Windows Vista Security One Year Later
Hi, Austin Wilson here. Now that Windows Vista has been available to business customers for more than a year, it’s a good time to go back and look at how it’s holding up from a security perspective. I think that it’s fair to say that Windows Vista is proving to be the most secure version of the Windows to date. Our investments in the SDL and our defense in depth approach to building Windows Vista seem to be paying off. Let’s take a look at some areas that we’ve made progress in: the impact of defense-in-depth; Internet Explorer 7’s protection of personal information; vulnerabilities and infections; and cost savings.
First, let’s look at the impact of defense-in-depth features like User Account Control and Internet Explorer Protected Mode. These features have helped reduce both the risk and severity of security bulletins, giving enterprises more time to deploy patches:
• Running as standard user, which is the recommended configuration and made easier in Windows Vista thanks to User Account Control, helps reduce the impact of any particular vulnerability. Of the 23 security bulletins that have been released for Windows Vista through January 2008, 12 specifically call out a lower impact for those running without administrative privileges: MS07-033, 034, 040, 042, 045, 047, 048, 050, 057, 064, 068, and 069. This is a great illustration of the importance of User Account Control and why we included it in the product. It’s also the reason I personally run as a standard user on every machine I use.
• Because of IE Protected Mode, theMS07-056bulletin from October ’07 was ratedimportant on Windows Vista and critical on Windows XP. The bulletin rating helps organizations determine the urgency with which they need to deploy the update. Fewer critical updates help organizations maintain regular processes around patch management.
Internet Explorer 7, which is the default browser in Windows Vista, also helps protect the personal information of end users. We’re seeing almost 1 million phishing attempts blocked per week, representing a large number of potential cases of identity theft or credit card fraud that were stopped. In addition, there are over 3500 sites with Extended Validation SSL Certificates (EV SSL) representing an improved level of authentication for securing transactions on these sites. Internet Explorer 7 is the first browser to fully support EV SSL. It turns the address bar green for EV SSL sites and notifies users about the available identity information so they can make better trust decisions when entering sensitive personal information while online.
Next, let’s look at patch events, vulnerabilities and infections. We’re showing steady positive progress in this area. When looking at Windows Vista compared to Windows XP, we’ve seen:
• An important metric for IT professionals is the concept of patch events, which is discussed in the One Year Vulnerability Report released today by Microsoft’s Jeff Jones. During Windows XP’s first year, updates were released on 26 separate days. Through a combination of the move to a predictable monthly release schedule, and decreased vulnerabilities, Windows Vista had updates released on just nine days in its first year. To the average security professional, this is one of the most relevant metrics: how many times did I have to activate my internal patch management process due to vendor update releases over the course of a year? Nine times is much more attractive, and cost effective, than 26 times. Jeff Jones’ one year report goes into this in area in more detail, and the graph below from his report shows the patch events during the first year of Windows Vista and Windows XP:
• Fewer vulnerabilities:Also from the One Year Vulnerability Report, we see that Windows Vista in its first year had significantly fewer fixed and unfixed vulnerabilities than Windows XP in its first year: 36 fixed/30 unfixed for Windows Vista vs. 68 fixed/54 unfixed for Windows XP. The chart below gives you an idea of the progress we’ve made:
• Fewer months with updates: Building on the concept of patch events, since Windows Vista was released, there were three months in which Windows XP had updates and Windows Vista did not (December ’06, January ’07, and November ’07). This means that an organization running all Windows Vista clients would have had three months in which they wouldn’t have had to deploy an OS update to their clients at all.
Fewer infections: From January – June 2007, there were 60% fewer malware infections and 2.8 times less potentially unwanted software on Windows Vista than on Windows XP SP2, according to the Microsoft Security Intelligence Reportfrom 10/07. This illustrates how the defense in depth features built in to Windows Vista help prevent machines from getting infected by malicious and potentially unwanted software.
Finally, what does Windows Vista do to help organizations reduce costs? A recent Microsoft commissioned report from GCR on cost savings for mobile PCs shows $251/machine per year in cost savings for Windows Vista, of which $55/machine per year was attributed to security and data protection features such as User Account Control and BitLocker Drive Encryption.
We’ve said it before, but it bears repeating: our job with security is never finished. But, the focus we put on engineering for security, the backing of the world-class security response process delivered by the Microsoft Security Response Center, and the defense in depth approach of Windows Vista are showing real-world benefits for customers and that’ something I take pride in.
