Jeff Jones, a Strategy Director in the Microsoft Security Technology Unit, has just released a Vista one-year vulnerability report. According to the report, Vista had fewer security vulnerabilities that needed to be fixed in its first year. Microsoft released 17 security bulletins and patches affecting Vista versus 30 for XP in the first year, fixing 36 vulnerabilities in Vista versus 65 in XP; 30 vulnerabilities in Vista remain unpatched compared to 54 for XP.
Jones cautions, though:

Is there anything in this analysis which will prove one piece of software is ‘more secure’ than another? No, that is not my intention…This report is a vulnerability analysis, which may provide some elements that could be part of a broader security analysis.

Fewer vulnerabilities,

make it easier to manage risk…All other things being equal, fewer patches mean more time to spend on other security projects to reduce risk.

Also in the report, Jones notes that there were 360 vulnerabilities fixed in Red Hat rhel4ws (reduced), 224 in Ubuntu 6.06 LTS (reduced) and 116 in Mac OS X 10.4.

According to Dark Reading, interviewing Rich Mogull, founder of Securosis LLC:

It proves that it [Vista] is quantitatively more secure, but not that it’s quantitatively less risky — what I call security versus safety. IT managers need to know the overall risk assessment, which includes that data as well as other information sources.

I’m even more skeptical than that, though: just because Vista is more secure out of the box doesn’t mean that it’s more secure over time. Maybe after time it will be, but for now I’m still going to continue to push for the saving of Windows XP.
