-user security features make it through to the end product. Note carefully, Microsoft has *very* talented programmers who can code securely; after all, their monopoly status affords them this luxury. I'm saying that their work doesn't make it all the way through the management gauntlet. UAC is a perfect example. It is not a security boundary. http://blogs.zdnet.com/security/?p=175 [zdnet.com]

      The Vista train will pull out of the station eventually because Microsoft's monopoly makes this a sure thing. As every other Microsoft OS has shown, there will be critical vulnerability surprises. It's a matter of when, not if.
      • Mod parent up!!! Good point about Microsoft management. In my opinion, Microsoft programmers are not allowed to finish their work.

        My rule number one in dealing with Microsoft: Unless forced by circumstances, never upgrade to a new version of Windows until the second service pack is released. Let other people have the grief.

        The huge number of bugs in Windows XP before SP2 was very expensive for us. If I remember correctly, SP2 fixed more than 630 bugs, and some of the fixes were not documented. It is n
    • by neoform (551705)
      "and there are fewer vulnerabilities in Vista than in XP in total"

      Vista's been out for a few months; XP has been out for more than half a decade. Obviously there are more known bugs in XP than Vista.
      • by trifish (826353)
        Vista's been out for a few months; XP has been out for more than half a decade. Obviously there are more known bugs in XP than Vista.

        You're obviously good at taking things out of context. If you read TFA (or at least the Slashdot summary), you'll know the context. TFA talks about vulnerabilities discovered in the 6 months after Vista release. You didn't really think I claimed that there were only 36 vulnerabilities discovered in XP in 6 years of its existence?
    • by twitter (104583)

      The article I read trashed M$'s sorry analysis and told me to expect more of the same from Vista as we've seen with every other M$ OS:

      He published the data in an effort to show how Microsoft's software development methodology, called the Security Development Lifecycle (SDL) is yielding dividends. But his method of comparing Windows to Linux and Mac OS X is problematic, according to some.

      "This is an apples-to-oranges comparison," said HD Moore, one of the hackers behind the popular Metasploit penetration

      • by dedazo (737510)
        The article you read, is it the one that fails to make a distinction between a bug and a vulnerability? Because that's the one I read. Oh, wait. We're in the Spin Zone. Sorry. Um, "M$ Windoze suxxorz LOLOLZ LINUX ROXXORZ!!!one!!!1!" There, that sounds about right. Facts and reality are so annoying and distracting anyway. Who needs them.
    • by Jugalator (259273)
      Exactly -- the first thing that popped into my head when seeing this was "but how SERIOUS are they then? are we talking of stuff requiring local system access and a bootable Vista CD, remote attacks, or what exactly?"

      Since the article didn't say outright in the summary, and it would have used the first opportunity to do so if they were serious (because this is Slashdot), I just assumed they were as little problematic in possible exploits as the currently unpatched minor security problems in multiple Linux ke
  • Rubbish. (Score:4, Funny)

    by onion2k (203094) on Friday June 22, 2007 @10:13AM (#19607787) Homepage
    I've got two older brothers, I don't think that makes me stupid. ;)
  • Simple Explanation (Score:4, Insightful)

    by Aqua_boy17 (962670) on Friday June 22, 2007 @10:13AM (#19607793)
    From TFA:

    "it will be more interesting to look at vulnerability statistics once Vista becomes more popular than XP, and the target of more hackers."
    I for one am glad Microsoft releases fixes for XP problems in a more timely fashion than Vista. I would expect that when Vista deployments outnumber XP, the situation will reverse itself. So where's the story here?
      I for one am glad Microsoft releases fixes for XP problems in a more timely fashion than Vista. I would expect that when Vista deployments outnumber XP, the situation will reverse itself. So where's the story here?

      The story is, Vista now is more widely used than OS X and many *nix distributions, and with comparison to them, it is significantly ahead of all of them in terms of security. This is no longer about Vista vs XP or based on installations with Vista vs XP.

      So one example coming from this report is now
  • Big deal... (Score:3, Funny)

    by Kainaw (676073) on Friday June 22, 2007 @10:13AM (#19607801) Homepage Journal
    Big deal. The VA has been trying to fix VistA [wikipedia.org] since 1985.
  • In Other Words (Score:5, Insightful)

    by camperdave (969942) on Friday June 22, 2007 @10:14AM (#19607813) Journal
    Jones says that's because "Windows Vista continues to show a trend of fewer total and fewer high-severity vulnerabilities at the six month mark compared to ... Windows XP,"

    So, they're not fixing the bugs because Vista is less buggy than XP? Whatever happened to fixing it because it was broken?
    • by niceone (992278) *
      Whatever happened to fixing it because it was broken?

      The saying is: If it ain't broke, don't fix it. If it was the way round you said, the software industry would disappear under an infinite pile of Gantt charts.
    • Microsoft quickly patched all of the critical vulnerabilities in Vista. Those vulnerabilities that are not rated critical, which comprise 100% of the unpatched vulnerabilities mentioned in the article, are simply not very likely to cause issues for people.

