More on Operating System Security

Is Windows insecure by design?

In the Security Intelligence Report (SIR), volume 6, Microsoft looks at security vulnerability disclosures. Vulnerabilities are weaknesses in software that allow an attacker to compromise the integrity, availability, or confidentiality of that software. Some of the worst vulnerabilities allow attackers to run arbitrary code on the compromised system.

A disclosure, as the term is used in the report, is the revelation of the existence of a vulnerability to the public at large. It does not refer to any sort of private disclosure or disclosure to a limited number of people.

[image: industry-wide vulnerability disclosures, Microsoft vs. non-Microsoft]

At that scale the trend is hard to see, so here is the same chart with the non-Microsoft disclosures removed:

[image: Microsoft vulnerability disclosures only]

Overall, Microsoft's vulnerability disclosures are a fairly small slice of the market as a whole, averaging about 5% of the industry total over the past few years. Raw disclosure counts are a blunt instrument, though: they depend on how many products a vendor ships and how closely its code is scrutinized, so a vendor's share says more about volume than about the quality of any single product.

Furthermore, newer versions of Windows are much less prone to exploitation than older versions. This makes sense: Windows XP shipped years before the MSRT (Malicious Software Removal Tool) and Microsoft Update existed.

[image: top 10 vulnerabilities exploited on Windows XP]

On Windows XP, Microsoft vulnerabilities account for 6 of the top 10. Compare this to Windows Vista:

[image: top 10 vulnerabilities exploited on Windows Vista]

On Windows Vista, Microsoft vulnerabilities account for none of the top 10. The security work Microsoft has put in has clearly started to pay off. Finally, what kinds of vulnerabilities are Microsoft's? The SIR doesn't break them down by vendor, but it does give the industry-wide breakdown by type:

[image: industry-wide vulnerability breakdown by type]

The operating system has its share of vulnerabilities, but it certainly isn't the lion's share of the problem.

So, is Windows insecure by design? It may have been true at one point (though the term "by design" is certainly ridiculous), but Microsoft has made very large strides in recent years to fix these problems. The writer who made the original comments is working from an outdated perception and needs to keep up with industry trends. Certainly, Windows isn't perfect, but it is much better than it was.