<?xml version="1.0" encoding="UTF-8" ?>
<?xml-stylesheet type="text/xsl" href="http://community.winsupersite.com/utility/FeedStylesheets/rss.xsl" media="screen"?><rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:slash="http://purl.org/rss/1.0/modules/slash/" xmlns:wfw="http://wellformedweb.org/CommentAPI/"><channel><title>Windows Vista One Year Vulnerability Report</title><link>http://community.winsupersite.com/blogs/paul/archive/2008/04/17/windows-vista-one-year-vulnerability-report.aspx</link><description>Microsoft takes a look back at the security implications of Vista&amp;#39;s first year on the market : This paper analyzes the vulnerability disclosures and security updates for the first year of Windows Vista and looks at it in the context of its predecessor</description><dc:language>en</dc:language><generator>CommunityServer 2007 SP2 (Build: 20611.960)</generator><item><title>re: Windows Vista One Year Vulnerability Report</title><link>http://community.winsupersite.com/blogs/paul/archive/2008/04/17/windows-vista-one-year-vulnerability-report.aspx#13248</link><pubDate>Sat, 19 Apr 2008 22:47:29 GMT</pubDate><guid isPermaLink="false">a5a28da7-a54a-49cb-8e3d-fb9e7f7597ae:13248</guid><dc:creator>techboy2000</dc:creator><description>&lt;p&gt;Microsoft has a very good handle on security these days and procedurally is more advanced than any other OS supplier (MS's SDL process).&lt;/p&gt;
&lt;p&gt;Vista is very safe with:&lt;/p&gt;
&lt;p&gt;IE7&lt;/p&gt;
&lt;p&gt;Windows Defender included in Vista&lt;/p&gt;
&lt;p&gt;Two-way firewall on by default&lt;/p&gt;
&lt;p&gt;UAC (yes this is a Great addition and not annoying.)&lt;/p&gt;
&lt;p&gt;Data Execution Prevention&lt;/p&gt;
&lt;p&gt;GS&lt;/p&gt;
&lt;p&gt;SafeSEH&lt;/p&gt;
&lt;p&gt;Function Pointer Obfuscation&lt;/p&gt;
&lt;p&gt;ASLR&lt;/p&gt;
&lt;p&gt;MS took too long to figure this stuff out but the problem has been addressed and the platform is good.&lt;/p&gt;
</description></item><item><title>re: Windows Vista One Year Vulnerability Report</title><link>http://community.winsupersite.com/blogs/paul/archive/2008/04/17/windows-vista-one-year-vulnerability-report.aspx#13234</link><pubDate>Sat, 19 Apr 2008 01:13:33 GMT</pubDate><guid isPermaLink="false">a5a28da7-a54a-49cb-8e3d-fb9e7f7597ae:13234</guid><dc:creator>subzerohitman721</dc:creator><description>&lt;p&gt;I remember when 2000 came out and we had the games compatibility issue. It took a while, at least to SP1, to fix. I also remember when XP first came out and there were many incompatibility issues, game issues, and networking issues. Again it really took up to SP2 to get XP where everyone liked it.&lt;/p&gt;
&lt;p&gt;I believe since this has been the cycle, the Vista Hate cycle has reached its peak and is slowly starting to slide down. We will reach the &amp;quot;era of Vista&amp;quot; as JamesRayG has stated so eloquently. &amp;nbsp;Just because the idiots at PC Magazine have this anti-Vista campaign and the misconceptions on the street are that it's bad, that doesn't always become its permanent label. I remember during the Blaster Worm crisis during the XP era, that people were calling for a new OS. People were saying, migrate over to Apple or Linux. In the end, when the paranoia ended and people started thinking for themselves, they stayed with XP and Microsoft.&lt;/p&gt;
&lt;p&gt;Don't be surprised when people migrate to Vista and it's well praised for its security. Eventually the issues will be resolved and it will be a rock solid OS for the masses.&lt;/p&gt;
</description></item><item><title>re: Windows Vista One Year Vulnerability Report</title><link>http://community.winsupersite.com/blogs/paul/archive/2008/04/17/windows-vista-one-year-vulnerability-report.aspx#13231</link><pubDate>Fri, 18 Apr 2008 23:21:45 GMT</pubDate><guid isPermaLink="false">a5a28da7-a54a-49cb-8e3d-fb9e7f7597ae:13231</guid><dc:creator>Flenser</dc:creator><description>&lt;p&gt;&amp;quot;because a 99.99% uptime allows for only 30 seconds of downtime per year&amp;quot;&lt;/p&gt;
