
More Than Half of Known Vista Bugs are Unpatched

Zonk posted more than 7 years ago | from the bugtracker-is-half-empty-attitude dept.

Security 257

MsManhattan writes "Microsoft security executive Jeff Jones has disclosed that in the first six months of Vista's release, the company has patched fewer than half of the operating system's known bugs. Microsoft has fixed only 12 of 27 reported Vista vulnerabilities whereas it patched 36 of 39 known bugs in Windows XP in the first six months following its release. Jones says that's because "Windows Vista continues to show a trend of fewer total and fewer high-severity vulnerabilities at the six month mark compared to ... Windows XP," but he did not address the 15 unpatched flaws."


257 comments


Why would you ever..... (3, Insightful)

otacon (445694) | more than 7 years ago | (#19607757)

announce something like that? That's not exactly the best PR for Vista. Then again Vista isn't exactly good PR for Microsoft.

Re:Why would you ever..... (0)

Anonymous Coward | more than 7 years ago | (#19607815)

This is only half of a problem because the other half refuse or are forbidden to use it.

Re:Why would you ever..... (5, Insightful)

ThinkFr33ly (902481) | more than 7 years ago | (#19607889)

Well, they didn't.

If you RTFA, you'll see that Vista's unpatched vulnerabilities are not considered "critical" because, thanks to Vista's improved security model, they are virtually impossible to exploit.

Slashdot actually managed to spin a highly positive analysis of Vista into something that suggests Vista is not only worse than XP, but Microsoft is somehow going out of its way *not* to fix it.

Gotta love it. Slashdot is the GOP of technology news sites.

Re:Why would you ever..... (5, Funny)

morgan_greywolf (835522) | more than 7 years ago | (#19608119)

If you RTFA, you'll see that Vista's unpatched vulnerabilities are not considered "critical" because, thanks to Vista's improved security model, they are virtually impossible to exploit.


And I think you'll see that thanks to my new and improved door lock, the fact that I leave my windows unlatched is not a critical security issue.

Re:Why would you ever..... (4, Insightful)

ThinkFr33ly (902481) | more than 7 years ago | (#19608223)

And I think you'll see that thanks to my new and improved door lock, the fact that I leave my windows unlatched is not a critical security issue.
What a completely nonsensical and inaccurate comparison. Microsoft's Secure Development Lifecycle has almost certainly dramatically improved the quality of their code. This report, plus 3rd party counts of vulnerabilities, support this conclusion.

But no matter how good your code is, things will be missed. That's the point of having things like Address Space Layout Randomization, IE 7 Protected Mode, Session 0 Isolation, and the dozens of other security layers that Microsoft added to Vista.

Furthermore, being rated non-critical can often mean that it requires significant user action (like turning off multiple security features) in order to make a user vulnerable.

What's next, are you going to blame Microsoft when a user smacks their motherboard with a hammer?

The fact of the matter is, that at least so far, Vista is proving to be the most secure OS on the market. (Aside from perhaps OpenBSD, of course. :) If you have data that suggests otherwise, then provide it.

Otherwise, keep your silly analogies to yourself.

Re:Why would you ever..... (0, Redundant)

sogoodsofarsowhat (662830) | more than 7 years ago | (#19608539)

You are wrong... seeing as my Macs have never been compromised then I guess you're wrong. My Windows Vista / XP and 98 systems all sooner or later were compromised, but the Macs NEVER! I own a good size company and thus have lots of desktops. We are migrating as many as possible to the Macs simply because of security and no stupid EULA restrictions like in the new VISTA licenses. You sir should think before you post.

Re:Why would you ever..... (-1, Troll)

Anonymous Coward | more than 7 years ago | (#19608681)

again...another lamer that thinks they know how to use computers..

yea...go with your MACs...leave the PCs to real users/techs that know how to make them work without all the crap you let infect your systems.

very poor use of the computer is what 99% of the problems of infections come from. if we can just teach you retards once and for all...DON'T OPEN ALL EMAILS THAT COME TO YOU FROM WHO-KNOWS-WHERE and DON'T CONTINUE SURFING ALL THOSE PORN SITES THAT ARE KNOWN FOR THE HACKS THEY PUT OUT and QUIT RUNNING FILES YOU HAVE NO IDEA IF THEY ARE INFECTED OR NOT!

analogy:
"if i have a bitchen new fast sports car, why would i replace that with a piece of proprietary machinery such as a tractor that costs 3-4 times as much, just because somebody came by and popped my tires??!!??...i wouldn't!"

Re:Why would you ever..... (3, Insightful)

ThinkFr33ly (902481) | more than 7 years ago | (#19608701)

You sir should think before you post.
You might want to follow your own advice.

You're committing a logical fallacy in your post. You equate the fact that your Macs have never been compromised (that you know of) to their actual security. This is an invalid equation.

I could write a piece of software that had a 1000 known critical security vulnerabilities, but it might never get hacked. Does that then mean that my software is secure? Of course not.

Factors that contribute to whether or not something gets compromised include the number of vulnerabilities in the code, but it's not limited to just that. Usage is a big factor. In the case of my buggy piece of software, if I'm the only one who uses it, it's unlikely to be a target.