- Austin
Comments
Anonymous
January 23, 2008
A vaguely interesting study which basically shows that MS is taking security more seriously and their product released in 2007 is better than the product they released 5 years ago was back then. No surprises there. What I guess is suggested but not actually proven is that Vista is more secure to deploy right now and I doubt there's much difference. What I would like to see would be a similar comparison between XP SP2 and Vista in the last 12 months. As an IT Manager, on new machines I have the choice to deploy: a) Fully patched Windows XP SP2 b) Fully patched Windows Vista Only an idiot would deploy a non-patched or partially patched version of either. So of more relevance to me is how the two products performed over the last 12 months. Without trawling through the security bulletins, my gut feel suggests there is only a VERY small number of items that affected XP SP2 but not Vista. Cheers RodAnonymous
January 23, 2008
Windows is there with stability and security, now it needs to improve upon PERFORMANCE. Good job getting the other two down, but I want to see some insane leadership in performance.Anonymous
January 23, 2008
Microsoft's Jeff Jones released the 1 year vulnerability report for Windows Vista. This paper analyzesAnonymous
January 23, 2008
It would make sense to compare Vista only to XPSP2.Anonymous
January 23, 2008
No accually it's best to compare Vista RTM to it predecessor based, Windows Server 2003 SP1.Anonymous
January 24, 2008
This all means very little to the guy who got stuck with on a new purchase.Anonymous
January 24, 2008
Sounds pretty much like: we from brand X advise you to use... brand X! :) Let's face it: if Vista had proven to be as easily corruptable as ME, or had contained as many leaks as XP, the designers would not have done a very good job. If they have doen a good job is up for debate, but from a security point of view, appearantly they have. So should they be commended for doing their job? Hmmm. My boss doesn't run into my office every day to tell me what a good job I'm doing, and frankly, I'd shoot him after the third time he'd walk in blowing my horn... :) So why this "claim to fame" for Vista? Guess it's only because the sales of Vista aren't what they were expected to be, and could use a boost...Anonymous
January 24, 2008
The new OS has benefited significantly from its expanded security features and the stronger code base developed via Microsoft's SDL program, the company claims.Anonymous
January 24, 2008
Interesting to see that you need to explain why Vista is so good, but that it doesn't speak for itself. Vista should really be able t sell itself, but i hear hardly any positive remarks, except from people who work at Microsoft. GM's Bob Lutz once saidsomething like this: If the development team constantly needs to tell customers what an outstanding job they did, they fail to deliver the most important thing: the feeling that you really want this product on sight. What most people want is an OS that needs no attention from the user, but manages to amaze you in unexpected things, like being user friendly, fast and stability. It should be faster than its predecessor, further optimized. You people accomplished almost none of the above, so i had no choice but switching to something else.Anonymous
January 24, 2008
http://www.informationweek.com/news/showArticle.jhtml?articleID=205917444&subSection=NewsA new reportAnonymous
January 24, 2008
It's great that they are finally taking security seriously. But who cares if the product doesn't function well or is difficult to use or isn't compatible with much of the common software users want? I mean, what good is security on a bloated product that doesn't allow users to do the simple things they need and want to do? Missed the point again Microsoft. Many of us in the technology profession are rolling back to XP Service Pack 3 when it comes out. Be greatful we don't ditch Microsoft all together for the better options out there (MAC OS, Unbuntu, etc.)Anonymous
January 24, 2008
On January 23, Jeff Jones, Director of Security at Microsoft, published his "One Year VulnerabilityAnonymous
January 24, 2008
The comment has been removedAnonymous
January 25, 2008
Ok............ One: this means what when i build a computer for it ill need at least 4GB ram to even run some what fast? and what is up with the 10+ times more HD needed then XP? Two: HACKERS, they are now getting involved with Vista. They wont touch nothing less then 15% of the over all market (my guess) so MS get ready. Hopefully a very big disappointment and every one goes back to XP as i SHALE NOT BUY A COPY OF VISTA EVER. Not even when SP1 comes out -.- Three: I would buy a MAC before i ever buy vista and MACs have like the most critical errors then windows does a month..... Get the point?Anonymous
January 25, 2008
The comment has been removedAnonymous
January 25, 2008
The comment has been removedAnonymous
January 25, 2008
That Windows Vista van Microsof is safe is not true. Linux is much safer and its free.Anonymous
January 25, 2008
