kemical

Below is an article written by Ed Bott: Link Removed

Over the past couple years, I’ve been regularly checking in to measure whether Windows Vista is living up to its promise of being more secure than its predecessor, Windows XP. (To catch up with previous installments, see October 2007, Link Removed and July 2008, “Link Removed.”)
My metric is a simple but effective one: count the number of Link Removed rated Critical or Important for different Windows versions over time. In both previous installments, Vista had a significant edge over XP, with far fewer updates required. Has Vista maintained its security advantage over the past year? And are there any indications as to how Windows 7 will fare, now that it’s been released to manufacturing?
The answer to both questions is yes.
It’s far too early to make definitive judgments about the relative security of Windows 7, but Microsoft’s shiny new OS had a banner first month. A total of eight Microsoft security bulletins were aimed at various Windows versions. Three of them were rated Critical for both Windows XP and Windows Vista, even with the most recent service packs. Another two security updates were rated Important for Windows XP and Moderate for Windows Vista.
But for all eight of the August 2009 security updates, Windows 7 and Windows Server 2008 R2 were listed under the Non-Affected Software heading. Not a single one of those security holes required patching in the new OS.
That’s the same pattern that Windows Vista established when it was new. And Vista has maintained its safer-than-thou reputation in the past year. I went through every single security bulletin Microsoft published for the past 12 months, from September 2008 through August 2009. The totals?
Windows XP: 22 Critical, 16 Important
Windows Vista: 18 Critical, 11 Important
That’s a 24% reduction in the number of patches rated Critical or Important—the kind that typically involve remote code execution or escalation of privileges. Or, to put it another way, that’s 3.2 patches per month for XP and 2.4 patches for Vista. (And the next time someone complains about the number of patches they have to install for Windows, be sure to show them that number: 2.4 patches per month, delivered automatically on the first Tuesday of each month, isn’t exactly overwhelming.)
So what’s the difference? Security Bulletin Link Removed is typical:
This security update resolves a privately reported vulnerability that is currently being exploited. The vulnerability in Microsoft Video ActiveX Control could allow remote code execution if a user views a specially crafted Web page with Internet Explorer, instantiating the ActiveX control. This ActiveX control was never intended to be instantiated in Internet Explorer. …
This security update is rated Critical for all supported editions of Windows XP….
That vulnerability doesn’t exist in Windows Vista or in Windows 7. And both of those newer operating systems have an additional advantage. As the bulletin notes: “Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.” That, of course, is the whole point of the user model that was dissed so thoroughly in Windows Vista. But it seems to be working
 


That, of course, is the whole point of the user model that was dissed so thoroughly in Windows Vista. But it seems to be working
Yes, and XP.

"If I can't run as a full admin and have a secure system, then Windows is just plain insecure and damn M$ if they don't fix it. I can't be bothered to learn how to run as a plain user and use Run As command to install or run a particular app. Spyware/malware/viruses?? who cares, M$ are to blame for the whole stinkin insecure nature of my computer.
Iiiiitttt'ssss tthhhiiiieeeerrrr FFFFAaauuuulllttt, rrrrrrr M$ blows."

Gotta love them people. Without them, I wouldn't have a job.

On a side note...... Vista was the most secure OS ever released to market including Linux and Mac out of the box.
 


LOL...True and true.. Link Removed
 


"On a side note...... Vista was the most secure OS ever released to market including Linux and Mac out of the box. "

There was the pity. It was so encumbered with security features, that it became one of the major downfalls of the OS. In 7 they tried to keep the security, without the encumbrance. But, as we know, it is all very much a waste of time. The hackers of the world consider Microsoft a challenge (Who wants to security hack an open source OS!) It makes Microsoft products, axiomatically the most prone. I always tackle the problem by putting on my own secure devices, which do not 100% deter, but make the hacker think about moving on to the next customer.
 


I still cannot believe that there are users out there using no protection at all. I'm not talking about new users neither but ones that just 'can't be bothered'...
 


