Windows Vista Security One Year Later

Hi, Austin Wilson here. Now that Windows Vista has been available to business customers for more than a year, it’s a good time to go back and look at how it’s holding up from a security perspective. I think it’s fair to say that Windows Vista is proving to be the most secure version of Windows to date. Our investments in the SDL and our defense-in-depth approach to building Windows Vista seem to be paying off. Let’s take a look at some areas where we’ve made progress: the impact of defense-in-depth; Internet Explorer 7’s protection of personal information; vulnerabilities and infections; and cost savings.

First, let’s look at the impact of defense-in-depth features like User Account Control and Internet Explorer Protected Mode.  These features have helped reduce both the risk and severity of security bulletins, giving enterprises more time to deploy patches:

Running as a standard user, which is the recommended configuration and is made easier in Windows Vista thanks to User Account Control, helps reduce the impact of any particular vulnerability. Of the 23 security bulletins that have been released for Windows Vista through January 2008, 12 specifically call out a lower impact for those running without administrative privileges: MS07-033, 034, 040, 042, 045, 047, 048, 050, 057, 064, 068, and 069. This is a great illustration of the importance of User Account Control and why we included it in the product. It’s also the reason I personally run as a standard user on every machine I use.

Because of IE Protected Mode, the MS07-056 bulletin from October ’07 was rated important on Windows Vista and critical on Windows XP. The bulletin rating helps organizations determine the urgency with which they need to deploy the update. Fewer critical updates help organizations maintain regular processes around patch management.

Internet Explorer 7, which is the default browser in Windows Vista, also helps protect the personal information of end users. We’re seeing almost 1 million phishing attempts blocked per week, representing a large number of potential cases of identity theft or credit card fraud that were stopped. In addition, there are over 3500 sites with Extended Validation SSL Certificates (EV SSL), representing an improved level of authentication for securing transactions on these sites. Internet Explorer 7 is the first browser to fully support EV SSL. It turns the address bar green for EV SSL sites and notifies users about the available identity information so they can make better trust decisions when entering sensitive personal information while online.

Next, let’s look at patch events, vulnerabilities and infections.  We’re showing steady positive progress in this area.   When looking at Windows Vista compared to Windows XP, we’ve seen:

An important metric for IT professionals is the concept of patch events, which is discussed in the One Year Vulnerability Report released today by Microsoft’s Jeff Jones. During Windows XP’s first year, updates were released on 26 separate days. Through a combination of the move to a predictable monthly release schedule and decreased vulnerabilities, Windows Vista had updates released on just nine days in its first year. To the average security professional, this is one of the most relevant metrics: how many times did I have to activate my internal patch management process due to vendor update releases over the course of a year? Nine times is much more attractive, and cost effective, than 26 times. Jeff Jones’ one year report goes into this area in more detail, and the graph below from his report shows the patch events during the first year of Windows Vista and Windows XP:

Patch Events


Fewer vulnerabilities: Also from the One Year Vulnerability Report, we see that Windows Vista in its first year had significantly fewer fixed and unfixed vulnerabilities than Windows XP in its first year: 36 fixed/30 unfixed for Windows Vista vs. 68 fixed/54 unfixed for Windows XP. The chart below gives you an idea of the progress we’ve made:

First Year 

Fewer months with updates: Building on the concept of patch events, since Windows Vista was released there were three months in which Windows XP had updates and Windows Vista did not (December ’06, January ’07, and November ’07). This means that an organization running all Windows Vista clients would have had three months in which they wouldn’t have had to deploy an OS update to their clients at all.

Fewer infections: From January – June 2007, there were 60% fewer malware infections and 2.8 times less potentially unwanted software on Windows Vista than on Windows XP SP2, according to the Microsoft Security Intelligence Report from 10/07. This illustrates how the defense-in-depth features built into Windows Vista help prevent machines from getting infected by malicious and potentially unwanted software.
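As an added example (not code from the post or from Jeff Jones’ report), here is how the metrics above, patch events, months with updates on one OS but not the other, bulletins that call out a lower impact for standard users, and bulletins rated lower on one OS than another, can be computed from a bulletin list. The bulletin IDs, dates, ratings and flags below are constructed sample data, and the product and function names are my own.

```python
"""Patch-event and severity metrics of the kind the post describes.

Added example, not code from the original post or from Jeff Jones' report.
The bulletin list is CONSTRUCTED sample data: the IDs, dates, ratings and
'lower impact as standard user' flags are illustrative, not real bulletins.
"""
from dataclasses import dataclass
from datetime import date

# Microsoft's bulletin rating scale, lowest to highest.
SEVERITY_RANK = {"Low": 0, "Moderate": 1, "Important": 2, "Critical": 3}


@dataclass
class Bulletin:
    id: str
    released: date
    severity: dict                      # product -> rating on that product
    lower_impact_standard_user: bool = False


# Constructed sample data (hypothetical bulletins, not real ones).
SAMPLE_BULLETINS = [
    Bulletin("B1", date(2007, 1, 9), {"XP": "Critical"}),
    Bulletin("B2", date(2007, 2, 13), {"XP": "Critical", "Vista": "Important"}, True),
    Bulletin("B3", date(2007, 2, 13), {"XP": "Important", "Vista": "Important"}, True),
    Bulletin("B4", date(2007, 4, 10), {"XP": "Critical", "Vista": "Critical"}),
    Bulletin("B5", date(2007, 11, 13), {"XP": "Important"}),
    Bulletin("B6", date(2007, 12, 11), {"XP": "Critical", "Vista": "Critical"}, True),
]


def affecting(bulletins, product):
    """Bulletins that carry a rating for `product`, i.e. that affect it."""
    return [b for b in bulletins if product in b.severity]


def patch_events(bulletins, product):
    """Distinct days on which at least one update shipped for `product`.
    Two bulletins released on the same day count as one patch event,
    because the internal patch-management process is activated once."""
    return len({b.released for b in affecting(bulletins, product)})


def update_months(bulletins, product):
    """(year, month) pairs in which `product` received at least one update."""
    return {(b.released.year, b.released.month) for b in affecting(bulletins, product)}


def months_only_in(bulletins, product_a, product_b):
    """Months in which product_a had updates but product_b had none."""
    return sorted(update_months(bulletins, product_a) - update_months(bulletins, product_b))


def lower_impact_count(bulletins, product):
    """How many bulletins affecting `product` call out a lower impact for
    users running without administrative privileges."""
    return sum(1 for b in affecting(bulletins, product) if b.lower_impact_standard_user)


def severity_downgrades(bulletins, from_product, to_product):
    """Bulletins affecting both products whose rating on to_product is lower
    than on from_product (e.g. Critical on XP, Important on Vista)."""
    downgraded = []
    for b in bulletins:
        src, dst = b.severity.get(from_product), b.severity.get(to_product)
        if src and dst and SEVERITY_RANK[dst] < SEVERITY_RANK[src]:
            downgraded.append(b.id)
    return downgraded


if __name__ == "__main__":
    for product in ("XP", "Vista"):
        print(product, "patch events:", patch_events(SAMPLE_BULLETINS, product),
              "lower-impact bulletins:", lower_impact_count(SAMPLE_BULLETINS, product))
    print("months with XP updates but no Vista update:",
          months_only_in(SAMPLE_BULLETINS, "XP", "Vista"))
    print("rated lower on Vista than on XP:",
          severity_downgrades(SAMPLE_BULLETINS, "XP", "Vista"))
```

Feeding the real bulletin history into the same functions reproduces the report-style figures the post quotes (distinct release days, months with updates, and bulletins downgraded on one OS).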

Finally, what does Windows Vista do to help organizations reduce costs?  A recent Microsoft commissioned report from GCR on cost savings for mobile PCs shows $251/machine per year in cost savings for Windows Vista, of which $55/machine per year was attributed to security and data protection features such as User Account Control and BitLocker Drive Encryption.

We’ve said it before, but it bears repeating: our job with security is never finished. But the focus we put on engineering for security, the backing of the world-class security response process delivered by the Microsoft Security Response Center, and the defense-in-depth approach of Windows Vista are showing real-world benefits for customers, and that’s something I take pride in.


Comments (44)

  1. says:

    A vaguely interesting study which basically shows that MS is taking security more seriously and their product released in 2007 is better than the product they released 5 years ago was back then. No surprises there.

    What I guess is suggested but not actually proven is that Vista is more secure to deploy right now and I doubt there’s much difference. What I would like to see would be a similar comparison between XP SP2 and Vista in the last 12 months. As an IT Manager, on new machines I have the choice to deploy:

    a) Fully patched Windows XP SP2

    b) Fully patched Windows Vista

    Only an idiot would deploy a non-patched or partially patched version of either. So of more relevance to me is how the two products performed over the last 12 months.

    Without trawling through the security bulletins, my gut feel suggests there is only a VERY small number of items that affected XP SP2 but not Vista.



  2. Brandon says:

    Windows is there with stability and security, now it needs to improve upon PERFORMANCE.

    Good job getting the other two down, but I want to see some insane leadership in performance.

  3. Microsoft's Jeff Jones released the 1 year vulnerability report for Windows Vista. This paper analyzes

  4. Anonymous says:

    It would make sense to compare Vista only to XPSP2.

  5. Hok says:

    No, actually it’s best to compare Vista RTM to its predecessor base, Windows Server 2003 SP1.

  6. db says:

    This all means very little to the guy who got stuck with it on a new purchase.

  7. Pieter says:

    Sounds pretty much like: we from brand X advise you to use… brand X! 🙂

    Let’s face it: if Vista had proven to be as easily corruptible as ME, or had contained as many leaks as XP, the designers would not have done a very good job. If they have done a good job is up for debate, but from a security point of view, apparently they have. So should they be commended for doing their job? Hmmm. My boss doesn’t run into my office every day to tell me what a good job I’m doing, and frankly, I’d shoot him after the third time he’d walk in blowing my horn… 🙂

    So why this "claim to fame" for Vista? Guess it’s only because the sales of Vista aren’t what they were expected to be, and could use a boost…

  8. The new OS has benefited significantly from its expanded security features and the stronger code base developed via Microsoft’s SDL program, the company claims.

  9. B. Aafjes says:

    Interesting to see that you need to explain why Vista is so good, but that it doesn’t speak for itself. Vista should really be able to sell itself, but I hear hardly any positive remarks, except from people who work at Microsoft.

    GM’s Bob Lutz once said something like this: If the development team constantly needs to tell customers what an outstanding job they did, they fail to deliver the most important thing: the feeling that you really want this product on sight.

    What most people want is an OS that needs no attention from the user, but manages to amaze you in unexpected things, like being user friendly, fast and stable. It should be faster than its predecessor, further optimized.

    You people accomplished almost none of the above, so I had no choice but to switch to something else.

  10. M Stephen says:

    It’s great that they are finally taking security seriously.  But who cares if the product doesn’t function well or is difficult to use or isn’t compatible with much of the common software users want?  I mean, what good is security on a bloated product that doesn’t allow users to do the simple things they need and want to do?

    Missed the point again Microsoft. Many of us in the technology profession are rolling back to XP Service Pack 3 when it comes out. Be grateful we don’t ditch Microsoft altogether for the better options out there (Mac OS, Ubuntu, etc.)

  11. On January 23, Jeff Jones, Director of Security at Microsoft, published his "One Year Vulnerability

  12. Me says:

    I’m a developer for > 12 years now and programmed loads of apps starting with Windows 2000 up to Vista.

    Knowing the changes they did in Vista’s architecture to make it more secure, I understand and believe it’s indeed more secure than XP.

    But still Vista sucks. Why?

    Performance is much too low in most areas (networking, gaming, file access etc.) when you compare it with XP.

    Vista uses TOO much memory, more than XP.

    I have 2 GB RAM here and still memory consumption gets up to 80% while just running 2-3 end-user apps.

    All the rest goes to drivers, services and who knows what…

    Last thing is that third parties simply release very bad drivers for Vista (NVidia, you listening??) or simply don’t release any Vista drivers at all for products which are less than 2 yrs old. Example: my HP printer which is now 2 yrs old; HP simply refuses to provide a Vista driver for it and tells me to buy a new printer??

  13. The person who knows nothing says:


    One: this means what, when I build a computer for it I’ll need at least 4GB RAM to even run somewhat fast? And what is up with the 10+ times more HD needed than XP?

    Two: HACKERS, they are now getting involved with Vista. They won’t touch anything less than 15% of the overall market (my guess), so MS get ready. Hopefully a very big disappointment and everyone goes back to XP as I SHALL NOT BUY A COPY OF VISTA EVER. Not even when SP1 comes out -.-

    Three: I would buy a MAC before I ever buy Vista, and MACs have like the most critical errors than Windows does a month…..

    Get the point?

  14. The person who knows nothing says:

    I have re-read the article….


    "Fewer vulnerabilities:   Also from the  One Year Vulnerability Report, we see that Windows Vista in its first year had significantly fewer fixed and unfixed vulnerabilities than Windows XP in its first year: 36 fixed/30 unfixed for Windows Vista vs. 68 fixed/54 unfixed for Windows XP.   The chart below gives you an idea of the progress we’ve made:"

    Ummmm, you’re going based on 5 yrs of difference, what the hell is wrong with you?

    "reduce costs"

    Yea, ok. First you might save em money but I’ll never buy Vista for a company because the savings are not worth the hassle nor the extra cost for 4GB while XP runs on not even 1GB!

    My personal computer runs on 1GB (custom built) and it runs so smoothly while I have like 2 programs taking 256+ RAM each; it is not able to be compared to Vista which needs 4+GB to even attempt that.

    Second, by Vista needing so much RAM they would really be wasting their money on SLOW OS AND SLOW COMPUTERS. In order to keep Vista fairly fast they would need to make it look like Windows 98, and I would still buy XP as I still find Vista too slow.

  15. Winxoxoxp Viva la Vista says:

    The reason people recorded less issues with Vista is:

    1. Half the users are pirating it:

    Since it’s too expensive to buy, people are illegally downloading it, and with that as a user base makes reporting issues to Microsoft risky. Logs are generated with hardware and IP addresses which can identify users.

    2. Users could care less about reporting issues to Microsoft, when you can look online and find a workaround and fix it now. Humans go for the path of least resistance; the Microsoft tech line is like a chalkboard to the ear.

    The Covered wagon worked just fine, but you love your car don’t you?

    Covered wagon = Vista: bloated, slow and high maintenance

    3. Microsoft is becoming increasingly demanding, with IE7 being forced on Feb. 12 and Win XP phase out Jan 2009; it seems they are flexing their monopoly on an economically broken nation called America.

    But at least in other economically poor nations they get Windows XP Starter Edition for around $36 that won’t be phased out until they think they have enough market to capitalize off of.

    "Get them hooked and start charging mentality"

    And schools get Microsoft Office that costs $2.50.

    No one said big corporations can’t market off of children. If only Microsoft cut deals like this to Americans, maybe our literacy rate will compare to the rest of the world.

  16. William says:

    That Windows Vista from Microsoft is safe is not true. Linux is much safer and it’s free.

  17. Lloyd says:

    Anyone who moans and groans about Vista and claims they can get the benefits of an MS based OS for free is a "fools fool".

    Take a look at what Microsoft offers as a whole for the developer that no other single company comes remotely close to. The ability to develop and deploy powerful applications for the vast majority of customers worldwide using development tools that can be downloaded for free and to develop extremely powerful web based applications leveraging free MS technologies like, .Net 2.0, .Net 3.0 WCF/WPF/WWF and now .Net 3.5.

    I don’t believe MS should be congratulated as they are only delivering what has been paid for by their customers in the first instance.

  18. Marcel says:

    Sorry but this is a totally invalid comparison. Who is going to be running WinXP patched up to where it was 6 years ago? It is a tried and true formula now. It has had 6 or 7 years of security auditing. You have to compare the LAST 12 months of Vista vs WinXP for a valid comparison. Definitely not the FIRST 12 months.

    How ridiculous and irrelevant is the first 12 months. Seriously, it reeks of marketing.

  19. A flurry of emails this afternoon confirms that Windows Vista Service Pack 1 has been released (or at

  20. Raziel says:

    Sorry to say this, but this is a load of BS…

    M$ charts for how secure their products are only ever relate to the public problems found, not to the actual amount of problems around.

    The advance in security isn’t really an advance… Linux and Macs have these kind of security implements since the beginning of their kind… M$ is just trying to make it look good while failing greatly to do so…

    I guess this video show quite nicely what I’m talking about:

  21. lava says:

    I faced many issues in windows xp regarding security, specially when i surf unknown websites. now in vista with IE security i can stop those websites installing some unknown programs, although it was annoying a little bit to click on those allow and information bars. i have 2 GB ram and i was able to open almost 15 common applications at a time. it may take time to load for the first time, but once its opened it works fine no issues.

    To those guys who have problems with vista or microsoft… better try linux or mac for a year and then see the difference…

    i feel…. you guys are comparing frogs in lakes to frogs in ocean… obviously frogs in lake will face less threats compared to ocean

  22. Armin says:

    Hello Bill Gates,

    After I was just threatened with having my Hotmail account blocked because I repeatedly complained about "inaction" at Microsoft against abuses such as porn in Spaces and the suppression of Article 4 of the German Basic Law (GG) in forums, my Spaces will probably fall by the wayside. Meanwhile I am already unable to use Messenger.

    In my view the "MS Team" is deliberately sabotaging.

    The Windows Live terms of use are pure waste paper.

    Whoever clearly speaks out about abuses gets removed.

    For me it is certain that Microsoft is a company that actively undermines "rule-of-law and democratic values".

    A clarifying, fair conversation with the MSN management was not possible.



  23. Kai Robinson says:

    One thing you still haven’t done…is allow the end user to DISABLE driver signing in x64 Vista if they so choose – you can’t even change the group policy to disable signing by default.

    I want the ability to decide for myself what applications I run on my machine – and if that includes wanting to run applications that require driver signing to be disabled – who are MS to tell me ‘no, you can’t’.

    If I pay £400 for a bloated, slow OS (compared to XP64), then surely I should be allowed to do what I damn well please?

  24. I have no troubles with the system Windows Vista.

    Don van Outheusden

  25. Penny says:

    I know lots of people are having problems with Vista but I’m not one of them. Most of my current software products work just fine with Vista – I only had to scrap a couple of them that I really didn’t need anyway. I’ve had no security issues – but then I do also have Windows Live OneCare installed. I had a lot more hits to my security with XP – I was using Norton then, too, and still getting hits.

    The only two annoying issues I’ve had were just this weekend – one with a driver update that deleted my sound until I went to the HP site and reinstalled it, and the other when I upgraded from Home Premium to Ultimate – I had to repair the OneCare firewall so it would work again.

    Seriously, that’s it.  And if MS could give me a way to just bounce junk mail back at the sender so I wouldn’t even have to see it, I’d be a really satisfied customer.

  26. Gillian says:

    Hello, I am completely baffled with my laptop, somebody PLEASE HELP ME

    I have been trying unsuccessfully to install Internet Explorer 7 for months and months (through genuine Microsoft updates) and apparently I need to disable my anti-virus programme, which is antivira personal edition classic. I did disable it, the update still failed, I then uninstalled the entire programme and tried again, update still failed. I checked Windows Security Center and it reports antivira as still installed and running, yet in Control Panel it is no longer coming up as being installed on my computer (as I removed it). So the update is failing because of a programme I don’t actually have.

    SOMEBODY PLEASE HELP BECAUSE I’M COMPLETELY LOST! The automatic updates keep trying to install it, failing, and then I am being prompted to restart my computer so the changes can take effect when there never are any changes ahhhhhhhhhhhhhhhhhhhhhh

    Any help would be greatly appreciated, I’m about to throw my laptop out the window.


  27. James Gentile says:

    Good job to Microsoft on security in Vista. I use Vista daily and find it trouble free, it’s fast, programs/games work, it’s stable and I have never had a security issue in 8 months of use. For some reason, people tend to post when they have problems, not when everything works; I guess they are too busy working/playing games. And to the people who complained about memory usage, it’s called ‘caching’ aka SuperFetch; it’s supposed to use your memory, so things load faster. Also, 4GB of RAM costs about as much as 512MB of RAM did when XP was released, so I don’t know what you are complaining about.

  28. DiamondGeo says:


    You need to COMPLETELY clean the installation of "antivira personal edition classic" and forget about re-installing it. There is no free lunch with antivirus software. Do a bit more research and PURCHASE a good antivirus package (or do as I do and forget anti-virus software; they cause more problems than they solve).

    To completely remove it use one of the online clean uninstallers such as "Cleanse Uninstaller"; there are many that work well. Or you can attempt to do the job by hand, deleting all files and folders related to "antivira" (search thoroughly) and then use regedit to remove all references to it in the registry.

    Don’t re-install it ever… it will continue to cause problems for software (not automatic installations).

    Once you have that junk cleaned up your problem should be solved.

  29. Gillian says:

    Thanks very much for your reply DiamondGeo, but the ‘Cleanse Uninstaller’ isn’t reporting any bits of antivira left on my laptop. Sorry but I’ve no idea how to do it manually, and I don’t know what regedit means. I don’t know much about computers, hence me downloading antivira in the first place I guess!

    Any other ideas?

    Thanks again for your help


  30. I enjoyed the above reading. I’ve been trying 2 find out about the SP1 for Vista. I hear it’s been recalled due 2 a lot of people having issues with it once they install SP1. It seems their PCs keep re-booting. Can you tell me if my info. is correct about SP1, has it been recalled and/or R people having problems since they downloaded SP1. Also where can I go 2 see the difference in Vista Ultimate and Premium. I am running Vista Premium but was thinking of up-grading to Ultimate, but I want 2 see the benefits in Ultimate first. Well thank U again for the info. above. It was very interesting. Gene

  31. I have no great love for Vista.  I personally have found it problematic for even an IT person to keep trouble free.  I haven’t found it more reliable, if you define reliable as continuing to run your apps the way they always used to.  It drives me absolutely nuts how every common administrative task gets moved around, renamed and hidden behind extra mouse clicks with each new version of Windows.  And I can’t believe that Microsoft hasn’t made a clear statement or KB article on the Vista "Server Execution Failed" message that has been hitting Vista users for over a year.  That kind of mishap alienates users and has been causing many Vista users to weaken Vista security by putting the "Local Service" account into the local Administrators group.  A fix should be found and announced ASAP.

    Having said that, it is TOTALLY on the mark for Jeff Jones’ patch metrics to compare vulns in the first 12 months.  First, how else can you possibly compare one’s progress over the past 6 years, without looking at the performance 6 years ago?  Second, it’s an accepted fact that a different number of vulns are found in the initial release of a software, compared to the last service pack.  Jeff Jones’ study isn’t intended to get you to buy Vista by proving it’s more secure than XP SP2.  That study just tracks software vulns, which is different from overall security.  The other posters here should note that only the two paragraphs about Jeff Jones’ patch metrics used XP SP0 to compare.  The other parts of the article compared Vista SP0 with XP SP2 and suggested that Vista had fewer and less critical patches in 2007 compared with XP SP2.

    I think one fair complaint, however, is that when comparing patch metrics, it might not be fair to compare using the default XP SP0 configuration.  It might be more fair to secure the default XP SP0 settings as best you can per the Microsoft XP Security Guide before comparing.  I say this because Microsoft chooses whether a particular security update is rated critical or merely important based on the default configuration rather than just the severity of the vulnerability itself.  In other words, Vista might have a serious remote code execution buffer overflow in a particular service, but Microsoft rates it as Important if the service is disabled by default.  That is the right thing to do in MS security bulletins, but it skews XP Gold vulns to be rated Critical more often than identical Vista Gold vulns, simply because of the default config.

  33. JohnnyW says:

    The biggest problem Vista faces is the same one that the Zune faces: It doesn’t matter how good it is, people will still be against it because it’s Microsoft.

    Microsoft have done a brilliant job in the past 18 years in destroying consumer confidence and creating an image of themselves of an evil corporate empire. It doesn’t help that if you followed the Anti-Trust case that Microsoft essentially DID act like an evil corporate empire during that trial, either.

    Reading many people’s comments here, it’s clear they skim read the article and came to the same old conclusion: Vista = MS = BAD!

    Regardless, I hope it’s not too demoralising for the hard-working technicians at MS. Vista is definitely an improvement over XP in terms of stability and reliability. I hope that SP1 improves some of the performance issues, too.

  34. chaos says:

    I’m glad there will be another update for Vista. I feel that it is slowing the ability of the computer by a lot. I have a great system that just doesn’t seem to be up to par with the parts it has inside and I am often told that it is Vista that is doing it. I don’t like a slow computer, especially when I have to pay over $1,000 for it. I expect it to work to its fullest, not to be slowed by the program that runs the computer. I can’t wait for this update, I just hope it does better because if it does not I will not have anything more to do with Vista, I will switch back to XP…

  35. Pierce says:

    Wow, nice post. I didn’t realize how much better Vista has gotten, but I still don’t like it!

  36. Imagination.VG says:

    Running as administrator gives trojans and viruses the same access as you… in essence, they have control over every setting

  38. none says:

    Please address the BlackHat report asap