&lt;p&gt;No, that's 52&amp;#189; &amp;nbsp;minutes. Six nines (99.9999%) is 30 seconds, it says so in Joel's essay.&lt;/p&gt;
</description></item><item><title>re: Windows Vista One Year Vulnerability Report</title><link>http://community.winsupersite.com/blogs/paul/archive/2008/04/17/windows-vista-one-year-vulnerability-report.aspx#13205</link><pubDate>Fri, 18 Apr 2008 16:34:53 GMT</pubDate><guid isPermaLink="false">a5a28da7-a54a-49cb-8e3d-fb9e7f7597ae:13205</guid><dc:creator>lotsamystuff</dc:creator><description>&lt;p&gt;&amp;quot;I've used Vista for about a year now, and it's given me 99.99% uptime&amp;quot;&lt;/p&gt;
&lt;p&gt;That's an interesting comment. Are you really tracking that number, or did you just pull it out of your ***? I'm assuming that you're being hyperbolic, because a 99.99% uptime allows for only 30 seconds of downtime per year. What was happening during your 30 seconds?&lt;/p&gt;
&lt;p&gt;For more reading:&lt;/p&gt;
&lt;p&gt;&lt;a rel="nofollow" target="_new" href="http://www.joelonsoftware.com/items/2008/01/22.html"&gt;www.joelonsoftware.com/.../22.html&lt;/a&gt;&lt;/p&gt;
</description></item><item><title>re: Windows Vista One Year Vulnerability Report</title><link>http://community.winsupersite.com/blogs/paul/archive/2008/04/17/windows-vista-one-year-vulnerability-report.aspx#13203</link><pubDate>Fri, 18 Apr 2008 15:10:44 GMT</pubDate><guid isPermaLink="false">a5a28da7-a54a-49cb-8e3d-fb9e7f7597ae:13203</guid><dc:creator>DRWAM</dc:creator><description>&lt;p&gt;I will be using Vista only for a while, unprotected except for the built-in firewall. I will do my usual life of web surfing and email, then let you know how it works out for an average user. I have auto update on, but is SP1 an auto update, or do I need to update manually? The System control panel does not show SP1, but I was not sure if it does.&lt;/p&gt;
</description></item><item><title>re: Windows Vista One Year Vulnerability Report</title><link>http://community.winsupersite.com/blogs/paul/archive/2008/04/17/windows-vista-one-year-vulnerability-report.aspx#13196</link><pubDate>Fri, 18 Apr 2008 12:40:17 GMT</pubDate><guid isPermaLink="false">a5a28da7-a54a-49cb-8e3d-fb9e7f7597ae:13196</guid><dc:creator>Dipsh t Admin</dc:creator><description>&lt;p&gt;&amp;quot;Stats can mean anything without standardized definable criteria and methodology.&amp;quot;&lt;/p&gt;
&lt;p&gt;You are absolutely right. &amp;nbsp;In this case, the computer industry has no definable standards like you speak for nearly anything. &amp;nbsp;A lot of this has to do with the ever quick changing nature of the industry that makes it difficult to define truly meaningful metrics.&lt;/p&gt;
&lt;p&gt;Once again, I echo Paul's statements that the report very clearly states that this is in fact only one metric, which just happens to be one that is able to be backed up by real stats, and not hearsay and anecdotal evidence.&lt;/p&gt;
</description></item><item><title>re: Windows Vista One Year Vulnerability Report</title><link>http://community.winsupersite.com/blogs/paul/archive/2008/04/17/windows-vista-one-year-vulnerability-report.aspx#13195</link><pubDate>Fri, 18 Apr 2008 12:12:58 GMT</pubDate><guid isPermaLink="false">a5a28da7-a54a-49cb-8e3d-fb9e7f7597ae:13195</guid><dc:creator>DRWAM</dc:creator><description>&lt;p&gt;Stats can mean anything without standardized definable criteria and methodology. These do have some meaning as MS and Apple both report the ones that are patched. Note that there are those reportedly not patched as well. It's all that there is given, so you read em and weep. Discovery is a different &amp;nbsp;story. If there is no standardized method and environment, then the result can be erroneous. &lt;/p&gt;