Apparently the rise of malware/viruses during any given season can be closely attributed to the school holidays.... Brats indeed....
 


I still cannot believe that there are users out there using no protection at all. I'm not talking about new users neither but ones that just 'can't be bothered'...

These are our friends whose computers eventually join botnets that participate in spamming us with viagra e-mails....
 


Yup, the BBC program 'Click' actually did it for real and filmed the bots in action. They bought the bot net from 'some guy' in the Eastern Bloc and once they'd demonstrated how easy it was to do they then sent each of the pcs in the bot net an e-mail saying what had happened, why (I'm not sure how I would have felt receiving that mail) and that now the bot net had been destroyed...
 


"A scan a day keeps the nasties away"

Drew possibly has the secret here. I used McAfee Security Suite for several years, then moved to AVG free with any one or two of several anti-spyware programs and usually using microsoft firewall then recently moved to Microsoft Security Essentials beta. I have been using one of these combinations since either Windows 95 or Windows 98. I have never suffered ANY substantial invasion with 95, 98, 98SE, Millennium, 2000, XP, Vista, or Windows 7. Does that mean that they have all been "secure" OSs................or does it indicate that only modest precautions will prevent terrible things from happening with ANY OS? The latter, I think. It is for this reason that I almost laugh at all the security obsessions expressed by so many. I have downloaded from P2P sites and always scan every file before opening and have to discard a number of them because whatever anti-virus I am using at the time finds a problem. Since I have no more, or no less, problem with one OS over another, the "security" of the OS itself is not a consideration for me.

(As a footnote: I am using IE 6, which has gained a reputation for being "wide open", on one computer that will not upgrade to anything newer. .............Still no significant intrusions.) Give me user friendliness and I will provide my security.
 


Yes Drew, I agree,, but remember,, we are living in the age of "Lack Of Responsibility".

"What? Secure PC? I'm supposed to do that? I don't think so, that's MS's job, what the hell am I paying for then?"

"What? Get a Job? Why the hell would I do that?"
 


I used to think it was just a question of education but even now, when half the country has broadband I still get amazed at how lax people are. As john3347 points out, it only takes a small level of protection to keep you safe...
 


I still cannot believe that there are users out there using no protection at all. I'm not talking about new users neither but ones that just 'can't be bothered'...

I agree with you on this matter Kemical... There are a lot of people that do not have any form of protection installed, and they often suffer the consequences.. ;)

I tested many Malware/Anti-Spyware/Anti-Virus and Anti-Adware apps with Windows 7 but now have nothing at all installed for protection on one of my pc's just to see how long it will take for Windows 7 to go down.. (Note: The PC I have done this to contains absolutely NO personal files at all, it is for testing purposes only. I do NOT recommend that anyone does this).. :) Some will argue and say things like "as long as you are careful and only go to trusted sites you'll be fine" (for example), however, that is usually not the case.. ;)

For anyone who's interested, so far the PC I did this to is still working exactly as it should.. I'm not saying it doesn't have any Malware/Adware/Spyware/Worm etc on it as a result but if it does, it's nothing big enough to compromise the integrity of the OS as of yet.. It has been 40 days now since I set the PC up this way..
 


Neat test Radenight! I would be interested in knowing the results. I wish you had a whole bank of computers to make your un-protected trial on. Line up a dozen or so computers with OSs all the way back to Windows 95; Go to exactly the same sites with each of them, download exactly the same files, exactly the same amount of time on each site, treat each of them EXACTLY the same way. I would almost bet you a steak dinner that they would all wind up with ALMOST identical invasions after any given amount of time. This test would also include Windows 7 and Windows Vista.

I have not gone 40 days before, but I have left my Windows 2000 machine unprotected for like 7 to 10 days or so a time or two (for other reasons) without any problems that a simple AVG and Malwarebytes scan couldn't fix when they were installed and made their initial scan. I always accumulate several advertising and keylogging cookies between scans.

