One year is a much more interesting time frame, and gives us the opportunity to see if the early trend indicators are holding up, or if the early signs of progress were a short-term gain. Structurally, this report analyzes Windows Vista vulnerabilities and updates in the context of:
- Windows XP, its predecessor product
- Latest desktop products available for a full year from Red Hat, Ubuntu and Apple
I want to give you a peek into the report, so I'll show a few key charts highlighting WIndows Vista relative to its predecessor. To see the results relative to the other industry OS offerings, you'll need to download the full report.
First, here is the chart showing the full set of vulnerabilities (total disclosures and total fixed) for WIndows XP and Windows Vista during the first year of availability after they shipped.
As a new view on the first year of products, I did analysis of how many days had one or more patches released for the product - I called these days "Patch Events." Here is a weekly histogram for the Patch Events the first year after Windows XP was released.
In contrast, Windows Vista administrators only dealt with nine patch events during the first year.
The results of the analysis show that Windows Vista continues to show a trend of fewer vulnerabilities at the one year mark compared to its predecessor product Windows XP (which did not benefit from the SDL). If you are interested in how it did compared with Red Hat, Ubuntu and Apple Mac OS X, you'll need to download the full report.
If you share the opinion that Windows and applications ported to Windows get a higher level of researcher scrutiny than other OSes, then the 6-month results are even more positive. If you don't share that opinion, then they still stand on their own ...
Read, Enjoy, Forward.
Best regards ~ Jeff
Full Disclosure: I work for Microsoft - read my thoughts on how that affects my analysis in Exactly how biased am I?.