Similarly, Mac OS X is used by far fewer people than XP. And, as of April, Vista was used by about 50% as many people as use Mac OS X. Chances are, Vista is now used by more people than Mac OS X. So a direct comparison is now at least more valid.

Macs have had far more known vulnerabilities than Vista, and even than XP in recent years. That's an objective fact. A fact that can't be changed by how much Steve Jobs Kool-Aid you drink.

Re:Why would you ever..... (2, Insightful)

Anonymous Coward | more than 7 years ago | (#19608867)

"Objective fact" for which you only provide an assertion and not a shred of evidence. Put up or shut-up.

Bottom line: M$ experience sucks. (2, Interesting)

twitter (104583) | more than 7 years ago | (#19608875)

the fact that your Macs have never been compromised (that you know of) to their actual security. This is an invalid equation.

The fact that only M$ machines get screwed and die along with your work is a good reason to avoid the platform.

Re:Why would you ever..... (3, Insightful)

Enrique1218 (603187) | more than 7 years ago | (#19608919)

OSX has more vulnerabilities than XP or Vista. Where do you get that number? Please publish the links to at least 3 sources of said number. I am just curious. This being slashdot and all. I am befuddled how so many haven't mastered citing a reference.

Re:Why would you ever..... (4, Interesting)

bmw (115903) | more than 7 years ago | (#19608849)

The fact of the matter is, that at least so far, Vista is proving to be the most secure OS on the market. (Aside from perhaps OpenBSD, of course. :) If you have data that suggests otherwise, then provide it.

That's quite a statement. I don't have evidence supporting anything either way but I still have a hard time swallowing that one given my past experiences. More secure than previous Windows systems, perhaps. Most secure OS on the market? That's probably a bit of a stretch. Personally, I would still be far more comfortable with the security of any of the BSDs, Linux, Mac OS X, Solaris, or any other flavor of UNIX. Not to mention more obscure operating systems.

Furthermore, it's extremely difficult to prove such things. Simply looking at the number of vulnerabilities is nowhere near adequate and, given your statement, I think the burden of proof would be on you.

Re:Why would you ever..... (4, Interesting)

TheRaven64 (641858) | more than 7 years ago | (#19609097)

Vista is proving to be the most secure OS on the market. (Aside from perhaps OpenBSD, of course. :)
I believe the most secure OS on the market at the moment is probably OpenVMS. Certain others, like Symbian, seem to do well too. I don't know of many Symbian compromises, in spite of the hundreds of millions of Symbian devices that spend 100% of their time connected to the network. I believe even WinCE has a better security record than Vista to date, so it's not even the most secure Microsoft operating system out there... OpenBSD has had a couple of security holes recently, but probably less than Vista.

It's very difficult to compare the security of OpenBSD to Vista, because of what is included. OpenBSD, for example, doesn't include a web browser in the base system. It includes X11, but not a complete desktop environment. For it to be a fair comparison, you would have to compare OpenBSD + GNOME (for example). On the other hand, OpenBSD includes a number of things that aren't in Vista, such as a compiler, so you might have to throw in Visual Studio. But that's an IDE, so maybe throw Eclipse into the OpenBSD pile...

Re:Why would you ever..... (1)

Zeek40 (1017978) | more than 7 years ago | (#19608513)

I think a more apt comparison would be: "And I think you'll see that thanks to the fact that everything I own is either bolted to the floor or inside a vault, the fact that I leave my windows unlatched is not a critical security issue."

I just love it when you astroturf. (0)

Anonymous Coward | more than 7 years ago | (#19608175)

You are so good at it.

Re:Why would you ever..... (1)

Chris_Mir (679740) | more than 7 years ago | (#19608329)

Slashdot actually managed to spin a highly positive analysis of Vista into something that suggests Vista is not only worse than XP, but Microsoft is somehow going out of its way *not* to fix it.

Yeah, Microsoft would never spin facts around into their own advantage!

virtually impossible to exploit (1)

hAckz0r (989977) | more than 7 years ago | (#19608447)

Glad you set me straight on that one. I guess this means I won't have to tell my office mate I 0wn3d his system late yesterday then. Didn't happen because that would be virtually impossible now wouldn't it? Must have just been my active imagination watching his reaction to his new Folding@home screensaver a minute ago. EAL4? Yea, right.

Bullshit meter: off the scale (0)

Anonymous Coward | more than 7 years ago | (#19608597)

Care to give some details on what you did? I'm not going to hold my breath!

Re:Bullshit meter: off the scale (1)

hAckz0r (989977) | more than 7 years ago | (#19609085)

Sorry, I can't do that in this forum, and certainly not for an 'Anonymous Coward' with an attitude. My employer has a very strict policy about going through the proper channels when it comes to these things and I kind of like my current job just the way it is. If you want to know the answer then go buy your own copy of IDA Pro and figure it out for yourself. It's really not that hard once you know what you are doing.

Blame the source, which was not hard enough. (1)

twitter (104583) | more than 7 years ago | (#19608659)

No, this is not Slashdot spin. It's a direct report of the original source, Security World:

A Microsoft Corp. security executive released data Thursday showing that, six months after shipping Windows Vista, his company has left more publicly disclosed Vista bugs unpatched than it did with Windows XP.