&lt;p&gt;Also, security can't just be measured by this one criterion, but all manners of 'insecurity' must be considered. This would be counting how many burglars break into the front door, and ignoring the backdoor and windows. Also, a better metric would be to count the actual successful security breaches. Although this is also a factor of the number of hackers, total security must have it included. Thus, a dynamic tally will change over the years, as the number of hackers for a given OS increases or decreases. Like a disease, we just don't look at one organ system as a failing different system could kill too.&lt;/p&gt;
</description></item><item><title>re: Windows Vista One Year Vulnerability Report</title><link>http://community.winsupersite.com/blogs/paul/archive/2008/04/17/windows-vista-one-year-vulnerability-report.aspx#13193</link><pubDate>Fri, 18 Apr 2008 11:13:06 GMT</pubDate><guid isPermaLink="false">a5a28da7-a54a-49cb-8e3d-fb9e7f7597ae:13193</guid><dc:creator>Flenser</dc:creator><description>&lt;p&gt;They even admit what I've said above in the report:&lt;/p&gt;
&lt;p&gt;&amp;quot;Note that individual metrics can even be mutually exclusive. For example, vendor policy could mandate a single security update per year which would definitely decrease the number of patches to deploy. However, that same policy would almost certainly mean that the exposure time for publicized issues would increase.&amp;quot;&lt;/p&gt;
&lt;p&gt;I bet if they had charted exposure time instead they would have come off worse. &lt;/p&gt;
&lt;p&gt;The report asks &amp;quot;All other things being equal, is it easier to mediate risk on a system that has 10 vulnerabilities in a year or one that has 100 vulnerabilities in a year?&amp;quot; The thing is, all other things are NOT equal, and if exposure time is different then it is the more relevant metric.&lt;/p&gt;
</description></item><item><title>re: Windows Vista One Year Vulnerability Report</title><link>http://community.winsupersite.com/blogs/paul/archive/2008/04/17/windows-vista-one-year-vulnerability-report.aspx#13192</link><pubDate>Fri, 18 Apr 2008 11:01:39 GMT</pubDate><guid isPermaLink="false">a5a28da7-a54a-49cb-8e3d-fb9e7f7597ae:13192</guid><dc:creator>Flenser</dc:creator><description>&lt;p&gt;Number of vulnerabilities isn't a good metric. How many days were there known vulnerabilities with no fix would be much more useful.&lt;/p&gt;
&lt;p&gt;It's just that it's not in Microsoft's interest to publicise that information because it would make them look bad, and it would be harder to control and spin, and it's not in security companies' interests to publicise it because their sales pitch is usually focused on the number of vulnerabilities they can protect you from, which is an easy concept for customers to grasp and marketers to create a message around.&lt;/p&gt;
</description></item><item><title>re: Windows Vista One Year Vulnerability Report</title><link>http://community.winsupersite.com/blogs/paul/archive/2008/04/17/windows-vista-one-year-vulnerability-report.aspx#13190</link><pubDate>Fri, 18 Apr 2008 01:49:47 GMT</pubDate><guid isPermaLink="false">a5a28da7-a54a-49cb-8e3d-fb9e7f7597ae:13190</guid><dc:creator>Waethorn</dc:creator><description>&lt;p&gt;&amp;quot;Those I think can be moved to a new PC unlike CAL's that come with a PC.&amp;quot;&lt;/p&gt;
&lt;p&gt;Don't confuse CAL's with licenses. &amp;nbsp;CAL's are client access licenses for PC's to connect to a server domain. &amp;nbsp;They are not licenses for the operating system that's installed on that client workstation. &amp;nbsp;CAL's are completely different and separate.&lt;/p&gt;
&lt;p&gt;I believe you are correct though, but I don't deal much in enterprise agreements. &amp;nbsp;I'm pretty sure that transferability in Open License requires SA though. &amp;nbsp;Open Value includes SA, and so is transferability. &amp;nbsp;Open Value is mostly just Open License + SA, but it costs a trivial amount more, and offers more benefits.&lt;/p&gt;