Anyone who moans and groans about Vista and claims they can get the benefits of an MS based OS for free is a "fools fool". Take a look at what Microsoft offers as a whole for the developer that no other single company comes remotely close to. The ability to develop and deploy powerful applications for the vast majority of customers worldwide using development tools that can be downloaded for free and to develop extremely powerful web based applications leveraging free MS technologies like, .Net 2.0, .Net 3.0 WCF/WPF/WWF and now .Net 3.5. I dont believe MS should be congratulated as they are only delivering what has been paid for by their customers in the first instance.Anonymous
January 28, 2008
The comment has been removedAnonymous
February 04, 2008
A flurry of emails this afternoon confirms that Windows Vista Service Pack 1 has been released (or atAnonymous
February 04, 2008
The comment has been removedAnonymous
February 05, 2008
The comment has been removedAnonymous
February 06, 2008
The comment has been removedAnonymous
February 08, 2008
The comment has been removedAnonymous
February 13, 2008
I have no trubbles with the system Windows Vista. Don van OutheusdenAnonymous
February 17, 2008
The comment has been removedAnonymous
February 17, 2008
The comment has been removedAnonymous
February 18, 2008
Good Job to Microsoft on security in Vista, I use Vista daily and find it trouble free, it's fast, programs/games work, it's stable and I have never had a security issue in 8 months of use. For some reason, people tend to posts when they have problems not when everything works, I guess they are too busy working/playing games. And to the people who complained about memory usage, it's called 'caching' aka superfetch, it's supposed to use your memory, so things load faster. Also, 4GBs of ram cost about as much as 512MB of Ram did when XP was released, so don't know what you are complaining about.Anonymous
February 19, 2008
The comment has been removedAnonymous
February 19, 2008
Thanks very much for your reply DiamondGeo, but the 'Cleanse Uninstaller' isnt reporting any bits of antivira left on my laptop. Sorry but ive no idea how to do it manually, and i dont know what regedit means. I dont know much about computers, hence me downloading antivira in the first place i guess! Any other ideas? Thanks again for your help GillianAnonymous
March 04, 2008
I enjoyed the above reading. Ive been trying 2 find out about the SP1 for Vista. I hear it's been recalled do 2 alot of people having issues with it once they install SP1. It seems their PC's keep re-booting. Can you tell me if my info. is correct about SP1, has it been recalled and/or R people having problems since they downloaded SP1. Also where can I go 2 to see the differance in Vista Ultimate and Rremium. I am running Vista Premium but was thing of up-grading to Ultimate, but I want 2 see the benifits in Ultimate first. Well thank U again the info. above. It was very interesting. GeneAnonymous
March 04, 2008
The comment has been removedAnonymous
March 16, 2008
老人ホーム、<a href="http://www.joy-es.com/">不動産担保ローン</a>シニア住宅などの日本最大級の情報を誇る検索サイト。<a href="http://www.oasisnavi.com/">老人ホーム</a>検索サイト「オアシスナビ」はあなたに最適な老人ホームやシニア住宅探しをお手伝いいたします。Anonymous
May 14, 2008
The biggest problem Vista faces is the same one that the Zune faces: It doesn't matter how good it is, people will still be against it because it's Microsoft. Microsoft have done a brilliant job in the past 18 years in destroying consumer confidence and creating an image of themselves of an evil corporate empire. It doesn't help that if you followed the Anti-Trust case that Microsoft essentially DID act like an evil corporate empire during that trial, either. Reading many people's comments here, it's clear they skim read the article and came to the same old conclusion: Vista = MS = BAD! Regardless, I hope it's not too demoralising for the hard-working technicians at MS. Vista is definitely an improvement over XP in terms of stability and reliability. I hope that SP1 improves some of the performance issues, too.Anonymous
May 15, 2008
The comment has been removedAnonymous
June 04, 2008
Wow, nice post. I didn't realize how much better Vista has gotten, but I still don't like it!Anonymous
June 20, 2008
The comment has been removedAnonymous
June 20, 2008
The comment has been removedAnonymous
August 09, 2008
Please address the BlackHat report asapAnonymous
August 11, 2008
Vista Wallpapers.. http://www.vista-wallpaper.org http://www.windows-vista-wallpapers.comAnonymous
September 04, 2008
The comment has been removedAnonymous
October 03, 2008
<a href='http://melodyfulford.isuisse.com/mlb-players-contract.html'>mlb players contract</a> <a href="http://melodyfulford.isuisse.com/mlb-players-contract.html">2006 contract mlb player</a> [link=http://melodyfulford.isuisse.com/mlb-players-contract.html]mlb players contract[/link]Anonymous
October 05, 2008
<a href='http://lizziesilverber.iespana.es/comment-970.htm'>electrical entertainment licence testing</a> <a href="http://lizziesilverber.iespana.es/comment-970.htm">electrical entertainment licence testing</a> [link=http://lizziesilverber.iespana.es/comment-970.htm]electrical entertainment licence testing[/link]Anonymous
October 07, 2008
local movie theater [URL=http://carlineblack.rihost.us/comment-677.htm]local movie showtimes[/URL] [url=http://carlineblack.rihost.us/comment-677.htm]local movie theater listing[/url] [url]http://carlineblack.rihost.us/comment-677.htm[/url]