So that's the journalist's opinion.

You can also note the direct carry over of M$'s laughable position that Vista is doing better than XP. Windoze has never been and never will be a safe and secure place for your data and this shows, even if you accept the M$ numbers. They've wasted all their effort making life suck for the end user with digital restrictions and competitor sabotage instead of addressing fundamental security issues. Vista is more of the same from a company that does not care and lies through its teeth about it every time. There can't be more than fifty people in the world ready to believe Vista is going to be any better than any other version of Windoze.

Re:Why would you ever..... (1)

Ucklak (755284) | more than 7 years ago | (#19608817)

Don't have to RTFA

Microsoft has fixed only 12 of 27 reported Vista vulnerabilities whereas it patched 36 of 39 known bugs in Windows XP

As most analogies suck, if the OS was akin to a house, the 15 vulnerabilities should be something like:

1. Doorbell light not working
2. Doorknobs dirty and stick sometimes.
3. Windows have bad seals and moisture is visible inside.
4. Garage has unfinished walls
5. Backyard is not landscaped
6. House needs to be painted
7. Carpet needs to be replaced
8. House backs to a busy street
9. House is near train tracks
10. Roof will need replacing within 5 years
11. Hot water heater will probably need replacing within 5 years
12. There is a creak on the floor on the second level near the bathroom
13. Refrigerator and dishwasher are not included
14. There are cracked tiles in the kitchen
15. Ceiling fans don't work in 2 rooms

But hey, all the doors and windows lock and the roof doesn't leak. Sounds lovely.

Re:Why would you ever..... (0)

Anonymous Coward | more than 7 years ago | (#19609009)

Now, let's wait for WOW ;)

WOW - Wrath of Weirdoes

Re:Why would you ever..... (1)

Lesrahpem (687242) | more than 7 years ago | (#19609037)

I think the security industry has a pretty skewed idea of "virtually impossible" to exploit. The people who are saying these bugs are impossible to exploit are engineers and PR people, not people who actually have experience exploiting such bugs in the real world.

Re:Why would you ever..... (2, Insightful)

SwordsmanLuke (1083699) | more than 7 years ago | (#19608021)

Actually, they didn't announce anything *like* that. This article has more slant than... well the original *very slanted* report. The report this article is referencing is actually trying to make the point that Vista is (according to Microsoft's metrics) teh most secoor OS EVAR!!! The report compares the number of bugs disclosed in the first 6 months of the OS' existence which remained unfixed after 90 days. It seems to me that a more telling metric for security would be the longer term trend of bugs disclosed vs. patched, but hey, I'm not a security researcher.

If you want to read the actual report, check out the link to the PDF from this page: http://www.vnunet.com/vnunet/news/2192615/microsoft-claims-vista-secure/ [vnunet.com]

Actual quote? (1)

sobachatina (635055) | more than 7 years ago | (#19608051)

What I would like to know is what the guy actually said. The article starts by saying that half the BUGS were fixed and then starts talking about half of the vulnerabilities and then uses the two words interchangeably.

Did the guy say half the bugs or half the vulnerabilities? Half the vulnerabilities seems bad to me. Half the known bugs is not bad at all- in fact I would consider that somewhere around par for software development.

Either way I agree it sounds bad.

Re:Actual quote? (5, Informative)

ThinkFr33ly (902481) | more than 7 years ago | (#19608143)

Then read the actual report: http://www.csoonline.com/pdf/6_Month_Vista_Vuln_Report.pdf [csoonline.com]

It sounds bad because the person who posted it to Slashdot, and Slashdot's editors, want it to sound bad. Are you new here or something?

Re:Actual quote? (1)

sobachatina (635055) | more than 7 years ago | (#19608593)

Thanks for the link. That clears things up nicely.

While not exactly 'new here', I try to turn a blind eye to inflammatory contributions by the editors. I like Slashdot a lot and still hope that some day it will grow up and stop trying to make everything sound like a scandal just to get page hits.

Incidentally, in this case, the bad wording is actually from the article.

Re:Why would you ever..... (2, Informative)

nusuth (520833) | more than 7 years ago | (#19608991)

Then again Vista isn't exactly good PR for Microsoft.

I recently bought a notebook with Vista Home Premium preloaded. Due to all negative things I've heard about Vista, I was prepared to downgrade. I was determined not to waste my time fixing a broken OS just because I could. However I was pleasantly surprised. It is, of course, nothing like what was promised a few years ago but it is an improvement over XP. The only problem I've had (about networking with XP) took five minutes to solve. It has also been rock solid so far (with a directx 10 card, despite all horror stories.) I still don't see any reason to upgrade my XP boxes but I also don't see any reason to avoid Vista.

so what ? (0, Troll)

Adolf Hitroll (562418) | more than 7 years ago | (#19607763)

only yanx use that piece of garbage...

Wrong title (5, Informative)

trifish (826353) | more than 7 years ago | (#19607779)

First, the author of the submission doesn't know the difference between a bug and a vulnerability. Second, the title ought to read: "Vista Vulnerabilities are Less Serious than in XP" (and there are fewer vulnerabilities in Vista than in XP in total).

