By Lisa Vaas
June 21, 2007
News Analysis: Windows Vista only had 12 vulnerabilities in its first
six months, making Linux distros look buggy by comparison, but analysts
In its first six months, Windows Vista has proven to have far fewer
serious security vulnerabilities than enterprise Linux distributions and
Mac OS X, claims a chief security strategist at the software company.
Jeff Jones, security strategy director in Microsoft's Trustworthy
Computing Group, will tout Vista's track record in a report on June 21,
the six-month anniversary of the operating system's November release.
In the report, which will be released on Jones' blog, Jones compares the
number of vulnerabilities of critical, medium and low severity that have
been discovered in Vista with those found in Windows XP, Red Hat
Enterprise Linux 4 Workstation, Ubuntu 6.06 LTS, Ubuntu 6.06 LTSReduced
Component Set, Novell SUSE Linux Enterprise Desktop 10.8, Novell SLED
10Reduced Component Set and Apple Mac OS X v10.4.
The score, according to Jones: In the first six months of the Vista life
cycle, Microsoft has released four major security bulletins that address
12 total vulnerabilities affecting Windows Vista.
In comparison, the most popular Linux distribution, Red Hat Enterprise
Linux 4 Workstation, was swamped with 129 publicly disclosed bugs in
shipping components, 40 of them "High Severity." During the first six
months, Red Hat fixed a total of 281 vulnerabilities in RHEL4
Workstation. Eighty-six of those fixed were rated "High Severity" by the
NIST (National Institute of Standards and Technology) in the NVD
(National Vulnerability Database).
By Jones' count, Vista seems to be a nigh-impregnable fortress. But
counting vulnerabilities is not the best metric, say analysts and
"I get nervous about counts," said Michael Cherry, an analyst with
Directions on Microsoft. "If we get obsessed about vulnerability counts
we almost put pressure on them to manipulate the count. To not report
things. I wish we had a better metric than counting."
In addition, vulnerability counts are only somewhat objective, Cherry
pointed out. "Let's say you're working on a module of code. You go in to
fix problem A and while you're fixing problem A you find problem B. Do
you count those as two problems or one? I can make a case for it being
counted either way," he said.
Besides, it's hard to base a trend on a six-month security assessment,
Cherry said. Most operating systems have a 10-year life cycle, and so
far Vista has had a very limited deployment.
It could also be that there are more operating system guardians for
Linux distros and Mac OS X, argued Joe Wilcox, editor of Microsoft
Watch. More cops on the beat means that more criminals get caught.
When presented with this scenario, Austin Wilson, director of Windows
Client Security Product Management for Microsoft, based in Redmond,
Wash., disagreed. "I can't speak for Linux distributions; it's a good
question to ask them," he said. "I'm certainly happy to talk about
Microsoft's Jones admitted that many think it's unfair to count the
vulnerabilities for all of the components for the product that Red Hat
ships and supports as Red Hat Enterprise Linux 4 WS. But Jones said he's
prepared with a counterargument. "To accommodate that idea, I will
additionally analyze a reduced set of RHEL4WS components that deliver
functionality comparable to Windows XP and exclude other optional
components," he said.
"Linux distribution vendors add value to their workstation distributions
by including and supporting many applications that don't have a
comparable component on a Microsoft Windows operating system," he
continued. "It is a common objection to any Windows and Linux comparison
that counting the 'optional' applications against the Linux distribution
is unfair, so I've completed an extra level of analysis to exclude
component vulnerabilities that do not have comparable functionality
shipping with a Windows OS.
"You may read 'Red Hat and WindowsDefining an Apples-to-Apples
Workstation Build' for more details, but basically I install an RHEL4WS
computer and I exclude any component that is not installed by default,
which includes all optional "server" components that ship with RHEL4WS.
I additionally exclude text-Internet, graphics (the Gimp stuff) and
office (OpenOffice) and Development Tools (gcc, etc.) installation
groups. I use the rpm command to list out all packages that get
installed and use that package list to filter vulnerabilities."
Jones described the result as a Gnome-Windows workstation that includes
standard system management tools and Firefox for browsing, sound and
video support, but excludes all server packages, as well as OpenOffice
and other optional components that a Windows system wouldn't have by
He compared the security performance of this reduced RHEL4WS build to
Vista's. During the first 6 months, Red Hat fixed 214 vulnerabilities
affecting the reduced RHEL4WS set of components. Sixty-two of those
addressed were of high severity. At the end of the six-month period, a
total of 59 publicly disclosed vulnerabilities in the reduced set of
components did not yet have a patch from Red Hat, 12 of them rated high
"So, though the reduced component set of RHEL4WS did have a better
six-month period than the full product, Red Hat customers did face a
reasonably large number of vulnerabilities in the first six months,"
As far as Ubuntu 6.06 LTS (Long-Term Support) goes, Jones said it had 29
vulnerabilities already publicly disclosed prior to the June 1, 2006
availability date. Seven of the nine high-severity issues were fixed one
week later on June 8. Furthermore, during the first six months, Ubuntu
fixed 145 vulnerabilities affecting Ubuntu 6.06 LTS, 47 of which were
rated high severity in the NVD. At the end of the six-month period,
there were at least 20 publicly disclosed vulnerabilities in Ubuntu 6.06
LTS that did not yet have a patch available from Ubuntu.
A reduced-component build of Ubuntu 6.06 LTS had 74 vulnerabilities in
its first six months, Jones said, 28 of which were deemed high severity.
At the end of the six-month period, a total of 11 publicly disclosed
vulnerabilities in the reduced set of components did not yet have a
patch from Ubuntu, two of which were rated high severity, he said.
