Jeff Jones, Security Strategy Director in Microsoft's Trustworthy Computing group, published a report on Thursday claiming that in the first six months of Vista's life cycle fewer serious security vulnerabilities were found in Microsoft's newest OS than in Windows XP, in all major enterprise Linux distributions, and in Apple's Mac OS X over the same period.
According to Jones, Microsoft patched 12 of the 27 Vista vulnerabilities disclosed in the first six months after its public release. By comparison, Microsoft's security team patched 36 of 39 known bugs in Windows XP during its first six months, while over the same span of their own life cycles Ubuntu 6.06 LTS had 63 of 74 bugs fixed and Apple's Mac OS X 60 of 76. The report cites other popular Linux distributions as well.
Of course, you should know better than to blindly believe Microsoft's claims about the security of its own OS. Critics argue that this method of counting and comparing vulnerabilities across Windows, Linux, and Mac OS X is not the best metric:
"This is an apples-to-oranges comparison," said HD Moore, one of the hackers behind the popular Metasploit penetration testing toolkit. "If you want a more accurate view, try comparing the number of flaws between Microsoft-developed software and vendor-X-developed software. Most Linux vendors don't actually write the majority of the packages they include," he said via e-mail.
"Alternatively, force Microsoft to include all vulnerabilities in common third-party software," he added. "For example, the thousands of exploitable ActiveX controls that... vendors include with a Windows system."
Microsoft may well have stepped up its security practices with its software development methodology, the Security Development Lifecycle (SDL). Still, it will be interesting to revisit the vulnerability statistics once Vista is more widely adopted and becomes a target for hackers worldwide.