More Than Half of Known Vista Bugs are Unpatched
MsManhattan writes "Microsoft security executive Jeff Jones has disclosed that in the first six months of Vista's release, the company has patched fewer than half of the operating system's known bugs. Microsoft has fixed only 12 of 27 reported Vista vulnerabilities whereas it patched 36 of 39 known bugs in Windows XP in the first six months following its release. Jones says that's because "Windows Vista continues to show a trend of fewer total and fewer high-severity vulnerabilities at the six month mark compared to ... Windows XP," but he did not address the 15 unpatched flaws."
Why would you ever..... (Score:3, Insightful)
Re:Why would you ever..... (Score:5, Insightful)
If you RTFA, you'll see that Vista's unpatched vulnerabilities are not considered "critical" because, thanks to Vista's improved security model, they are virtually impossible to exploit.
Slashdot actually managed to spin a highly positive analysis of Vista into something that suggests Vista is not only worse than XP, but Microsoft is somehow going out of its way *not* to fix it.
Gotta love it. Slashdot is the GOP of technology news sites.
Re:Why would you ever..... (Score:5, Funny)
And I think you'll see that thanks to my new and improved door lock, the fact that I leave my windows unlatched is not a critical security issue.
Re:Why would you ever..... (Score:4, Insightful)
But no matter how good your code is, things will be missed. That's the point of having things like Address Space Layout Randomization, IE 7 Protected Mode, Session 0 Isolation, and the dozens of other security layers that Microsoft added to Vista.
Furthermore, being rated non-critical can often mean that it requires significant user action (like turning off multiple security features) in order to make a user vulnerable.
What's next, are you going to blame Microsoft when a user smacks their motherboard with a hammer?
The fact of the matter is, that at least so far, Vista is proving to be the most secure OS on the market. (Aside from perhaps OpenBSD, of course.)
Otherwise, keep your silly analogies to yourself.
Re:Why would you ever..... (Score:5, Interesting)
That's quite a statement. I don't have evidence supporting anything either way but I still have a hard time swallowing that one given my past experiences. More secure than previous Windows systems, perhaps. Most secure OS on the market? That's probably a bit of a stretch. Personally, I would still be far more comfortable with the security of any of the BSDs, Linux, Mac OS X, Solaris, or any other flavor of UNIX. Not to mention more obscure operating systems.
Furthermore, it's extremely difficult to prove such things. Simply looking at the number of vulnerabilities is nowhere near adequate and, given your statement, I think the burden of proof would be on you.
Re: (Score:2)
Numbers are out there... Dare I suggest, "Open up and say ahh." ;)
And the "numbers" people like you point to are complete BS. Vista is simply an operating system and a very basic one at that. Yet you compare the number of vulnerabilities in it to the number of vulnerabilities in a full blown linux distro that provides a million times as much functionality. Let's see, Vista, very basic OS functionality, linux distro, very advanced OS functionality plus 1000 applications. Yeah, that's a valid comparison. Hell, even the most basic linux or unix setup provides far more functi
Re:Why would you ever..... (Score:5, Interesting)
It's very difficult to compare the security of OpenBSD to Vista, because of what is included. OpenBSD, for example, doesn't include a web browser in the base system. It includes X11, but not a complete desktop environment. For it to be a fair comparison, you would have to compare OpenBSD + GNOME (for example). On the other hand, OpenBSD includes a number of things that aren't in Vista, such as a compiler, so you might have to throw in Visual Studio. But that's an IDE, so maybe throw Eclipse into the OpenBSD pile...
Re: (Score:2)
Are you kidding me? Try switching your phone's Bluetooth on and walking around a city for a few days. You'll almost certainly be asked to receive a .sis file - this is a Symbian virus. The most common exploit in Symbian is actually not a buffer overflow from what I understand but a GUI modality exploit ...
Re: (Score:3, Funny)
Re: (Score:2)
You're right, let me fix it. A comparable view would be not locking the doors or the windows because you have an alarm that would sound if they are opened.
'This report, plus 3rd party counts of vulnerabilities'
This report is from the vendor, it doesn't support anything. As for vulnerability counts, despite Microsoft's love of them it has been well established that they provide no meaningful metric of security.
'almost certainly dramatically improved the
Re: (Score:3, Insightful)
You sir should think before you post.
You might want to follow your own advice.
You're committing a logical fallacy in your post. You equate the fact that your Macs have never been compromised (that you know of) to their actual security. This is an invalid equation.
I could write a piece of software that had a 1000 known critical security vulnerabilities, but it might never get hacked. Does that then mean that my software is secure? Of course not.
Factors that contribute to whether or not something gets compromised include the number of vulne
Re: (Score:2, Insightful)
Bottom line: M$ experience sucks. (Score:2, Interesting)
the fact that your Macs have never been compromised (that you know of) to their actual security. This is an invalid equation.
The fact that only M$ machines get screwed and die along with your work is a good reason to avoid the platform.
Re: (Score:2)
That, my friend, is a bunch of fucking bullshit.
I have a Dual G5 to my right. It is now running 10.4.10. At least under 10.3.whatever and 10.4.whatever-before-10 (
I also run on Linux and, I have to say, it still has problems resuming from the fucking screensaver if I close the lid. PATHETIC. Sometimes I can fix it by logging in remotely and killing the screensaver process[es]. Sometimes I have
Re: (Score:2)
Do you mean me or the guy before me? Because I actually wrote a whole paragraph about how the OSX machine is crapping on me on a regular basis, and then apparently I lost it somehow. Probably I accidentally selected text and typed over it, but maybe it's a black turtleneck conspiracy. Can't blame it on Apple directly though, because I slashdot from Firefox on Ubuntu.
Re: (Score:2)
You linking to that post is hilarious. You figure no one will notice this reply [slashdot.org] and the subsequent ones in that thread?
Re:Why would you ever..... (Score:4, Insightful)
Re: (Score:2, Informative)
According to Secunia (for 2007):
Vista - 7 advisories, 2 unpatched (unpatched vulns listed as not critical)
OSX - 16 advisories, 3 unpatched (unpatched vulns listed as less critical)
There's too few to have a meaningful comparison of vuln severity levels, but OSX would win on percentages.
For what the original poster actually said "...even more than XP in recent years..."
Here is 2006:
XP - 45 Advisories (36
Re: (Score:2)
Statistics for 2007, directly from Secunia website:
- OSX
Affected By 103 Secunia advisories
Unpatched 5% (5 of 103 Secunia advisories)
- XP
Affected By 186 Secunia advisories
Unpatched 16% (30 of 186 Secunia advisories)
- Vista
Affected By 10 Secunia advisories
Unpatched 20% (2 of 10 Secunia advisories)
Source:
http://secunia.com/product/13223/?task=statistics_2007 [secunia.com]
http://secunia.com/product/22/?task=statistics_2007 [secunia.com]
http://secunia.com/product/96/?task=statistics_2007 [secunia.com]
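The post above (and the earlier one saying there are "too few to have a meaningful comparison") is really making a statistical point: 2 of 10 and 30 of 186 are not comparable as bare percentages. The following is an added worked example, not something from the thread or from Secunia. It takes the three 2007 counts exactly as quoted in the post, puts a 95% Wilson score interval around each unpatched proportion, and checks whether the intervals overlap. The product names and the dictionary layout are my own; the arithmetic is the standard Wilson interval.

```python
from math import sqrt

# Counts as quoted in the post above: (advisories affecting the product, unpatched).
# Constructed from the thread's own numbers; not fetched from Secunia.
SECUNIA_2007 = {
    "Mac OS X": (103, 5),
    "Windows XP": (186, 30),
    "Windows Vista": (10, 2),
}


def unpatched_ratio(total, unpatched):
    """Plain percentage the post quotes (e.g. 2 of 10 -> 0.2)."""
    return unpatched / total


def wilson_interval(total, unpatched, z=1.96):
    """95% Wilson score interval for the true unpatched proportion.

    Unlike the naive p +/- z*sqrt(p(1-p)/n) this stays inside [0, 1] and
    behaves sensibly for tiny samples such as n=10.
    """
    if total <= 0:
        raise ValueError("need at least one advisory")
    p = unpatched / total
    z2 = z * z
    denom = 1 + z2 / total
    centre = (p + z2 / (2 * total)) / denom
    half = z * sqrt(p * (1 - p) / total + z2 / (4 * total * total)) / denom
    return (max(0.0, centre - half), min(1.0, centre + half))


def intervals_overlap(a, b):
    """True when two (low, high) intervals share any point, i.e. the data
    cannot distinguish the two proportions at this confidence level."""
    return a[0] <= b[1] and b[0] <= a[1]


def compare(products=SECUNIA_2007):
    """Return {name: (ratio, low, high)} for every product."""
    out = {}
    for name, (total, unpatched) in products.items():
        low, high = wilson_interval(total, unpatched)
        out[name] = (unpatched_ratio(total, unpatched), low, high)
    return out


if __name__ == "__main__":
    stats = compare()
    for name, (ratio, low, high) in stats.items():
        print(f"{name:14s} unpatched {ratio:5.1%}  95% CI [{low:5.1%}, {high:5.1%}]")
    vista = stats["Windows Vista"][1:]
    for other in ("Windows XP", "Mac OS X"):
        print(f"Vista vs {other}: intervals overlap = "
              f"{intervals_overlap(vista, stats[other][1:])}")
```

With these numbers Vista's interval runs from roughly 6% to 51%, which overlaps both XP's (about 12% to 22%) and OS X's (about 2% to 11%), so the 20% figure for Vista says almost nothing either way; XP and OS X, with far more advisories, do separate.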
Re: (Score:2)
No
Re: (Score:2)
Indeed true. I Installed VISTA in Parallels on my Mac and it is dog slow compared to XP. I got VISTA not so much to use it, but just to learn about it first hand. I actually USE a few Windows programs only in Win2K and XP. Win2K runs the same software MUCH faster than XP. VISTA's activation scheme is a lot more fragile than XP. It has already asked to be activated twice. It did do it though.
You are r
Re: (Score:3, Insightful)
Always that old security by obscurity mantra. Who cares WHY I don't get my Mac house burgled as often as my neighbors Windows house. Maybe my house doesn't have bars on the windows and bank safe doors and locks either. What is nice is that burglars bypass my house and go to the ones down the street. I also don't have to waste money on added security and guard services. The bottom line is that there are NO Mac botnets, whereas there are thou
Re: (Score:2)
Not when you're debating system security. You may as well run Windows 1.0 if you think being in a group so small that no cracker would waste their time on writing a worm for your system actually makes you secure.
Re: (Score:2)
Is that not just great?! It's not just that there are fewer Macs, but also that the vast majority of hackers have a lot of experience in how to break into Windows boxes. There are lots of tools around to help them break into those. Hackers are lazy bastards, otherwise they would get honest jobs. Learning all about how Macs work and building hacking tools, in order to break into them is a lot of work. So even if there were
Re: (Score:2)
Re: (Score:2)
Not true. Even if 50% of all computer were Macs, the number of Mac hacks would not rise dramatically. Hackers are lazy, otherwise they'd get real jobs. If you were a hacker, which half of all computers would you rather attack? The easy half you know and have hacking tools for, or the other half for which you have nothing and are inherently harder to crack? There is no reason to assume that a hacked Mac would be more
Re: (Score:3, Interesting)
I dun
Re: (Score:2)
Smart people would care.
The problem with your line of reasoning is that it is self defeating. Let's say I go around telling everybody that Macs are more secure than Windows PCs. This isn't true if you take security in the objective sense - Mac OS X is of the same design era as Windows and Linux, and has lots of vulnerabilities. What's more, Apple don't seem to have any equivalent to the Secure Development Lifecycle ju
Re: (Score:2)
When I started in 1990 in the PC industry, there were plenty of Mac viruses. The Mac was even more vulnerable than a PC, due to the auto execution of code when a floppy was inserted. I suppose most Mac viruses went the way of the dodo after the move to OS X, or maybe earlier after the move to the PowerPC platform.
Fallacy (Score:3, Informative)
You might want to follow your own advice.
That goes for you too!
You're committing a logical fallacy in your post. You equate the fact that your Macs have never been compromised (that you know of) to their actual security. This is an invalid equation.
I don't think this qualifies as an "invalid equation." Maybe if he was trying to say that a Mac is a PC, or that OSX is Vista, that would be an invalid equation.
What you are thinking of sounds much more like the fallacy o
Re: (Score:2)
Microsoft has fixed only 12 of 27 reported Vista vulnerabilities whereas it patched 36 of 39 known bugs in Windows XP
As most analogies suck, if the OS was akin to a house, the 15 vulnerabilities should be something like:
1. Doorbell light not working
2. Doorknobs dirty and stick sometimes.
3. Windows have bad seals and moisture is visible inside.
4. Garage has unfinished walls
5. Backyard is not landscaped
6. House needs to be painted
7. Carpet needs to be replaced
8. House backs to a busy
Re: (Score:2)
In the first 6 months, Red Hat fixed 119 of the 129 that had been publicly disclosed at release time, but new disclosures during the period meant that 65 issues were widely disclosed, but unpatched at the end of the first 6 months. 12 of the unfixed issues were High severity and 7 were Medium severity according to NVD ratings.
and
During the first 6 months, Ubuntu fixed 145 vulnerabilities affecting Ubuntu 6.06 LTS. 47 of those fixed were rated High severity in the NVD.
Re: (Score:2)
Exactly, because for RedHat and Ubuntu they count the fixes for all applications that come with the OS. For example, Ubuntu released Ubuntu Security Notice USN-467-1 on May 31, 2007: "gimp vulnerability". The numbers for Windows, however, do not include the vulnerabilities in Photoshop.
Re: (Score:2)
Re: (Score:2)
By one source. And yes, this is the same bozo who attempts to claim critical flaws aren't critical at all because there are exploitable and unproven fail-safe security measures that might prevent them from being exploited.
'Slashdot actually managed to spin a highly positive analysis of Vista'
Actually you have it reversed. This was Microsoft's attempt to spin an extremely poor security effort in a positive manner.
'Microsoft is somehow going out of its way *not*
Re:Why would you ever..... (Score:5, Funny)
User: Allow, Allow, Allow (dangit where is the free pron already?)
Vista: The program ~tracker.exe is attempting to change the firewall settings, Cancel or Allow?
User: Change the what? Allow...come on
Vista: The run32.dll has been altered since the last system scan do you wish to proceed? Cancel or Allow?
User: sigh....Allow
Vista: Windows has been updated and must be restarted, Cancel or Allow?
User: hmmmm....don't remember getting updates but updates are good...Allow
Several weeks later....
User: What is going on with all of these popups and free pron offers? Isn't Vista supposed to be more secure?
Support: Did you try rebooting?
User: yes, yes, yes I have already done that.
Support: Well, we can send you a new motherboard w/installation instructions....
User: Thanks, but my bank is on the other line...I am having some trouble with my accounts. Can I call you back?
Support: We are here to serve all of your customer service needs.
User: Uh, yeah whatever, bye.
The moral of this story is that no matter how many times the user is forced to click Allow, I agree, Yes, or Continue in order to shoot themselves in the foot, they will find a way to do it, guaranteed. It may be true that Vista is better than XP is or was out of the box, but they have to assume that even though the user would have to click Allow ten times for some malware to get through, it will happen, and not just to a couple of people either. They should at least tell people that they are working on the fixes instead of saying, "well if you are smart you won't get hacked, just don't always click allow."
Re: (Score:2)
Based upon the latest figures from NetCraft.
Over half of the Webservers on the Net today run Apache, and the vast majority are hosted on Linux systems...so let's be conservative and say only half of the 53% of the systems running Apache are on Linux, that would give Linux a share, on the low end, of 26.5%. Add into that lighttpd, which runs mostly on Linux, which has 1.2%...so on the low end of the estimate Linux runs at least 27% of the web servers on the Net, and if
Re: (Score:2, Insightful)
Actual quote? (Score:2)
Did the guy say half the bugs or half the vulnerabilities? Half the vulnerabilities seems bad to me. Half the known bugs is not bad at all- in fact I would consider that somewhere around par for software development.
Either way I agree it sounds bad.
Re:Actual quote? (Score:5, Informative)
It sounds bad because the person who posted it to Slashdot, and Slashdot's editors, want it to sound bad. Are you new here or something?
Re: (Score:2, Informative)
I recently bought a notebook with Vista Home Premium preloaded. Due to all the negative things I've heard about Vista, I was prepared to downgrade. I was determined not to waste my time fixing a broken OS just because I could. However I was pleasantly surprised. It is, of course, nothing like what was promised a few years ago but it is an improvement over XP. The only problem I've had (about networking with XP) took five minutes to solve. It has also been ro
Wrong title (Score:5, Informative)
That's the reason why only half of them were fixed while in XP most of them were.
Re: (Score:2)
Of course, this being
Flawed Logic (Score:4, Interesting)
The second sentence, while double-plus-good Microsoft PR speak, is critically flawed reasoning.
If the parent said "Known Vista vulnerabilities..." I would agree, but that still glides over many fundamental liabilities that Microsoft products push onto the customer like:
1. The concept of security in Microsoft products means protect Microsoft's intellectual property.
2. No one can reasonably predict the scope or scale of Microsoft vulnerabilities.
3. Given Microsoft's history of producing "secure" operating systems, it is reasonable to assume there is no evidence end-user security features make it through to the end product. Note carefully, Microsoft has *very* talented programmers who can code securely; after all, their monopoly status affords them this luxury. I'm saying that their work doesn't make it all the way through the management gauntlet. UAC is a perfect example. It is not a security boundary. http://blogs.zdnet.com/security/?p=175 [zdnet.com]
The Vista train will pull out of the station eventually because Microsoft's monopoly makes this a sure thing. As every other Microsoft OS has shown, there will be critical vulnerability surprises. It's a matter of when, not if.
MOD PARENT UP! (Score:2)
My rule number one in dealing with Microsoft: Unless forced by circumstances, never upgrade to a new version of Windows until the second service pack is released. Let other people have the grief.
The huge number of bugs in Windows XP before SP2 was very expensive for us. If I remember correctly, SP2 fixed more than 630 bugs, and some of the fixes were not documented. It is n
Re: (Score:2)
Vista's been out for a few months; XP has been out for more than half a decade. Obviously there are more known bugs in XP than Vista.
Re: (Score:2)
You're obviously good at taking things out of context. If you read TFA (or at least the Slashdot summary), you'll know the context. TFA talks about vulnerabilities discovered in the 6 months after Vista release. You didn't really think I claimed that there were only 36 vulnerabilities discovered in XP in 6 years of its existence?
Not the article I read. (Score:2, Insightful)
The article I read trashed M$'s sorry analysis and told me to expect more of the same from Vista as we've seen with every other M$ OS:
Re: (Score:2)
Re: (Score:2)
Since the article didn't say outright in the summary, and it would have used the first opportunity to do so if they were serious (because this is Slashdot), I just assumed they were as little problematic in possible exploits as the currently unpatched minor security problems in multiple Linux ke
Re: (Score:2)
Sure, OpenBSD "wins" in such a stupid comparison, but seriously... Is it a big deal...?
Re: (Score:2)
Re: (Score:2)
The difference can be observed on the numbers: There are hundreds of known bugs, but only a few known vulnerabilities in Windows. Claiming that all bugs can be turned into vulnerabilities is
Rubbish. (Score:4, Funny)
Re:Rubbish. (Score:4, Funny)
Re:Rubbish. (Score:5, Funny)
/chain yanking
Re: (Score:2)
>Kinda of funny to post THAT on the wrong article, isn't it.
That was the joke. Hence the
We have our first trans-article Slashdot joke. Party tonight
Simple Explanation (Score:4, Insightful)
Re: (Score:2)
The story is, Vista now is more widely used than OS X and many *nix distributions, and in comparison to them, it is significantly ahead of all of them in terms of security. This is no longer about Vista vs XP or based on installations with Vista vs XP.
So one example coming from this report is now
Big deal... (Score:3, Funny)
In Other Words (Score:5, Insightful)
So, they're not fixing the bugs because Vista is less buggy than XP? Whatever happened to fixing it because it was broken?
Re: (Score:2)
The saying is: If it ain't broke, don't fix it. If it was the way round you said, the software industry would disappear under an infinite pile of Gantt charts.
Re: (Score:2)
Microsoft often waits to patch these kinds of vulnerabilities until they've taken care of more important things, like critical bugs, and sometimes chooses to roll them up into a service pack. This allows for more thorough testing and decreases the chance t
Re: (Score:2)
Re: (Score:2)
This is the difference between using Service Packs and using individual patches for individual packages/applications. It's a Monolith versus granular approach.
Because of the scale MS has to work on and the people they have to support, it's far easier for them to work within the monolithic model.
As for why th
Re: (Score:2)
This is the difference between using Service Packs and using individual patches for individual packages/applications. It's a Monolith versus granular approach.
You do realise a SP is basically just a bunch of individual patches bundled up together into a single, easily installable entity, right? Like, say, Red Hat does with their regular repackaging to "RHAS 4 Update 3", etc.
Re: (Score:2)
RHAS 4 Update 3 == SP for linux.
You can tell because when troubleshooting something you ask them "What SP/Update/Cluster Patch (for solaris) are you on?"
It's in how it's presented and perceived by the end users. Windows end users often don't want to see every little thing and every little fix. They want some big fix which hits on a regular schedule that they can install.
Vista is the youngest in the series (Score:5, Funny)
Apparently the developers of Vista are following that trend too!
I know we slag them off... (Score:5, Funny)
I know our hobby is slagging off Microsoft, but hey, copying Linux seems to be working out for them.
Oh, damn. My carefully crafted, pro-Microsoft reply slipped into the usual M$ bashing. They are such an easy target. I can't help myself. Just like women drivers. I don't mean to joke at their expense, but sometimes the jokes, they slip out. I mean, I asked my girlfriend if my indicators were working and she said 'Yes. No. Yes. No.'
An oldie but a goldie. Feel free to use that one.
monk.e.boy
Re: (Score:2)
Vista flaws are not as critical as XP (Score:3, Insightful)
Talk about spin (Score:2, Insightful)
An article on engadget that is pointing to the EXACT same data...yet the title there most certainly provides a seriously different outlook, does it not? I do not blame anyone, however, as if I had seen an ACTUAL neutral title along the lines of 'microsoft employee posts dubious data of questionable usefulness to anyone except PR departments' I would without doubt have just scrolled on...
Re: (Score:2)
Wait wait wait... you mean you're not blaming Microsoft or the Government?!? What kind of slashdot poster are you?
So damned complex (Score:2)
They are not security holes. They are the patents (Score:2, Funny)
Interesting (Score:2)
Is this the same guy who was bragging... (Score:2)
Does this count all the secret fixes? (Score:4, Insightful)
Microsoft has acknowledged that they include secret undocumented patches in hotfixes, patches that would count against their "score" if they were required to count them... open source software doesn't have the luxury of hiding their dirty laundry like that. And it's not just Linux that suffers from that "disadvantage", OS X has an awful lot of open-source components, and many of Apple's updates have been patches rolled in from them.
Microsoft's gaming the system here. Statements like this should be granted no credibility.
Re: (Score:2)
Famous in Slashdot-land, maybe. In the real world, not so much. Perhaps you should start being a little more critical of what the internet tells you.
Re:Does this count all the secret fixes? (Score:5, Interesting)
Skeletons in Microsoft's Patch-day Closet [zdnet.com]
It's interesting that you attack Microsoft for secrecy but say nothing about Apple, which is famous for its hostile attitude towards people who discover exploits as well as its secrecy about what its patches fix.
You seem to be under a misapprehension here. I'm not defending Apple. I'm simply pointing out that Microsoft has more ability to hide security flaws in their software than any company that uses a significant amount of open-source software, and thus they can artificially reduce their "score" in this game to a far greater extent than either of the other organizations mentioned by Jones. That is, regardless of Apple's motivations and actions, they are simply not capable of hiding patches as effectively as Microsoft.
So:
1. Microsoft has more ability to "game the system" than Red Hat, Apple, or any other organization using a significant amount of open-source software in their product.
2. Microsoft has acknowledged that they are engaged in gaming the system.
I would be happy to discuss Apple's past behavior in an appropriate context. In fact if you google around you'll find that I've been quite critical of Apple when I've felt it warranted. There's plenty of other skeletons in Microsoft's closet if you want to get into a fan war, but you'll have to find someone else for THAT debate... again, google around, you'll find I defend Microsoft when I believe it's warranted. Basically, I'm poorly equipped for the kind of debate that requires uncritical acceptance or dismissal of one company's position on every subject.
Here and now, Microsoft's figures cannot be accepted at face value. Unless Microsoft reveals ALL the details of the vulnerabilities they've corrected they can't be considered comparable to even Apple's figures with their heavy loading of open source software, let alone Red Hat's.
Re: (Score:2)
Is it possible that Microsoft completely conceals bug fixes and never announces them, even after they are fixed? Sure. But there is no evidence of that.
As you said, it's true that it would be harder for open s
Where is the 12 out of 27 number coming from? (Score:2)
Did someone make up the numbers so that it can be posted on Slashdot?
Re: (Score:2)
and the secunia link for Vista : http://secunia.com/product/13223/?task=statistics [secunia.com]
Two steps forward, one step back. (Score:3, Interesting)
Alternate headline:Vista more secure than OSX/Linu (Score:2)
Report: Vista more secure than OS X and Linux [engadget.com]
Way to spin, slashdot!!
only 25% fewer bugs in 1-6 mon? Most secure OS? (Score:2)
Too bad the severities weren't listed but then again, w
Apples and..? (Score:2)
bugs or vulnerabilities? (Score:2)
Potentially huge difference.
Re: (Score:3, Funny)
"The only reason XP is the target of so many viruses is because it is so widely used! If Vista was as popular as Windows XP, there would be just as many viruses written for those platforms!"
(firmly tongue in cheek, I'm aware that Vista's UAC is still a pale imitation of a real security model).
Re: (Score:2)
And sadly it is used more than OS X and most *nix distributions already.
So if we take OS X as an example, with regard to security and patches and vulnerabilities, Vista is more widely used and had far fewer patches and remains more secure to date.
This is where the Apple people should say, "oh crap..."
Re: (Score:2)
Whereas Linux stops the user from running trojans or doing anything else bad? I don't think so.
Vista has made major improvements in security with things like ASLR and it is harder to exploit