Novell's SLED 10 (SUSE Linux Enterprise Desktop 10), released on July
17, 2006, had "at least 23 vulnerabilities" already publicly disclosed
prior to the ship date, and Novell provided fixes for 20 of these in the
first six months, Jones said. Of those, five flaws were high severity.
During the first six months, Novell fixed a total of 159 vulnerabilities
affecting SLED 10, of which 50 were rated high severity in the NVD. At
the end of the six-month period, there were at least 27 publicly
disclosed vulnerabilities in SLED 10 that did not yet have a patch from
Novell, six of them high severity.
For the reduced component build of SLED 10, in its first six months,
according to Jones' count, Novell fixed 123 vulnerabilities affecting
the reduced SLED10 desktop set of components. Forty-four of those
addressed were of high severity. At the end of the six-month period, a
total of 20 publicly disclosed vulnerabilities in the reduced set of
components did not yet have a patch from Novell, six of them rated high
As for Mac OS X, Mac OS X v10.4 had 10 vulnerabilities already publicly
disclosed prior to the April 29, 2005 ship date and Apple provided fixes
for nine of these during the first six months after shipment. Three of
the vulnerabilities were high severity. During the first six months,
Apple fixed a total of 60 vulnerabilities affecting Mac OS X v10.4, of
which 18 were rated high severity in the NVD. At the end of the
six-month period, Mac OS X v10.4 still had 16 publicly disclosed
vulnerabilities that did not yet have a patch available from Apple,
three of them rated high severity.
Jones also compared Vista's performance with the number of
embarrassments Windows XP suffered in its first six months. According to
Jones, when Windows XP shipped, there were already three vulnerabilities
in Internet Explorer that had been disclosed and fixed three weeks
previously. Consequently, new users needed to apply an IE patch
immediately to address those.
Microsoft fixed a total of 36 vulnerabilities (including the three
mentioned above) during the first six months the product was available.
Twenty-three of the vulnerabilities were rated high severity in the NVD.
At the end of the six-month period, three publicly disclosed
vulnerabilities did not yet have a patch available from Microsoft, two
of which (CVE-2002-0189 and CVE-2002-0694) were rated high severity by
NIST. The other was rated low severity.
"So, with respect to its predecessor product, Windows Vista seems to
have a better initial 90 days, with one-third as many vulnerabilities
fixed and with both Windows Vista and Windows XP having only two
high-severity issues outstanding at the end of the six-month period,"
Jones wrote in the report.
The most serious of Vista's unfixed vulnerabilities is that the
operating system implements a Teredo address without user action upon
connection to the Internet. This is a problem Symantec raised in March
about Microsoft's use of the proprietary IP tunneling protocol, used to
transition to IPv6 from IPv4.
The issue with Teredo, according to Symantec's Oliver Friedrichs,
director of emerging technologies for Symantec, based in Cupertino,
Calif., is that many firewalls and intrusion detection systems are not
Teredo-aware. "They're not familiar with the protocol or how to
decapsulate the protocol. That means, for one, when we're talking about
a firewall, Teredo may allow attacks to circumvent or bypass the
firewall," Friedrichs said at the time.
Microsoft is pointing proudly to Vista's security performance,
particularly given that its client is the first to go through its secure
development life-cycle process. That process involves the creation of a
threat model for each new feature, along with vetting by outsider
"From the start, with Windows Vista, we said for any new feature in the
product we're going to first of all start with a threat model," Wilson
said. "Every feature had to have a threat model. When developing you
have to say, What are the things you have to do if a bad guy was going
to exploit [a feature]? Evaluating threat models, that's brand-new in
Microsoft also hired a "significant number" of third-party security
researchers to come onto campus in 2006, Wilson pointed out. They were
given access to source code and told to hammer away at vulnerabilities.
Many of those researchers went on to present findings at the Black Hat
security conference. Also at Black Hat in July 2006, Microsoft gave a
copy of the Vista beta to participants, inviting them to find
"We think the big difference was a hard-core focus on doing the right
thing from an engineering standpoint end-to-end on the product, and
using third-party researchers to look at it," Wilson said.
UAC (User Account Control) is one example of how a feature was changed
in reaction to its threat model. Microsoft painted a scenario where if
the user is running as a standard user and wants to do an administrative
action, he or she will get a prompt to proceed as an administrator.
Early threat models posed the question, What would happen if somebody
spoofed the user into thinking he or she was typing passwords into the
system, but in fact the user was actually giving a third party the
log-in and password?
"We determined that the prompt needed to happen on a secure desktop,
where the code can't run where the user interface is spoofed," Wilson
said. "That's one example of [Microsoft creating] a threat model,
saying, Hey, could somebody spoof that dialogue? The answer was we saw
the potential, so we did a change to the code to make sure that threat
In related news, security blogger Ryan Naraine blogged on June 20 about
Microsoft having silently fixed vulnerabilities in its bulletinswhat he
called "a controversial practice that effectively reduces the number of
publicly documented bug fixes (for those keeping count) and affects
patch management/deployment decisions."
However, Cherry of Directions on Microsoft couldn't get excited about
"I don't understand what the surprise is about. Microsoft is continually
finding things in the code, and they fix them. And so, if nobody's
reported it yet, I don't see the harm in why they have to tell somebody
they're there. And when they get to a service pack, they always have
told us what's in it. [They have] a large list of what fixes are there.
There will always be some that you've never heard a whisper about."
Attend Black Hat USA, July 28-August 2 in Las Vegas,
the world's premier technical event for ICT security
experts. Featuring 30 hands-on training courses and
90 Briefings presentations with lots of new content
and new tools. Network with 4,000 delegates from
70 nations. Visit product displays by 30 top
sponsors in a relaxed setting. Rates increase on
June 1 so register today. http://www.blackhat.com