The CNET Lounge forum

General discussion

BOL 646: Fewer First Year Vulnerabilities in Vista

by commorancy / January 24, 2008 10:44 AM PST

Well, yeah.. how many NEW operating systems are released every year? I don't even consider Vista to be 'new'. It's an updated rehash of XP. So, this statement is a complete misnomer. You need to count all of the XP vulnerabilities that also impact Vista. But, let's ignore this for a few..

Just strictly considering Vista as a 'new' operating system (ahem), how many people adopted it in the first month, six months or 1 year mark? Then, you'll realize exactly WHY it has fewer 'first year' vulnerabilities than any other 'modern' operating system. As far as I know, no other operating system considers a new x.0 release as a 'first year' release in the same way as Microsoft. But, comparing apples to apples, then you should consider the initial release of Fedora 8 and MacOS Leopard in the 'first year' category. As far as I know, Leopard and Fedora 8 should have fewer vulnerabilities than Microsoft.

Alternatively, this says one other thing about Microsoft. If it is, in fact, true that Microsoft has fewer 'first year' documented vulnerabilities than Linux and MacOS Leopard, that could mean that Microsoft is not doing enough to FIND these vulnerabilities where Linux and Apple developers are taking a proactive approach. Then, they fix these issues long before they turn into a vulnerability. So, this statement by Microsoft doesn't necessarily mean good things about Vista.

Further, what does the latter say about Vista, Microsoft and security? Not committed? Not proactive? Don't care about security? I would tend to believe that the Linux and Apple developers are more proactive and committed with regards to finding underlying OS vulnerabilities than Microsoft. This has certainly been true in the past and I continue to believe Microsoft doesn't actively search for bugs until someone ELSE finds them. Only then do they document and fix them. By then, someone has already written an exploit and has likely actively released a worm/trojan/virus to take advantage of it.

I'd take that Microsoft statement with a grain of salt.

--
Brian W.

One more comment
by commorancy / January 24, 2008 10:47 AM PST

Oh, and I forgot to mention.. what about 'second year' or 'third year' vulnerabilities? By this time, the OS has begun taking hold and I'm quite sure that by this time, that MS OS far exceeds vulnerability numbers in any other OS available.

--
Brian W.

MS is known for....
by mementh / January 25, 2008 10:34 AM PST
In reply to: One more comment

MS is known for having bug fixes and not releasing them till it's critical.. remember the Animated cursor bug?

Only time will tell if Vista is more secure... (loosely quoted from Steve Gibson on Security Now)

GRC.com
by n74jw / January 25, 2008 10:41 AM PST
In reply to: MS is known for....

I like the Security Now podcasts, they are very entertaining. Steve just started using Windows XP from 2000. If he was a true security nut why does he use Windows at all? I would not count his opinion as the only one. Do your own homework...

In my experience, Vista is a bit more secure than any of its predecessors.

Boy who cried wolf
by commorancy / January 25, 2008 11:18 AM PST
In reply to: GRC.com

Vista is only a bit more secure because of the constant pestering questions that ask "Are you sure?", "Are you really sure?", "Are you really sincerely and completely secure in your decision that this is the right move?"

I mean, give me a break. Pestering users over and over may get the point across that what they're doing could be insecure and *might* make users think twice. After all, the weakest point in an operating system is typically the user. The OS plays its part, but only after the user has done something to set it off in most cases. Yes, there are external vulnerabilities that take no user interaction, but most of these have been fixed by the firewall. So, most vulnerabilities are because the user has opened or installed an infected application.

Hammering users over and over again with "Are you really really really sure?" type questions, really doesn't make the OS more secure. Eventually, users will either figure out a way to disable them or ignore them simply by clicking yes all the time.

Everyone remember "The Boy Who Cried Wolf"? That's exactly what this is in computer terms. Eventually, people won't care if the question is valid or not, they just want it out of the way so they can get work done. So how exactly does this make Vista more secure? The internals of Vista are likely no more secure than any other OS. Microsoft just wants us to think it is.

Right now Vista is reasonably secure because it's obscure (few people use it). Were it to get wide adoption, I'm quite sure lots of vulnerabilities would be uncovered, probably even in the security system itself.

--
Brian W.

Depends on your point of view
by n74jw / January 26, 2008 3:45 AM PST
In reply to: Boy who cried wolf

Yours is one point of view. If you go into any store which sells computers you will see the dozens of Vista PCs available for sale. I am sure not everyone is downgrading to XP. Vista has market penetration and the bad press is mainly from folks who had a hard time with upgrades and who probably did not do their homework. I did not have much trouble with my Vista upgrades. However, I do not use Windows for my computing tasks and that is mainly because of Windows XP.

Not point of view...
by commorancy / January 26, 2008 9:07 PM PST

"Yours is one point of view. If you go into any store which sells computers you will see the dozens of Vista PCs available for sale."