&lt;p&gt;Remember that for Open License and Open Value, those licenses are upgrade licenses only though, so you need to have a prior full license in order to qualify. &amp;nbsp;Buying software with the computer via OEM licensing is the cheapest way to buy software, and you can add SA to an OEM license in order to add said transferability, so that's a good way to stay current, and have a good ROI. &amp;nbsp;You would never need to buy a replacement license to upgrade your systems - just keep renewing SA over your technology lifecycles and move those aging OEM licenses to new machines as the need arises. &amp;nbsp;Oh, and SA also includes those free upgrades....not to mention training, deployment tools, IT help, a direct support contract with Microsoft, and home-use licenses too....&lt;/p&gt;
&lt;p&gt;&amp;quot;Those companies will continue to use XP for as long as they like, or 2014 when critical update support runs out.&amp;quot;&lt;/p&gt;
&lt;p&gt;When free support ends, support costs skyrocket though, so it's often in a business's best interest to move to something that is supported for free - in this case, Windows Vista SP1. &amp;nbsp;The support costs of OEM-provided software also go up when the original vendor (Microsoft, in this case) also moves into extended support lifecycles.&lt;/p&gt;
</description></item><item><title>re: Windows Vista One Year Vulnerability Report</title><link>http://community.winsupersite.com/blogs/paul/archive/2008/04/17/windows-vista-one-year-vulnerability-report.aspx#13188</link><pubDate>Fri, 18 Apr 2008 00:29:52 GMT</pubDate><guid isPermaLink="false">a5a28da7-a54a-49cb-8e3d-fb9e7f7597ae:13188</guid><dc:creator>DRWAM</dc:creator><description>&lt;p&gt;I am posting on Vista now. I am getting pop-ups out the wazoo, and I had a difficult time installing Java, so I better learn how to use IE7. &amp;nbsp;I don't think Vista is bad at all, and I am an average user. &amp;nbsp;However, read this headline: Apple's growth rate in terms of Mac shipments in the first quarter outpaced that of the other top five U.S. PC makers, a research firm said Wednesday.&lt;/p&gt;
&lt;p&gt;&lt;a rel="nofollow" target="_new" href="http://www.informationweek.com/news/hardware/mac/showArticle.jhtml;jsessionid=1NNJTWHSCZ1VGQSNDLOSKHSCJUNN2JVN?articleID=207400103&amp;amp;_requestid=157505"&gt;www.informationweek.com/.../showArticle.jhtml;jsessionid=1NNJTWHSCZ1VGQSNDLOSKHSCJUNN2JVN&lt;/a&gt;&lt;/p&gt;
</description></item><item><title>re: Windows Vista One Year Vulnerability Report</title><link>http://community.winsupersite.com/blogs/paul/archive/2008/04/17/windows-vista-one-year-vulnerability-report.aspx#13184</link><pubDate>Thu, 17 Apr 2008 23:35:55 GMT</pubDate><guid isPermaLink="false">a5a28da7-a54a-49cb-8e3d-fb9e7f7597ae:13184</guid><dc:creator>JamesRayG</dc:creator><description>&lt;p&gt;But as you say, it's all uneducated nonsense, eventually even the dumbest bloggers will realize what an improvement Vista is over XP and we will enter an 'era of Vista', with stable and secure computing for the masses. &amp;nbsp;I've used Vista for about a year now, and it's given me 99.99% uptime, no malware though I am a prolific surfer with IE7, and very few program incompatibilities with none in like the last 8 months. &amp;nbsp;Vista needs time to show its true greatness, then people will love it like XP but better.&lt;/p&gt;
</description></item><item><title>re: Windows Vista One Year Vulnerability Report</title><link>http://community.winsupersite.com/blogs/paul/archive/2008/04/17/windows-vista-one-year-vulnerability-report.aspx#13183</link><pubDate>Thu, 17 Apr 2008 23:17:59 GMT</pubDate><guid isPermaLink="false">a5a28da7-a54a-49cb-8e3d-fb9e7f7597ae:13183</guid><dc:creator>Snakedoctor1</dc:creator><description>&lt;p&gt;&amp;quot;Reports like these and improvements such as SP1 will turn sentiment towards Vista.&amp;quot;&lt;/p&gt;
&lt;p&gt;Doubtful, very doubtful. &amp;nbsp;&lt;/p&gt;
&lt;p&gt;I was in an airport not three weeks ago, in a southern state. &amp;nbsp;It was a Friday, and I was going home after a week on business. &amp;nbsp;Anyhow I am in this little airport bar, having a drink on my work notebook checking email and stuff, in this row against the wall, many business types doing the same. &amp;nbsp;It's packed because many flights in this section are waiting.&lt;/p&gt;
