Correcting the Rhetoric: Windows Vista Is Secure
Windows Vista has come under fire for not being as secure as some would like. At the same time, Vista security can be
enhanced when IT managers simply force employees to run as users with limited
rights. Doing so effectively creates a situation where the employee can only
engage in business activities and cannot perform the kind of actions (such as
installing applications) that put data at risk.
Whenever operating system security is
discussed, it seems Windows takes the brunt of the criticism. Critics
(and even some supporters) say the operating system is insecure. They
claim it causes issues for the enterprise that reduce its ability to keep
mission-critical data out of the hands of malicious individuals.
There's no debating that Windows isn't as secure as it could be. But then
again, the only operating system that doesn't need to be more secure is one
that isn't prone to any vulnerabilities. That operating system doesn't
exist.
But just how insecure is Windows? If you believe the Microsoft haters,
Windows (and especially Vista) is exceedingly insecure. It's a nightmare.
Here's the reality: it's not. Can Vista be more secure? Of
course. But you know what? So
can Linux and Mac OS X. And as long as a company has Windows Vista
installed, it won't need to worry about security as much as the detractors
claim.
Windows Vista is just fine for the business world.
Security reports
When it comes time to evaluate just how secure Windows really is, it's best
to start with the security documents that provide (hopefully) objective data
about the state of security in the Windows ecosystem. If Microsoft and
security experts can be believed, Vista is doing better than the most ardent
Microsoft haters want to admit.
According to Microsoft in its latest Security Intelligence
Report, which covered the last half of 2008, Vista has performed relatively
well. During the period, the IT industry was affected by fewer
vulnerabilities. Microsoft claims the total number of vulnerabilities
during the period decreased by 3 percent compared to the first half of
2008. Vulnerabilities declined by 12 percent compared to 2007. The
total number of High Severity vulnerabilities was down 16 percent from 2007.
Buried in the Security Intelligence Report was an interesting fact that most IT
managers would probably like to know: "more than 90 percent of
vulnerabilities disclosed affected applications or browsers." Just
8.8 percent of all vulnerabilities affected operating systems, 4.5 percent
affected browsers, and 86.7 percent affected applications. In other
words, it wasn't necessarily Vista that was the problem.
Because Microsoft has a vested interest in making itself look good, it's
difficult to believe everything it reports. But when a trusted security
source, PC Tools, reported recently that Vista is more secure than any other
Windows operating system on the market, it should have put the industry on
notice.
The security firm counted 639 unique threats (malicious code that
penetrated security software in the OS) per 1,000 machines running Vista
over a six-month period. XP suffered from 1,021 unique threats per 1,000
machines in the same period.
Late last year, Alexander Sotirov, a
security expert at VMware, wrote that Vista is vulnerable to an attack, such as
one using the ANI cursor vulnerability, in which the victim has been duped
into running malicious code on their
computer. The operating system has memory protection features that make
it more difficult for malicious hackers to run that code on Vista computers,
but it's still not perfect. At first glance, that might seem like an
indictment of Vista. But Sotirov said in an interview with ZDNet's Ed Bott
that "in XP, a lot of those protections we're bypassing don't even exist.
XP is even less secure than Vista in this respect...Vista is still very good [emphasis
added] at preventing vulnerabilities."
But it goes beyond studies.