You have to realize that Microsoft holds the cards. So, Microsoft effectively forces vendors to release PCs with Vista. Stores end up with Vista on the shelves because of the manufacturers. So, people end up buying Vista because that's what comes with the PC, not because of choice. Worse, even if you wanted to downgrade, you can't easily. PC Manufacturers don't always make XP drivers for the machines presently running Vista. Thus, downgrading isn't necessarily an option that the consumer has.

"Vista has market penetration and the bad press is mainly from folks who had a hard time with upgrades and whom probably did not do their homework."

As far as market penetration, Vista hasn't and doesn't have much even a year after release. According to Spambutcher (1), they estimate Vista's penetration at 7.5% of the market as of December (that's not much after a year on sale). Simply because some manufacturers have been selling PCs with Vista doesn't mean that people are buying them. Some people are, yes, but probably out of lack of knowledge rather than anything else. A new computer buyer won't know the difference between a PC loaded with XP or one loaded with Vista. But, someone in the know likely won't go out of their way to get Vista unless there's some required/compelling feature they need... so far I don't know of any features like this on Vista.

Consider that businesses have not wholesale jumped into Vista for many reasons. Businesses account for a huge amount of market penetration. The most common business issues being with drivers, compatibility with corporate applications and the expense of it. For Vista, you can't just run out and buy the upgrade disk and upgrade an XP PC. Because of Vista's graphical features (Aero glass), this requires an accelerated graphics card capable of this feature. However, this glossy gamer friendly look does nothing for businesses. Vista is also benchmarked slower than XP on equivalent hardware. So, XP performs better than Vista. Business users want to read email and use corporate applications. Pretty interfaces don't much matter in this equation. So, it's difficult for a corporate IT manager to justify the added expense of upgrading every employee's desktop simply to accommodate Vista simply because of glitzy-but-useless features.

Combine the constant harassment of security requesters and corporate users will be even less productive than now. Security works as long as it doesn't get in the way of working. Once it gets in your face about it, then it will eventually suffer.

There is really no point-of-view involved in the lack of market penetration. People are speaking with their wallets and not buying Vista. This is why Dell and other PC manufacturers are still offering PCs with XP. When XP was released, W2K stopped shipping almost immediately. XP rolled in and corporate users adopted it fairly rapidly. Yes, corporate users did adopt XP with a bit of skepticism in the beginning, but by the end of a year, corporate managers were already deploying it in much larger numbers than where Vista is today. As I said, there's not really much in the way of point-of-view here. The penetration numbers don't tend to lie.

--Links:
1. http://www.spambutcher.com/spamstuff/index.php?entry=entry080104-070651

--
Brian W.

where to get an upgrade copy of xp?
by mementh / January 27, 2008 7:24 AM PST
In reply to: Not point of view...

where to get an upgrade copy of xp?
that's what i want? that i can upgrade from a copy of Win 2k (been using an OEM version of XP for years)
and i want to continue using xp for a few more years.

XP Upgrade
by commorancy / January 27, 2008 1:41 PM PST

The following web retailers appear to have both Home and Professional listed on sale:

PCConnection:
http://tinyurl.com/398r4w
(At PCC Home edition is 'On Order')

Fry's:
http://tinyurl.com/2pmo55

Tiger Direct:
http://tinyurl.com/3a5xyx

Best Buy:
http://tinyurl.com/2rtmbo

Amazon:
http://tinyurl.com/2u3kza

Circuit City:
http://tinyurl.com/2pxrwt
(looks like Circuit City only has the Professional Edition upgrade)

Home Edition is ~$99
Professional is ~$199.

These are full upgrade box editions and will upgrade you from Win2k to XP. You may also be able to get OEM editions at Fry's and Tiger Direct.

Looks like all of the above web stores carry XP upgrades still, with the exception of those retailers who are out of stock. Microsoft may also not be shipping any more copies of it shortly as it is planned on being discontinued.

Good luck finding a copy although it appears that it is readily available everywhere still.

--
Brian W.

i am a year behind
by mementh / January 25, 2008 2:27 PM PST
In reply to: GRC.com

i am a year behind in the podcasts but steve says his main computer is windows 2k because it's been vetted as being secure.. and so now is xp.. at least as secure as a unix machine would be.

and other than that it's personal preference..

he DOES STATE that VISTA seems to have more security options and possibilities than XP.. so please re-listen to them

Well, yeah...
by n74jw / January 26, 2008 4:35 AM PST
In reply to: i am a year behind

Isn't that what I said?

My point is why does Steve use Windows if he is so security conscious? Steve's own answer is because 'that is where the security vulnerabilities are'. I listen to SN every week, although the last few months have been really tough with the PayPal stuff, the geeky sci-fi items, and the endless self-promotion. It is a free podcast, so I am not complaining. When it becomes unbearable, I just won't listen anymore. There are other, better, security podcasts out there...