That's the reason why only half of them were fixed while in XP most of them were.

Re:Wrong title (0)

Anonymous Coward | more than 7 years ago | (#19607909)

yeah, but that would hurt little fuzzy wuzzy leenooks zealots' feelings, aww :( We can't do that to our community, oh no!!

Re:Wrong title (0, Insightful)

Anonymous Coward | more than 7 years ago | (#19607963)

Oh, stuff it.

As the OpenBSD guys say "the difference between a bug and a vulnerability is the intelligence of the attacker".

Re:Wrong title (0)

Anonymous Coward | more than 7 years ago | (#19608081)

I'm sorry, stuffing it is not compatible with my linux. The world is not ready for linux or stuffing things. It's everyone else's fault, but not linux's.

Re:Wrong title (1)

LingNoi (1066278) | more than 7 years ago | (#19608185)

Second, the title ought to read: "Vista Vulnerabilities are Less Serious than in XP"

GNU/Linux vulnerabilities less serious than Vista.

Re:Wrong title (1)

MMC Monster (602931) | more than 7 years ago | (#19608215)

Absolutely. Congrats should go out to MSFT that their new OS is more secure than their previous OS.

Of course, this being /., people will gripe that the default installation has any security flaws at all. That being said, most vulnerabilities could be mitigated by user education, anyway.

Re:Wrong title (0, Troll)

truthsearch (249536) | more than 7 years ago | (#19608345)

Congrats should go out to MSFT that their new OS is more secure than their previous OS.

Yeah, according to Microsoft. Please swallow only with a humongous grain of salt.

For all we know there can be critical vulnerabilities which Microsoft discovered but simply hasn't disclosed.

Flawed Logic (3, Interesting)

asphaltjesus (978804) | more than 7 years ago | (#19608251)

First sentence is correct. Author didn't distinguish bug/vulnerability.

The second sentence, while double-plus-good Microsoft PR speak, is critically flawed reasoning.

If the parent said "Known Vista vulnerabilities..." I would agree, but that still glides over many fundamental liabilities that Microsoft products push onto the customer like:
1. The concept of security in Microsoft products means protect Microsoft's intellectual property.
2. No one can reasonably predict the scope or scale of Microsoft vulnerabilities.
3. Given Microsoft's history of producing "secure" operating systems, it is reasonable to assume there is no evidence end-user security features make it through to the end product. Note carefully, Microsoft has *very* talented programmers who can code securely; after all, their monopoly status affords them this luxury. I'm saying that their work doesn't make it all the way through the management gauntlet. UAC is a perfect example. It is not a security boundary. http://blogs.zdnet.com/security/?p=175 [zdnet.com]

The Vista train will pull out of the station eventually because Microsoft's monopoly makes this a sure thing. As every other Microsoft OS has shown, there will be critical vulnerability surprises. It's a matter of when, not if.

Re:Flawed Logic (1)

ericrost (1049312) | more than 7 years ago | (#19608445)

"The Vista train will pull out of the station eventually because Microsoft's monopoly makes this a sure thing."

Windows ME.. cough.. cough...

Windows ME is not an answer (1)

asphaltjesus (978804) | more than 7 years ago | (#19608613)

One failed product does not damage a monopoly.

Re:Windows ME is not an answer (1)

ericrost (1049312) | more than 7 years ago | (#19609105)

No, but how about a string of them. Cairo, Longhorn... Win 95 was SUPPOSED to be Cairo, but all the features were stripped out before release and we ended up with a dressed up (and admittedly more stable) win 3.1 STILL on top of DOS. Then NT was supposed to be Cairo, but again, didn't make the cut. Then Win XP was supposed to be Cairo, but again, same story. Then they shifted to talk to Longhorn.... you can connect the dots. Microsoft has been selling vaporware to catch up with competitors for 20 years now. Wake up. http://www.roughlydrafted.com/RD/Q4.06/4E2A8848-5738-45B1-A659-AD7473899D7D.html [roughlydrafted.com]

Re:Wrong title (1)

neoform (551705) | more than 7 years ago | (#19608771)

"and there are fewer vulnerabilities in Vista than in XP in total"

Vista's been out for a few months; XP has been out for more than half a decade. Obviously there are more known bugs in XP than Vista.

Not the article I read. (2, Insightful)

twitter (104583) | more than 7 years ago | (#19608779)

The article I read trashed M$'s sorry analysis and told me to expect more of the same from Vista as we've seen with every other M$ OS:

He published the data in an effort to show how Microsoft's software development methodology, called the Security Development Lifecycle (SDL) is yielding dividends. But his method of comparing Windows to Linux and Mac OS X is problematic, according to some.

"This is an apples-to-oranges comparison," said HD Moore, one of the hackers behind the popular Metasploit penetration testing toolkit. "If you want a more accurate view, try comparing the number of flaws between Microsoft-developed software and vendor-X-developed software. Most Linux vendors don't actually write the majority of the packages they include," he said via e-mail.

"Alternatively, force Microsoft to include all vulnerabilities in common third-party software," he added. "For example, the thousands of exploitable ActiveX controls that... vendors include with a Windows system."

