Share via


The security X-Factor: Vista security beating linux, XP, and Mac

Technorati Tags: security , threat modeling , vista , linux , mac

What is the X-Factor?  That's the the multiple that tells you how many MORE security vulernerabilites researchers found in other OSes than in Windows Vista, during each OS's first 6 months.  As in, "Novell SLED 10 had 5X more high severity vulnerabilities discovered than Windows Vista during each OS's first 6 months."  

Jeff Jones at CSO (full disclosure: Jeff's also a Microsoft employee) recently released a new report comparing the number and severity level of security vulnerabilities discovered for a range of desktop OS's during the first 6 months each OS was on the market.  In the comparator group: Windows Vista, Windows XP, Mac OS X 10.4, Red Hat's RHEL4WS, Ubuntu's 6.06 LTS, and Novell's SLED10 linux distributions.   Among his findings of high severity vulnerabilities discovered in the first 6 months:

  • XP had about 2X more high serverity vulnerabilities discovered than the first 6 months of Vista.  Considering the much greater attention on security research today, this is a big improvement over Microsoft's last OS.   
  • Red Hat's Enterprise Linux 4 Workstation had about 7X more high severity vulnerabilities than Vista.  This is using a reduced linux load for a more equitable  apples-to-apples comparison (e.g., optional server components and office components, etc, are pulled out).  Otherwise the X-factor would've been closer to 10X.   
  • Ubuntu 6.06 had about 3X more high severity vulnerabilities discovered than Vista with reduced build.  Including all components, Ubuntu had about 5X more vulnerabilities than Vista.
  • MAC OS X 10.4 had about 2X more high severity vulnerabilities than Vista in its first 6 months (just slightly better than XP)

I encourage you to take a look at the report yourself -- there's a lot more to see, including some very pretty charts that show unfixed vulnerabilities, as well as additional info on medium and low severity vulnerabilities.  The good news for Vista users is that Vista comes out ahead on every single measure. 

Jeff attributes Vista's significant vulnerability performance advantage to the Microsoft's Security Develoment Lifecycle (SDL).  Security is a complex and mult-faceted issue, but I believe the SDL has helped Microsoft make great strides on the security front.  Vista is the first and only desktop operating system to ever be developed with the attention to security that the SDL process provides, and early indications are that Vista is the security champ.   

Beth Patton has onbserved that improving OS security is likely to force attackers up the stack, leading to more attacks on applications.  I've got a pointer to secure coding practices in my post here, but you may also want to check out threat modeling.  There's a highly rated book on it here, and very good blog on threat modeling here

Additionally, Microsoft has a free tool here that you can use to help automate your threat modeling activities.  The overview says:

Microsoft Threat Analysis & Modeling tool allows non-security subject matter experts to enter already known information including business requirements and application architecture which is then used to produce a feature-rich threat model. Along with automatically identifying threats, the tool can produce valuable security artifacts such as:

- Data access control matrix
- Component access control matrix
- Subject-object matrix
- Data Flow
- Call Flow
- Trust Flow
- Attack Surface
- Focused reports

Threat modeling is good, important stuff.  If you're not doing threat modeling in your application development, you really should be looking at this very seriously.  Application security is a critical matter of trust between your company and the people who rely on it's systems -- your employees, partners, and customers. 

With Vista deployments growing, life is getting harder for attackers, and apps are likely to continue emerging as a siginficant front in the security war of good folks vs. blackhats.   My advice: fight back. 

UPDATE: I've responded to some of the comments below in this post here .  -John

Comments

  • Anonymous
    July 13, 2007
    The comment has been removed

  • Anonymous
    July 13, 2007
    What is the X-Factor? That's the the multiple that tells you how many MORE security vulernerabilites

  • Anonymous
    July 14, 2007
    Using the term "security" in conjunction with Microsoft OSes is laughable at this point in time. To try and infer that it is in any way superior in this regard to Linux or Unix derivatives such as Mac OS X is a patent falsehood and makes transparent Microsoft's desperation over the shortcomings of Vista, and the resultant failure by the enterprise and the general public to adopt it.

  • Anonymous
    July 14, 2007
    Wouldn't a more significant number be the number of computers taken over by malware without the hacker having physical contact with the computer in the first 6 months? To help you with your research, Mac OS X 10.4 had no infections in it's first 6 months. Mac OS X has never had an infection without physical access to the computer being hacked in the 6 plus years since it's release. Patched vulnerabilities are not exploits. I await Windows and Linux numbers with baited breath.

  • Anonymous
    July 14, 2007
    Hmmm... Do I detect the unpleasant smell of F.U.D. here? It's all in semantics...