Introduction

A lot of people believe that Microsoft Windows security sucks and that Microsoft is by far the worst of all software vendors. Many of them back this up with anecdotal evidence from the late 1990s, and most of them have simply refused to believe that the company could actually have changed since then.

The truth is that the state of almost all software security is very poor. Compared with most software development organizations, Microsoft is actually doing a pretty good job. In the first 90 days after its release, there were five announced vulnerabilities in Windows Vista, of which one had been fixed. (These figures come from Jeff Jones, a director at Microsoft who, in spite of his employer, tends to be quite objective. Read his entire report at http://blogs.csoonline.com/windows_vista_90_day_vulnerability_report.)

Five vulnerabilities in 90 days may not sound so good, but compare that to Windows XP, which had 18 announced vulnerabilities and 14 fixes in its first 90 days. Clearly, Windows Vista is an improvement. How about other vendors, though? Well, there were 11 patches for 36 vulnerabilities in Red Hat Enterprise Linux 5 on the day it shipped. At the time of this writing it had not yet been out for 90 days, so it is hard to say whether that trend is better than that of Red Hat Enterprise Linux 4, which had 181 fixes and an additional 85 unpatched vulnerabilities in its first 90 days. Apple fared far better, as it is quick to point out. In the first 90 days of Mac OS X 10.4 there ...