So, the end user experience is likely to be unchanged, if they can even get Vista to work. As is always the case for a new Windoze release, the drivers are not there. Worse, new digital restrictions schemes make for poor performance even if they do get it to work. "Trip bits" and other nonsense make Vista a poor performer by design.

Re:Not the article I read. (1)

dedazo (737510) | more than 7 years ago | (#19609163)

The article you read, is it the one that fails to make a distinction between a bug and a vulnerability? Because that's the one I read. Oh, wait. We're in the Spin Zone. Sorry. Um, "M$ Windoze suxxorz LOLOLZ LINUX ROXXORZ!!!one!!!1!" There, that sounds about right. Facts and reality are so annoying and distracting anyway. Who needs them.

Rubbish. (4, Funny)

onion2k (203094) | more than 7 years ago | (#19607787)

I've got two older brothers, I don't think that makes me stupid. ;)

Re:Rubbish. (4, Funny)

chalkyj (927554) | more than 7 years ago | (#19607823)

As demonstrated by your uncanny ability to reply to the correct article [slashdot.org] , right?

Re:Rubbish. (0)

Anonymous Coward | more than 7 years ago | (#19607845)

I've got two older brothers, I don't think that makes me stupid. ;)

Kind of funny to post THAT on the wrong article, isn't it?

Re:Rubbish. (1, Informative)

onion2k (203094) | more than 7 years ago | (#19607991)

That was the joke. Hence the ;). Slashdot mods didn't get it though.

Re:Rubbish. (1)

MysteriousPreacher (702266) | more than 7 years ago | (#19608373)

I got it - nice joke, it's more interesting than this Fox Newsesque presentation of the article as yet another "OMG, VISTA SUX0RS COMPARED TO XP!!1!" piece.

Re:Rubbish. (1)

suv4x4 (956391) | more than 7 years ago | (#19608399)


>Kind of funny to post THAT on the wrong article, isn't it?

That was the joke. Hence the ;). Slashdot mods didn't get it though.


We have our first trans-article Slashdot joke. Party tonight :)

Re:Rubbish. (5, Funny)

Aqua_boy17 (962670) | more than 7 years ago | (#19607855)

I've got two older brothers, I don't think that makes me stupid. ;)
It doesn't. Only doing something like posting in the wrong thread would do that.

/chain yanking

Re:Rubbish. (1)

janrinok (846318) | more than 7 years ago | (#19608253)

LOL! Perhaps having 2 older brothers doesn't make one stupid, but it doesn't mean that YOU are not stupid. For example, do you know which thread you are in .....?

Re:Rubbish. (1)

MiniMike (234881) | more than 7 years ago | (#19608595)

I would believe that this is a joke, if it weren't for the many posts in support of Vista that you submitted to the other article...

Simple Explanation (3, Insightful)

Aqua_boy17 (962670) | more than 7 years ago | (#19607793)

From TFA:

"it will be more interesting to look at vulnerability statistics once Vista becomes more popular than XP, and the target of more hackers."
I for one am glad Microsoft releases fixes for XP problems in a more timely fashion than Vista. I would expect that when Vista deployments outnumber XP, the situation will reverse itself. So where's the story here?

Nothing has changed, that's news. (1)

twitter (104583) | more than 7 years ago | (#19608821)

I would expect that when Vista deployments outnumber XP, the situation will reverse itself. So where's the story here?

Even if you buy the demonstrably false "popularity argument" for poor M$ performance, the real story here is that nothing has changed for the user [slashdot.org] .

third (-1, Offtopic)

Anonymous Coward | more than 7 years ago | (#19607799)

not phirst tho

Big deal... (2, Funny)

Kainaw (676073) | more than 7 years ago | (#19607801)

Big deal. The VA has been trying to fix VistA [wikipedia.org] since 1985.

And so... (1)

Lookin4Trouble (1112649) | more than 7 years ago | (#19607805)

This should be news to whom exactly?

Why would anyone bother putting out security patches for an OS that nobody uses yet? Security through obscurity and all of that nonsense.

What I'd really like to know is why critical vulnerabilities in IE7 are thoroughly ignored, even though it's available to install on XP (and yes, hard as it is to believe, people are actually using it _instead_ of Firefox/Safari/Your Favorite Flavor here...)

Re:And so... (1)

BigBadBus (653823) | more than 7 years ago | (#19608419)

Talking of an OS that no-one uses.... These stats are from my website, which has been running since February: Windows - all flavours - 10,307 hits, 90.56% Apple - all flavours - 740 hits, 6.50% Linux/Unix - all flavours - 225 hits, 1.98% or, more specifically: (OS - hits - %) Windows XP 9,155 80.44% Mac OS X 716 6.29% Windows 2000 526 4.62% Windows Vista 389 3.42% Linux 221 1.94% Windows 98 206 1.81% Other/Unknown 99 0.87% Macintosh 24 0.21% Windows NT 21 0.18% Windows ME 7 0.06% WebTV 5 0.04% OS/2 3 0.03% FreeBSD 3 0.03% Windows 95 2 0.02% SonyEricsson Phones 2 0.02% SunOS 1 0.01% Windows 3.1 1 0.01% - Vista had a slow start, but it even took over Linux after a few weeks. How come people don't say "it's an OS that no-one uses" when talking about Linux?