&lt;p&gt;Two to three tables over are two people, co-workers from what I could determine, waiting for a flight heading out on some business trip. &amp;nbsp;The one says to the other..&amp;quot;I just got a new Dell notebook a few months ago, and it came with Vista&amp;quot;. &amp;nbsp;&amp;quot;I could not stand it, so I paid one of the IT guys at work to put XP back on it&amp;quot;. &lt;/p&gt;
&lt;p&gt;My point is Joe User from my experience can't stand Vista. &amp;nbsp;The word, uneducated as it might be, has gotten out that Vista = BAD. &amp;nbsp;Joe User does not know what a service pack is, nor cares. &amp;nbsp;The recent surge in Mac sales has got to be partially from Vista hate as I like to call it.&lt;/p&gt;
&lt;p&gt;Sadly Vista from a security standpoint, is much better than XP. &amp;nbsp;MS needs to get a new OS out the door before they lose a lot of home customers. &amp;nbsp;It's getting easier and easier to go non Windows at home with so much moving to a Web browser. &amp;nbsp;iLife and the iPod represent probably 60-70% of what a home user wants to do with a PC, especially with PC gaming fading into the wind. &lt;/p&gt;
</description></item><item><title>re: Windows Vista One Year Vulnerability Report</title><link>http://community.winsupersite.com/blogs/paul/archive/2008/04/17/windows-vista-one-year-vulnerability-report.aspx#13181</link><pubDate>Thu, 17 Apr 2008 21:58:55 GMT</pubDate><guid isPermaLink="false">a5a28da7-a54a-49cb-8e3d-fb9e7f7597ae:13181</guid><dc:creator>subzerohitman721</dc:creator><description>&lt;p&gt;I think this report does speak for itself. Microsoft is making strides and this is not some PR offensive. Many independent studies are verifying that Vista is much more secure and that both OS-X and Linux OSes are lagging behind. Reports like these and improvements such as SP1 will turn sentiment towards Vista.&lt;/p&gt;
&lt;p&gt;This is a nice little victory for Microsoft. They can loudly and proudly tout they have at this moment in time, the most secure operating system on the market. The facts speak for themselves. &lt;/p&gt;
&lt;p&gt;Finally, the cloud of Vista Haters is being shattered by its own performance and improvements? So the question becomes, do you really want to run out there and download Linux distros? Do you really want to buy Macs when they have issues with Zero Day and vulnerability patching?&lt;/p&gt;
</description></item><item><title>re: Windows Vista One Year Vulnerability Report</title><link>http://community.winsupersite.com/blogs/paul/archive/2008/04/17/windows-vista-one-year-vulnerability-report.aspx#13179</link><pubDate>Thu, 17 Apr 2008 21:14:21 GMT</pubDate><guid isPermaLink="false">a5a28da7-a54a-49cb-8e3d-fb9e7f7597ae:13179</guid><dc:creator>Snakedoctor1</dc:creator><description>&lt;p&gt;Yeah I know the downgrade option was there for a while now from many vendors, Dell, HP, Lenovo...etc.&lt;/p&gt;
&lt;p&gt;What I did not know was that it was going to be available after June 30th. &amp;nbsp;If you could see the actual email the first sentence.... &lt;/p&gt;
&lt;p&gt;&amp;quot;Due to the negative feedback that we received from our customers’ about Windows XP Pro (OEM version) going away after June 30th, 2008 we have decided to continue offering Windows XP Pro on our systems.&amp;quot;&lt;/p&gt;
&lt;p&gt;Was bold and in yellow highlight, making it look like a change to the policy of not being able to get it at all after June 30th.&lt;/p&gt;
&lt;p&gt;Companies with select or enterprise agreements don't buy media anymore, just CAL's and load it on PC's. &amp;nbsp;Those I think can be moved to a new PC unlike CAL's that come with a PC. &amp;nbsp;Those companies will continue to use XP for as long as they like, or 2014 when critical update support runs out.&lt;/p&gt;
</description></item></channel></rss>