Quick Thought on Windows Vista Security

I just re-read this blog post on Vista security as it was linked from the Vista SP1 RTM announcement and had a thought….

  • Internet Geeks: Linux and mac are so much more secure than windows! Look at how few vulnerabilities there are for them!
  • Microsoft and Friends: Those OSs only have a few percent of the market share, so they aren’t targeted hardly as much, so of course there are less! Our OS is dominant so it’s a much bigger target you silly little linux nerds!

And now with Vista….

  • Microsoft and Friends: Vista is so much more secure than XP! Look at how few vulnerabilities there are for it!
  • Internet Geeks: […]

So should the Linux geeks' response to the security in Vista be the same as it was from Microsoft about market share? A lot of the tech news and podcasts I read and listen to note that Vista doesn’t seem to have the market penetration that it should have (a few of the TWiT podcasts have pointed out that the number of Vista users doesn’t match anywhere near what it should compared to the number of new computers produced).

Anyway, just a thought….

3 Comments on “Quick Thought on Windows Vista Security”

  1. (This started as a quick 2 line response and morphed into a 20 minute essay. Sorry 🙂 )
    I bought a new laptop recently. I had no choice but to get Vista with it. I booted it once and used it to download and burn an Ubuntu ISO and then zapped it. The Vista disc went straight into the trash.
    I think the ‘Vista has more market share and is therefore a bigger target’ argument still holds some water, because even if it’s not getting the traction they’d like, it’s going to eventually, so it will be targeted with the same ferocity as previous Windows releases.
    However, I truly believe that the transparency of the OSS world is a better security model. Microsoft has exploits it’s known about for years but hasn’t fixed. That could never happen in the OSS world. I don’t believe the code is inherently any more secure because it’s open (really, who actually spends time auditing someone else’s code for security holes?), but the openness enforces a level of responsibility which you simply don’t get from Microsoft.
    Linux also has had built in privilege separation from the get go, so it’s much harder to attack from user space in the ways that Microsoft’s products are. This isn’t even fixed in Vista, because all that happens is that users get used to clicking ‘ok’ to an annoying dialog every 10 minutes and then eventually disable the functionality. This all adds up to Vista being a far easier target because of it being defective by design[TM].
    I’m not sure where I’m going with this. I’m fairly certain that we’ll never get rid of Windows, and I’m fairly certain we’ll never “solve” the security problem, so at some point, Linux is going to be the target of a high profile attack. I don’t think it has happened yet, but when it does, it will be interesting to see how quickly the issue is contained, because that’s really the biggest concern. Holes are going to be found and exploited in any OS, no matter what you do. At some point, the difference in vulnerability levels will equalize and all that’s left is to see whose model works better.
    My money is on the OSS solution.

  2. nod
    Though as a recent receiver of a macbook pro via work I must say I’m really in love with the mac world again 🙂 However yea, OSS FTW. Regarding the ‘Vista has more market share and is therefore a bigger target’ argument, my point was that it doesn’t have a bigger market share (according to what I’ve read) and therefore isn’t a bigger target and therefore has less security holes… but that minor detail is left out when touting how great it is compared to other OSs. Not sure if I was clear or that I’m just mis-reading what you replied 🙂 I’ll have to re-read what I wrote 🙂
    Thanks for the essay.. nice to know I have at least 2 readers 🙂

  3. My point was, despite the low adoption rate, the argument still holds water because let’s face it, people are going to upgrade eventually. It’s still going to be the number one desktop OS, used by the most gullible people (i.e., the ones who are going to click emails to malware in their email).
    Part of the other reason could be a knock on effect of that.. People looking for exploits aren’t going to target open source when they know any exploit made public will be shut down in a matter of hours, rather than months, so it’s not worth the effort.
    I guess another way to think about it is.. if the same level of effort was focused on Linux (or other OSS products), would we see the same volume and severity of issues found? My guess is not.. but it’s impossible to say for certain because of the differences in user base size and experience.. Until Joe average is using Linux in large volumes, we won’t know for sure..