At the Microsoft Worldwide Partner Conference 2008, Kevin Turner, chief operating officer at Microsoft, gave a keynote that covered a range of topics, from the partner ecosystem the company is so grateful for (and will be investing another $600 million in year over year) to the plan for the next fiscal year (a bigger push on Software as a Service). Turner talked about almost every major area Microsoft has invested in, and then uttered something that was PR speak gone too far. He began to talk about Vista's security, and he said something that I simply don't agree with (emphasis mine):
We've talked a lot about compatibility, we don't need to talk as much about compatibility anymore, we need to talk about the fact that, look, what Vista is, it's the most secure product in the history of operating systems on a desktop. It is more secure today than Apple Leopard, or XP, or Linux, or open source. We built this product to engineer in security on the front end, not as a service pack. As a result of that, we tightened down things like user account controls. Yes, it required a lot of compatibility upgrades and fixes, but you know what, it's important that you understand the progress, and you're able to articulate that, and fewer patching is what all customers want, and there's a cost savings there. Windows Vista with Service Pack 1 delivers that.
Now, Turner has some data to back this claim up, but he's only looking at it from one perspective. Yes, Vista has had fewer vulnerabilities disclosed than XP, and it does not surprise me that Mac OS X and Linux have had more than either. However, security should not simply be measured by the number of vulnerabilities found in a given piece of software: that number reflects how many people are looking and how much incentive they have as much as it reflects the quality of the code. There are more people looking over Linux code day in and day out than over Microsoft's, and there is often fame and money to be won for finding vulnerabilities in Mac OS X.
Exploited vulnerabilities need a little more emphasis, and so do infection numbers. Vista's infection numbers are lower than XP's, but this is due to two main factors: it is a more secure OS, and it also has a smaller market share, making it a smaller target. Vista's infection rates are obviously higher than those of Mac OS X or Linux, and that, how often users actually get compromised, is what security is about.
Microsoft may not have control over the fact that its operating systems are the most targeted, so it can't exactly change anything there, but if you are going to tout that you've improved security in your product, compare it to its predecessor, or explicitly state that you're talking about vulnerability counts. Hopefully this will be taken into consideration in the upcoming Vista ads.
Further reading: Microsoft: Press Release