Re:And so... (1)

BigBadBus (653823) | more than 7 years ago | (#19608491)

.....and my html line breaks got missed out. Grrr!

Re:And so... (1)

TheRaven64 (641858) | more than 7 years ago | (#19609181)

Interesting numbers. What's your target audience? I'm surprised Mac OS X is so popular (6.29% doesn't sound like much, but it's over the 3-5% I usually see for OS X market share).

Re:And so... (2, Funny)

Doctor Crumb (737936) | more than 7 years ago | (#19608917)

Let's dig up one of the old /. favourites:

"The only reason XP is the target of so many viruses is because it is so widely used! If Vista was as popular as Windows XP, there would be just as many viruses written for those platforms!"

(firmly tongue in cheek, I'm aware that Vista's UAC is still a pale imitation of a real security model).

In Other Words (5, Insightful)

camperdave (969942) | more than 7 years ago | (#19607813)

Jones says that's because "Windows Vista continues to show a trend of fewer total and fewer high-severity vulnerabilities at the six month mark compared to ... Windows XP,"

So, they're not fixing the bugs because Vista is less buggy than XP? Whatever happened to fixing it because it was broken?

Re:In Other Words (1)

niceone (992278) | more than 7 years ago | (#19607995)

Whatever happened to fixing it because it was broken?

The saying is: If it ain't broke, don't fix it. If it was the way round you said, the software industry would disappear under an infinite pile of Gantt charts.

Re:In Other Words (1)

ThinkFr33ly (902481) | more than 7 years ago | (#19608099)

Microsoft quickly patched all of the critical vulnerabilities in Vista. Those vulnerabilities that are not rated critical, which comprise 100% of the unpatched vulnerabilities mentioned in the article, are simply not very likely to cause issues for people.

Microsoft often waits to patch these kinds of vulnerabilities until they've taken care of more important things, like critical bugs, and sometimes chooses to roll them up into a service pack. This allows for more thorough testing and decreases the chance that the minor fix causes a major regression issue.

Despite what people think, Microsoft doesn't have unlimited resources.

Re:In Other Words (1)

harry666t (1062422) | more than 7 years ago | (#19608219)

Microsoft often waits to patch these kinds of vulnerabilities until they've taken care of more important things, like critical bugs, and sometimes chooses to roll them up into a service pack. This allows for more thorough testing and decreases the chance that the minor fix causes a major regression issue.

Then... I just wonder. Why virtually no linux distro is using things like SPs and still virtually all of them remain much more secure and stable than any Windows version ever was?...

Re:In Other Words (0)

ThinkFr33ly (902481) | more than 7 years ago | (#19608303)

Then... I just wonder. Why virtually no linux distro is using things like SPs and still virtually all of them remain much more secure and stable than any Windows version ever was?...
I wonder what you're basing that conclusion on since the data that is readily apparent seems to suggest otherwise.

Re:In Other Words (0)

Anonymous Coward | more than 7 years ago | (#19608787)

Just curious, what do you do at Microsoft?

Re:In Other Words (1)

Churla (936633) | more than 7 years ago | (#19608589)

Maybe it's because whereas the geekcore like the idea of seeing dozens of small patches/updates to packages come down when they do an apt-get update the general populace likes seeing one package which fixes several bugs.

This is the difference between using Service Packs and using individual patches for individual packages/applications. It's a Monolith versus granular approach.

Because of the scale MS has to work on and support people it's far easier for them to work within the monolithic model.

As for why they choose to fix certain bugs in a certain order, it's called prioritization. If they were dumping everything to fix every Vista bug then people would be bashing them for ignoring XP where the majority of their installed base still is. As it is they're handling the biggest fires first, then probably heading to take care of the medium and small sized ones next. In general this whole story is a heaping steaming pile of "meh" to me.

P.S. - If you're trying to earn some kinda Linux windows-bashing geek cred you're gonna need to step up the game a little to impress the judges around here, they're really finicky.

Re:In Other Words (1)

drsmithy (35869) | more than 7 years ago | (#19608987)

<blockquote>This is the difference between using Service Packs and using individual patches for individual packages/applications. It's a Monolith versus granular approach.</blockquote>

You do realise a SP is basically just a bunch of individual patches bundled up together into a single, easily installable entity, right? Like, say, Red Hat does with their regular repackaging to "RHAS 4 Update 3", etc.

Re:In Other Words (1)

lseltzer (311306) | more than 7 years ago | (#19608499)

I think the delay is more likely attributable to them putting less-severe bug fixes on a longer and more rigorous test cycle.

Vista is the youngest in the series (5, Funny)

Anonymous Coward | more than 7 years ago | (#19607849)

So naturally his IQ is 3 points lower than his older brother XP.

Apparently the developers of Vista are following that trend too!

I know we slag them off... (5, Funny)

monk.e.boy (1077985) | more than 7 years ago | (#19607851)

I know our hobby is slagging off Microsoft, but hey, copying Linux seems to be working out for them.

Oh, damn. My carefully crafted, pro-Microsoft reply slipped into the usual M$ bashing. They are such an easy target. I can't help myself. Just like women drivers. I don't mean to joke at their expense, but sometimes the jokes, they slip out. I mean, I asked my girlfriend if my indicators were working and she said 'Yes. No. Yes. No.'

