Windows Vista Security One Year Later

Hi, Austin Wilson here. Now that Windows Vista has been available to business customers for more than a year, it’s a good time to go back and look at how it’s holding up from a security perspective. I think that it’s fair to say that Windows Vista is proving to be the most secure version of Windows to date. Our investments in the SDL and our defense-in-depth approach to building Windows Vista seem to be paying off. Let’s take a look at some areas in which we’ve made progress: the impact of defense in depth; Internet Explorer 7’s protection of personal information; patch events, vulnerabilities and infections; and cost savings.

First, let’s look at the impact of defense-in-depth features like User Account Control and Internet Explorer Protected Mode. These features have helped reduce both the risk and severity of security bulletins, giving enterprises more time to deploy patches:

Running as standard user, which is the recommended configuration and made easier in Windows Vista thanks to User Account Control, helps reduce the impact of any particular vulnerability. Of the 23 security bulletins that have been released for Windows Vista through January 2008, 12 specifically call out a lower impact for those running without administrative privileges: MS07-033, 034, 040, 042, 045, 047, 048, 050, 057, 064, 068, and 069. This is a great illustration of the importance of User Account Control and why we included it in the product. It’s also the reason I personally run as a standard user on every machine I use.

Because of IE Protected Mode, the MS07-056 bulletin from October ’07 was rated Important on Windows Vista and Critical on Windows XP. The bulletin rating helps organizations determine the urgency with which they need to deploy the update, and fewer Critical updates let organizations stay within their regular patch-management processes rather than triggering out-of-band deployments.
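Both of the mitigations above (running as a standard user under UAC, and IE Protected Mode for the Internet zone) only help if they are actually in effect on the machine. The following PowerShell script is an added example, not code from the original post or from Microsoft; it reports which kind of token the current session holds and whether Protected Mode is on for the Internet zone. It assumes the standard IE zone registry layout (value `2500` under `Zones\3`, where `0` means enabled and `3` means disabled) and that the `Get-TokenState` and `Get-IEProtectedMode` function names are our own.

```powershell
# Added example (not from the original post). Reports (1) whether this session
# runs as a standard user, as an administrator with a UAC-filtered token, or
# fully elevated, and (2) whether IE Protected Mode is on for a given zone.
# Assumption: IE zone value 2500 = "Turn on Protected Mode" (0 = on, 3 = off).

function Get-TokenState {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $adminSid  = New-Object Security.Principal.SecurityIdentifier(
        [Security.Principal.WellKnownSidType]::BuiltinAdministratorsSid, $null)

    # IsInRole honours UAC token filtering: it is true only when the process
    # holds the full (elevated) administrator token.
    $elevated = $principal.IsInRole($adminSid)

    # A UAC-filtered token still lists BUILTIN\Administrators in its groups
    # (flagged deny-only), so its presence tells us the account is an admin
    # even when IsInRole says we are not currently elevated.
    $adminAccount = $identity.Groups -contains $adminSid

    if ($elevated)         { 'Elevated (full administrator token)' }
    elseif ($adminAccount) { 'Administrator account running with a UAC-filtered token' }
    else                   { 'Standard user' }
}

function Get-IEProtectedMode {
    param([int]$Zone = 3)   # 3 = Internet zone, 4 = Restricted sites
    $key   = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\$Zone"
    $props = Get-ItemProperty -Path $key -Name '2500' -ErrorAction SilentlyContinue
    $value = if ($props) { $props.'2500' } else { $null }

    switch ($value) {
        0       { 'Enabled' }
        3       { 'Disabled' }
        default { 'Not set in HKCU (zone default or Group Policy applies)' }
    }
}

"Token state:              {0}" -f (Get-TokenState)
"Protected Mode (Internet): {0}" -f (Get-IEProtectedMode -Zone 3)
```

Two caveats when reading the output: Protected Mode depends on UAC being enabled, so a machine with UAC turned off reports a Protected Mode value that is not actually enforced; and a Group Policy setting under `HKLM\...\Policies` for the same zone takes precedence over the per-user value this script reads, so a "Disabled" here is not final until the policy keys are checked too.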

Internet Explorer 7, which is the default browser in Windows Vista, also helps protect the personal information of end users. We’re seeing almost 1 million phishing attempts blocked per week, representing a large number of potential cases of identity theft or credit card fraud that were stopped. In addition, there are over 3500 sites with Extended Validation SSL Certificates (EV SSL) representing an improved level of authentication for securing transactions on these sites. Internet Explorer 7 is the first browser to fully support EV SSL. It turns the address bar green for EV SSL sites and notifies users about the available identity information so they can make better trust decisions when entering sensitive personal information while online.

Next, let’s look at patch events, vulnerabilities and infections. We’re showing steady positive progress in this area. When looking at Windows Vista compared to Windows XP, we’ve seen:

Fewer patch events: An important metric for IT professionals is the concept of patch events, which is discussed in the One Year Vulnerability Report released today by Microsoft’s Jeff Jones. During Windows XP’s first year, updates were released on 26 separate days. Through a combination of the move to a predictable monthly release schedule and decreased vulnerabilities, Windows Vista had updates released on just nine days in its first year. To the average security professional, this is one of the most relevant metrics: how many times did I have to activate my internal patch management process due to vendor update releases over the course of a year? Nine times is much more attractive, and cost effective, than 26 times. Jeff Jones’ one year report goes into this area in more detail, and the graph below from his report shows the patch events during the first year of Windows Vista and Windows XP:

[Chart: Patch Events during the first year of Windows Vista and Windows XP]


Fewer vulnerabilities: Also from the One Year Vulnerability Report, we see that Windows Vista in its first year had significantly fewer fixed and unfixed vulnerabilities than Windows XP in its first year: 36 fixed/30 unfixed for Windows Vista vs. 68 fixed/54 unfixed for Windows XP. The chart below gives you an idea of the progress we’ve made:

[Chart: First Year fixed and unfixed vulnerabilities, Windows Vista vs. Windows XP]

Fewer months with updates: Building on the concept of patch events, since Windows Vista was released, there were three months in which Windows XP had updates and Windows Vista did not (December ’06, January ’07, and November ’07). This means that an organization running all Windows Vista clients would have had three months in which they wouldn’t have had to deploy an OS update to their clients at all.

Fewer infections: From January through June 2007, there were 60% fewer malware infections on Windows Vista than on Windows XP SP2, and potentially unwanted software was found 2.8 times less often, according to the Microsoft Security Intelligence Report from October 2007. This illustrates how the defense-in-depth features built into Windows Vista help prevent machines from getting infected by malicious and potentially unwanted software.

Finally, what does Windows Vista do to help organizations reduce costs? A recent Microsoft-commissioned report from GCR on cost savings for mobile PCs shows $251/machine per year in cost savings for Windows Vista, of which $55/machine per year was attributed to security and data protection features such as User Account Control and BitLocker Drive Encryption.

We’ve said it before, but it bears repeating: our job with security is never finished. But the focus we put on engineering for security, the backing of the world-class security response process delivered by the Microsoft Security Response Center, and the defense-in-depth approach of Windows Vista are showing real-world benefits for customers, and that’s something I take pride in.

- Austin