Windows Vista One Year Vulnerability Report

Jan 23, 2008

Having published a Windows Vista vulnerability report after 90-days and six-months, I am sure it will come as no surprise to folks that I have been working on a one year analysis as well.

One year is a much more interesting time frame, and gives us the opportunity to see if the early trend indicators are holding up, or if the early signs of progress were a short-term gain.  Structurally, this report analyzes Windows Vista vulnerabilities and updates in the context of:

  • Windows XP, its predecessor product
  • Latest desktop products available for a full year from Red Hat, Ubuntu and Apple

I want to give you a peek into the report, so I’ll show a few key charts highlighting Windows Vista relative to its predecessor.  To see the results relative to the other industry OS offerings, you’ll need to download the full report.

First, here is the chart showing the full set of vulnerabilities (total disclosures and total fixed) for Windows XP and Windows Vista during the first year of availability after they shipped.

As a new view on the first year of products, I did an analysis of how many days had one or more patches released for the product – I called these days “Patch Events.”  Here is a weekly histogram of the Patch Events in the first year after Windows XP was released.

Windows XP Year One Patch Events Weekly Histogram

In contrast, Windows Vista administrators only dealt with nine patch events during the first year.
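The Patch Event metric described above, as an added example that is not the report's own code or data: each distinct day on which one or more patches shipped counts as one event, and events are binned into the 52 weeks after the product's release date. The release date and patch dates below are constructed sample values.

```python
from datetime import date

# Constructed sample: a hypothetical product released 2007-01-30 with a
# handful of patch releases in its first year (NOT the report's real data).
RELEASE_DATE = date(2007, 1, 30)
PATCH_RELEASES = [
    date(2007, 4, 10), date(2007, 4, 10),  # two patches, same day -> one event
    date(2007, 4, 11),                     # next day -> a second event, same week
    date(2007, 6, 12),
    date(2007, 8, 14), date(2007, 8, 14), date(2007, 8, 14),
    date(2007, 10, 9),
    date(2007, 12, 11),
]


def patch_events(release_dates):
    """Distinct days on which at least one patch shipped, in order."""
    return sorted(set(release_dates))


def weekly_histogram(events, start, weeks=52):
    """Count Patch Events per week for the `weeks` weeks after `start`.

    Week 0 covers the first seven days after release; events falling
    before `start` or after the window are ignored.
    """
    hist = [0] * weeks
    for day in events:
        week = (day - start).days // 7
        if 0 <= week < weeks:
            hist[week] += 1
    return hist


def summarize(release_dates, start):
    """Return (patch count, Patch Event count, weeks with any event)."""
    events = patch_events(release_dates)
    hist = weekly_histogram(events, start)
    return len(release_dates), len(events), sum(1 for n in hist if n)


if __name__ == "__main__":
    patches, events, active_weeks = summarize(PATCH_RELEASES, RELEASE_DATE)
    print(f"{patches} patches -> {events} Patch Events over {active_weeks} weeks")
```

The gap between patch count and Patch Event count is the point of the metric: an administrator's workload is driven by how many days require a patch cycle, not by how many individual fixes were bundled into each of those days.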

The results of the analysis show that Windows Vista continues to show a trend of fewer vulnerabilities at the one year mark compared to its predecessor product Windows XP (which did not benefit from the SDL, the Security Development Lifecycle).  If you are interested in how it did compared with Red Hat, Ubuntu and Apple Mac OS X, you’ll need to download the full report.

If you share the opinion that Windows and applications ported to Windows get a higher level of researcher scrutiny than other OSes, then the 6-month results are even more positive.  If you don’t share that opinion, then they still stand on their own …

Read, Enjoy, Forward.

Best regards ~ Jeff

Full Disclosure:  I work for Microsoft – read my thoughts on how that affects my analysis in “Exactly how biased am I?”.

Jeff Jones is a 24-year security industry professional who has spent the last several years at Microsoft helping drive security and privacy progress as part of the Trustworthy Computing group. In this role, Jeff draws upon his security experience to work with enterprise CSOs and Microsoft's internal security teams to drive practical and measurable security improvements into Microsoft processes and products. Prior to Microsoft, Jeff was the vice president of product management for security products at Network Associates, where his responsibilities included the PGP, Gauntlet and CyberCop products, and several improvements in the McAfee product line. These latest positions cap a career focused on security, managing risk, building custom firewalls and being involved in DARPA security research projects while part of Trusted Information Systems. Jeff is a frequent global speaker and writer on security topics ranging from the very technical to more high-level, CxO-focused topics such as security TCO and metrics. Jeff is also a contributor to the Microsoft Security Blog ( and writes on a wide range of personal interests (e.g. books, poker, gaming) at