An oldie but a goldie. Feel free to use that one.

monk.e.boy

Re:I know we slag them off... (1)

Bacon Bits (926911) | more than 7 years ago | (#19609199)

<blockquote>I mean, I asked my girlfriend if my indicators were working and she said 'Yes. No. Yes. No.'

An oldie but a goldie. Feel free to use that one.</blockquote>

A slashdot user with a girlfriend? That is a good joke.

Vista flaws are not as critical as XP (2, Insightful)

erroneus (253617) | more than 7 years ago | (#19607863)

The simple fact is, there are still more XP loaded systems than Vista. Vista isn't yet a target except in areas where XP and Vista share the same flaw. ...I kinda hope it stays like that for a while too.

Talk about spin (2, Insightful)

Anonymous Coward | more than 7 years ago | (#19607877)

http://www.engadget.com/2007/06/22/report-vista-more-secure-than-os-x-and-linux/ [engadget.com]
An article on engadget that is pointing to the EXACT same data...yet the title there most certainly provides a seriously different outlook does it not? I do not blame anyone, however, as if I had seen an ACTUAL neutral title along the lines of 'microsoft employee posts dubious data of questionable usefulness to anyone except PR departments' I would without doubt have just scrolled on...

Re:Talk about spin (1)

GrayCalx (597428) | more than 7 years ago | (#19608487)

<blockquote>I do not blame anyone...</blockquote>

Wait wait wait... you mean you're not blaming Microsoft or the Government?!? What kind of slashdot poster are you?

So damned complex (1)

mulvane (692631) | more than 7 years ago | (#19607887)

They have made the underlying security model so damned complex that it takes 6 months to figure out how to patch a bug/hole.

They are not security holes. They are the patents (1, Funny)

140Mandak262Jamuna (970587) | more than 7 years ago | (#19607903)

Those 27 disclosed vulnerabilities cover some or all of the 237 patents that Microsoft has. Don't you dare fix any of them with a third party tool. You will be violating the patent rights of MSFT!

some one will eventually say it.. (0, Troll)

MXPS (1091249) | more than 7 years ago | (#19607921)

so I might as well say it, use linux.

Interesting (1)

ta bu shi da yu (687699) | more than 7 years ago | (#19607941)

I wonder exactly what the data would be like if you compared vulnerabilities in 3rd-party software AND Microsoft issues vs. security problems in Linux distributions?

Yawn (0)

Anonymous Coward | more than 7 years ago | (#19607971)

Film at 11.

I, For One, Welcome (0)

Anonymous Coward | more than 7 years ago | (#19608047)


Our new Botnet Overlords [microsoft.com].

Cheers,
Kilgore Trout

More Than Half of Known Vista Bugs are Unpatchable (1)

motumboe (784283) | more than 7 years ago | (#19608077)

oh my!!!

No surprise there (1)

hAckz0r (989977) | more than 7 years ago | (#19608721)

Their GDI privilege escalation (non-bug, non-vulnerability, buried topic, never mentioned anywhere at MS) started with NT 4.0 and was not "patched" until the GDI was rewritten for Vista. It was never "patched" because the design was fundamentally broken and could not be patched in any practical way. All you needed to exploit it was to get some application running at the SYSTEM privilege level to create and display a window and then the system was toast. Vista finally made the GDI just as secure as NT 3.5. Things are improving, No?

Journalism? (0, Troll)

br14n420 (1111329) | more than 7 years ago | (#19608107)

The little girl who got paid to write this article needs to keep doing whatever physical favors she is performing for the publisher to keep her job. Obviously, writing factual articles is not her cup of tea.

Vulnerabilities aren't bugs and bugs don't always get fixed. Note how in her FUD-laden drivel there's nothing about anything actually impacting her. It's all about the things that don't affect her, she doesn't understand, and shouldn't be spewing forth on the internet in paid fashion.

Re:Journalism? (0)

Anonymous Coward | more than 7 years ago | (#19608199)

Vulnerability = bug someone has figured how to exploit to circumvent normal execution privileges

Vista has nothing I need (0)

PorkNutz (730601) | more than 7 years ago | (#19608177)

I have tried Vista. The betas, a friend has a new machine with Vista. I even have a machine that is more than capable of running Vista. I just have no need for it.

It's not that it brings nothing new to the table, it just doesn't bring anything new that I need. The interface is pretty, but that alone is not worth the cost.

XP works for me. It does everything I need it to do, runs all the software I need it to run. Maybe in the future that will change, but seeing as I am only 6 months into my typical 2 year upgrade cycle, I don't see me needing Vista for at least another 18 months. Maybe by then it will have matured a bit and the vulnerabilities will be patched adequately. Then again, maybe XP will support the new tech that I will upgrade to, and I can milk this XP license a while longer

-----
Übergeek Necktie T-Shirt [prostoner.com]
Funny Shirts @ ProStoner.com

Is this the same guy who was bragging... (1)

jpellino (202698) | more than 7 years ago | (#19608201)

About their patch time being 29 days to OSX's 46 and hundreds for linux?