An additional note to those who endorse the idea of only going to "trusted" sites. There are no trusted sites! Recently, I opened an email from my son who had gone to a site that a friend of his had recommended. This email contained a virus. Now, my son did not even send me the email that contained the virus. The virus itself sent an email to everyone in his address book as an email "from him" containing the same virus. He knew nothing about it until he started receiving email from recipients. There are no trusted sites! (Microsoft Security Essentials beta did make a quick lunch of the virus.)
 


Hey guys,
interesting experiment Radenight... It reminds me of a magazine journo' who'd swear that using anti-virus and defragging was a complete waste of time. He'd regularly tell his readers how stupid they were for using anti virus programs and for defragging their machines. I'm trying to think of the mag...... Got it : PC Format! At the back there was/is a section called 'Ask Luis' (Luis being the journo in question) and apart from his often scathing humorous answers he'd spout the crap I mentioned above.
We should have a name the most stupid article competition or something similar... What do you think?
 


Neat test Radenight! I would be interested in knowing the results. I wish you had a whole bank of computers to make your un-protected trial on. Line up a dozen or so computers with OSs all the way back to Windows 95; Go to exactly the same sites with each of them, download exactly the same files, exactly the same amount of time on each site, treat each of them EXACTLY the same way. I would almost bet you a steak dinner that they would all wind up with ALMOST identical invasions after any given amount of time. This test would also include Windows 7 and Windows Vista.

I'll post the results in a new thread once I've completed the test.. I'm going to let it go as long as it takes to get a crippling infection.. ;)

That is a good idea John.. Maybe when I finally move into a place with an extra room I'll set that one up.. ;) I agree with you that the results most likely would all be the same.. I'll start thinking of a good place for the steak dinner though, just in case.. ;)
 


Hey guys,
interesting experiment Radenight... It reminds me of a magazine journo' who'd swear that using anti-virus and defragging was a complete waste of time. He'd regularly tell his readers how stupid they were for using anti virus programs and for defragging their machines. I'm trying to think of the mag...... Got it : PC Format! At the back there was/is a section called 'Ask Luis' (Luis being the journo in question) and apart from his often scathing humorous answers he'd spout the crap I mentioned above.
We should have a name the most stupid article competition or something similar... What do you think?

I actually remember that magazine! And I believe it.. Even now there are quite a few people that still say not to bother with AV apps.. I do NOT condone this advice though.. ;)

That sounds like a very good idea for a competition.. Something we could do in the Water Cooler maybe.. I know Whoosh would be a hard person to beat in that contest.. ;) He's definitely good at finding random articles.. We would need to make sure there are enough people that would want to participate though to actually make it a contest.. ;)

I think if we're going to do something like that, there should definitely be a prize of some sort too.. For all the obvious reasons but also to give incentive.. :)

Anyone else interested in doing this?
 


I actually remember that magazine! And I believe it.. Even now there are quite a few people that still say not to bother with AV apps.. ;)

That sounds like a very good idea for a competition.. Something we could do in the Water Cooler maybe.. I know Whoosh would be a hard person to beat in that contest.. ;) He's definitely good at finding random articles.. We would need to make sure there are enough people that would want to participate though to actually make it a contest.. ;)

I think if we're going to do something like that, there should definitely be a prize of some sort too.. For all the obvious reasons but also to give incentive.. :)

Anyone else interested in doing this?

Would the "quickest turnaround" in computer history be eligible? Like on one day, a Microsoft Lawyer states that the XML ruling was really no big deal (probably true); then the next day Microsoft goes to court hoping to stay the ruling claiming "irreparable harm" and even enlisting a couple of un-named computer manufacturers to testify that even they would be "irreparably harmed" if this ruling stands? (What a crock of schmuck!)

Irreparable harm to change a few lines of code?............Gimme a break!
 


Well I'm definitely up for it but perhaps we ought to just create a bad journo thread and see if it develops? Whatever is decided though I'm game..:)
 