      Microsoft often waits to patch these kinds of vulnerabilities until they've taken care of more important things, like critical bugs, and sometimes chooses to roll them up into a service pack. This allows for more thorough testing and decreases the chance t
      • by lseltzer (311306)
        I think the delay is more likely attributable to them putting less-severe bug fixes on a longer and more rigorous test cycle.
  • by Anonymous Coward on Friday June 22, 2007 @10:17AM (#19607849)
    So naturally his IQ is 3 points lower than his older brother XP.

    Apparently the developers of Vista are following that trend too!
  • by monk.e.boy (1077985) on Friday June 22, 2007 @10:17AM (#19607851) Homepage

    I know our hobby is slagging off Microsoft, but hey, copying Linux seems to be working out for them.

    Oh, damn. My carefully crafted pro-Microsoft reply slipped into the usual M$ bashing. They are such an easy target. I can't help myself. Just like women drivers. I don't mean to joke at their expense, but sometimes the jokes, they slip out. I mean, I asked my girlfriend if my indicators were working and she said 'Yes. No. Yes. No.'

    An oldie but a goldie. Feel free to use that one.

    monk.e.boy

    • I mean, I asked my girlfriend if my indicators were working and she said 'Yes. No. Yes. No.'

      An oldie but a goldie. Feel free to use that one.
      A slashdot user with a girlfriend? That is a good joke.
  • by erroneus (253617) on Friday June 22, 2007 @10:18AM (#19607863) Homepage
    The simple fact is, there are still more XP loaded systems than Vista. Vista isn't yet a target except in areas where XP and Vista share the same flaw. ...I kinda hope it stays like that for a while too.
  • Talk about spin (Score:2, Insightful)

    by Anonymous Coward
    http://www.engadget.com/2007/06/22/report-vista-more-secure-than-os-x-and-linux/ [engadget.com]
    An article on engadget that is pointing to the EXACT same data...yet the title there most certainly provides a seriously different outlook, does it not? I do not blame anyone, however, as if I had seen an ACTUAL neutral title along the lines of 'microsoft employee posts dubious data of questionable usefulness to anyone except PR departments' I would without doubt have just scrolled on...
    • by GrayCalx (597428)
      I do not blame anyone...

      Wait wait wait... you mean you're not blaming Microsoft or the Government?!? What kind of slashdot poster are you?
  • They have made the underlying security model so damned complex that it takes 6 months to figure out how to patch a bug/hole.
  • Those 27 disclosed vulnerabilities cover some or all of the 237 patents that Microsoft has. Don't you dare fix any of them with a third party tool. You will be violating the patent rights of MSFT!
  • I wonder exactly what the data would be like if you compared vulnerabilities in 3rd-party software AND Microsoft issues vs. security problems in Linux distributions?
  • About their patch time being 29 days to OSX's 46 and hundreds for linux?

  • Jones argued that Vista had a lower number of vulnerabilities than competitive operating system products such as Red Hat Enterprise Linux and Mac OS X.

    Microsoft has acknowledged that they include secret undocumented patches in hotfixes, patches that would count against their "score" if they were required to count them... open source software doesn't have the luxury of hiding their dirty laundry like that. And it's not just Linux that suffers from that "disadvantage", OS X has an awful lot of open-source components, and many of Apple's updates have been patches rolled in from them.

    Microsoft's gaming the system here. Statements like this should be granted no credibility.
  • There is no mention of 27 disclosed vulnerabilities in the report or on secunia.
    Did someone make up the numbers so that it can be posted on Slashdot? ;)
  • by fahrbot-bot (874524) on Friday June 22, 2007 @11:32AM (#19608973)
    My guess is that it may be harder to fix things in Vista without breaking something else (like DRM functions) ...
  • I find it fascinating that Engadget's headline on this very same story is:
    Report: Vista more secure than OS X and Linux [engadget.com]

    Way to spin, slashdot!!

  • If they continue to produce 'new' operating systems every 5 years with only a 25% better bug/vulnerability rate, just how long will it be before Bill Gates' statement of Windows Vista being "the most secure OS available" will actually become a publicly accepted truth? I had to state it as "publicly accepted truth" since Microsoft's version of the law, contracts, and truth are very different from what the general population understands and accepts as such.

    Too bad the severities weren't listed but then again, w
  • Wow. There's a statistic in that article that really leaves an impression, and no, it's not 36/39 vs 12/27; it's 23 vs 1 - the number of severe security holes in XP and Vista found in the first six months. That brings up a few questions, like whether these metrics are the same (one person brought up the question of secret, unannounced fixes, another the issue of the number of people looking for problems). But if these numbers are comparable (heck, even if the Vista number is 3 or 4 times lower than is reali
  • Neither /. nor the original article seem to understand that not all bugs are security vulnerabilities. Is it the case that more than half the known BUGS in Vista are unpatched, or less than half the known SECURITY BUGS are unpatched?

    Potentially huge difference.