Does this count all the secret fixes? (3, Insightful)

argent (18001) | more than 7 years ago | (#19608203)

<blockquote>Jones argued that Vista had a lower number of vulnerabilities than competitive operating system products such as Red Hat Enterprise Linux and Mac OS X.</blockquote>

Microsoft has acknowledged that they include secret undocumented patches in hotfixes, patches that would count against their "score" if they were required to count them... open source software doesn't have the luxury of hiding their dirty laundry like that. And it's not just Linux that suffers from that "disadvantage", OS X has an awful lot of open-source components, and many of Apple's updates have been patches rolled in from them.

Microsoft's gaming the system here. Statements like this should be granted no credibility.

Re:Does this count all the secret fixes? (1, Insightful)

ThinkFr33ly (902481) | more than 7 years ago | (#19608403)

<blockquote>Microsoft has acknowledged that they include secret undocumented patches in hotfixes, patches that would count against their "score" if they were required to count them... open source software doesn't have the luxury of hiding their dirty laundry like that.</blockquote>

While I've certainly heard of Microsoft not disclosing the vulnerabilities until their patches are released, I've never heard of them patching things completely in secret. Do you have any citations to back that up?

<blockquote>And it's not just Linux that suffers from that "disadvantage", OS X has an awful lot of open-source components, and many of Apple's updates have been patches rolled in from them.</blockquote>

It's interesting that you attack Microsoft for secrecy but say nothing about Apple, which is famous for its hostile attitude towards people who discover exploits as well as their secrecy about their patches and what they fix.

<blockquote>Microsoft's gaming the system here. Statements like this should be granted no credibility.</blockquote>

Well, based on the evidence, the statement is true. Compare the vulnerabilities yourself. Find flaws in their reasoning. Poke holes in their report.

Re:Does this count all the secret fixes? (1)

Goaway (82658) | more than 7 years ago | (#19608809)

<blockquote>Apple, which is famous for its hostile attitude towards people who discover exploits as well as their secrecy about their patches and what they fix.</blockquote>

Famous in Slashdot-land, maybe. In the real world, not so much. Perhaps you should start being a little more critical of what the internet tells you.

So, wait... (1)

kornkid606 (1076023) | more than 7 years ago | (#19608211)

... who exactly is surprised by this? I mean, they could be not addressing the issues because of the slow pickup of the OS or maybe due to some other patent issues, but the fact that M$ would push out a bugged OS and then not expediently address the bugs can't possibly surprise anyone. I would assume they just patch enough to keep the user base quiet and then figure "we'll get it right on the next one." Seems that many hardware and software developers have adopted this stance of instead of taking the time to refine and perfect one thing, they push out a bunch of crappier things in the hopes that they get it right on the next iteration. Infuriating!

Vista is marketed as secure, was XP? (1)

BobMcD (601576) | more than 7 years ago | (#19608703)


Hindsight is getting blurry, but I seem to remember the world seeing XP as simply an 'upgrade' to 2000. People expected it to have vulnerabilities, be buggy, etc, but wanted the newness of it.

Vista was _supposed_ to be a total rewrite. A completely new animal, basically immune to XP's flaws.

Patching a ton of vulnerabilities right out of the gate would invalidate a TON of marketing effort.

Seems like not patching them (in public) is a good business decision for them. Not so very ethical, but it _IS_ MicroShaft we're talking about here.

Where is the 12 out of 27 number coming from? (1)

figleaf (672550) | more than 7 years ago | (#19608773)

There is no mention of 27 disclosed vulnerabilities in the report or on secunia.
Did someone make up the numbers so that it can be posted on Slashdot? ;)




Two steps forward, one step back. (2, Interesting)

fahrbot-bot (874524) | more than 7 years ago | (#19608973)

My guess is that it may be harder to fix things in Vista without breaking something else (like DRM functions) ...

Interesting quote (1)

edxwelch (600979) | more than 7 years ago | (#19609077)

Jeff Jones was further quoted as saying that there was no need to patch vulnerabilities in Vista, because "nobody uses it anyway."

Slower adoption = fewer bugs found? (1)

sherriw (794536) | more than 7 years ago | (#19609111)

I was under the impression that Vista sales are really low. And I can hazard a guess that those with Vista are so busy trying to get their old hardware and software to work, that they are unsure whether a bug is a real bug or a run of the mill compatibility problem.

So, I wouldn't be surprised that the number of bugs reported is lower than usual. Wait till the use of Vista grows- then the anti-MS hackers will start really pounding Vista.

Swing and a miss (0)

Anonymous Coward | more than 7 years ago | (#19609151)

I know this is Slashdot and all, but shit, could the title be any more biased? So Vista has some known outstanding non-critical security bugs hanging out there. So what? Microsoft doesn't rush fixes for those kinds of bugs because they are generally difficult to exploit, or require the system to already be exploited. These bugs wait until a service pack, generally, which goes through a much stricter testing regimen than a high priority fix.

This is a GOOD thing. It means that Vista is overall more secure than Windows XP because Microsoft hasn't had to rush critical fixes and can take the time to study and test the less critical fixes.

But shit, this is Slashdot, so, uh, fuck M$ final nail coffin losers going down don't need it, yadda yadda yadda and so forth.