CNET, Experts and Windows Vista Security

UPDATE:  Corrected my math problem, based upon astute reader feedback (he says sheepishly) 

Reading online news this morning, I came across the CNET headline: Experts: Don’t buy Vista for the security.  Wondering what the experts were saying, I clicked and read the article and once again I got a good laugh about the relationship between the “headline” and the “story.”

Having read all the quotes, it didn’t add up to “don’t buy Vista for security” to me.  So, for fun, let’s review the paragraphs and quotes and assign a score for each one.

First, Jim Allchin:

“Safety and security is the overriding feature that most people will want to have Windows Vista for,” Jim Allchin, Microsoft’s outgoing Windows chief, told CNET News.com a year ago. “Even if they are not into home entertainment or in any of the specialty areas, they are just going to feel safer and more secure by using it.”

Since Jim is the MSFT dude behind Windows Vista, we’re going to exempt him from the scoring.  Next, we have David Milman, chief executive of Rescuecom, who says:

“As long as XP users keep their updates current, there’s generally no compelling reason to buy into the hype and purchase Vista right away,” said David Milman, chief executive of Rescuecom, a computer repair and support company. “We suggest people wait until buying a new machine to get Vista, for economic and practical reasons.”

As in the past, Microsoft faces itself as its toughest competitor. SP2 for Windows XP, which was released in August 2004, marked a significant and much-needed boost in PC security. Since then, Microsoft has released Internet Explorer 7 and the Windows Defender antispyware tool for XP. As a result, the older Windows version is simply good enough for many users.

Wow, a compliment to Windows XP SP2 security!  However, we’ll count this as a (-1) for experts wrt Vista, but a +1 for Windows XP security.  Next, we hear from Gartner’s John Pescatore, who has typically been a hardcore skeptic when it comes to Microsoft security improvements:

“Upgrading to Vista is pretty expensive, not only the new software but often new hardware as well,” said Gartner’s John Pescatore. “If you put IE 7 on a Windows XP SP2 PC, along with the usual third-party firewall, antiviral and antispyware tools, you can have a perfectly secure PC if you keep up with the patches.”

Another compliment to Windows XP SP2 security!  [Also, note that he did not say “put Firefox on …”]  Still, it counts as a (-1) wrt Vista, for a running total of (-2) and another +1 for XP, which is up to +2.  Next, Pete Lindstrom chimes in:

“Vista is light-years ahead of XP from a built-in security perspective,” said Pete Lindstrom, a Burton Group analyst. “But the market will decide whether it is important. Note that there haven’t really been significant problems with the operating system lately, and our memories are short.”

I have to count “light-years ahead” as a +1 for Vista security, now back up to -1 total.  There also seems to be a sort of implied compliment to Microsoft and Windows in general in there for at least the recent past.  Moving on:

“The added security alone is not worth the money when comparing Vista with Windows XP SP2,” said Lambert, a member of CNET News.com’s Vista Views panel.

Another +1 for Windows XP and a (-1) for Vista security – now at +3 and -2 respectively.  But Chris Swenson, an NPD Group analyst, thinks that many consumers will prefer Vista’s built-in security features over adding defenses to their XP machine.

“A lot of customers will prefer to either buy a new machine with Vista or upgrade a recently acquired XP machine with Vista in order to get at this added layer of protection,” Swenson said.

Finally, a +1 for Vista security, bringing the running count back to -1.  Next we hear from “all experts” and specifically David Litchfield:

If you are in the market for a new Windows PC because your old computer is outdated or otherwise failing on you, Vista is your best bet, all experts agree. That’s even if you’re considering buying a Mac, said David Litchfield, a noted security bug hunter.

“If you’re looking to buy a new computer, the security features built into Vista tip the balance in its favor over other options such as Mac OS X,” Litchfield said. “We’ve moved beyond the days of lots of bugs and worms. Recent history shows that Microsoft can get it right, as they did with XP SP2. With Vista, they will again demonstrate that.”

With the “all experts agree” comment, I think we have to add a +2 for Windows Vista security, bringing the running count up to +1.  Also, it seems like Mac OS X gets a (-1).  Dan Kaminsky continues this trend, saying:

“To be clear, XP SP2 was a massive leap for Windows security. But XP SP2 was not the systemic, top-to-bottom, scrub-everything experience that Vista is,” said Dan Kaminsky, an independent security researcher. “XP SP2 secured the surface. Vista security goes much deeper. It’s a far bigger leap.”

Okay, relative to Vista, we’ll give Windows XP a (-1) and Vista a +1 for Dan’s comments, bringing XP down to +2 and Vista up to +2.  The final person quoted by CNET is Robert McLaws,

… a blogger who writes about Microsoft, is particularly gung-ho about Vista. He recommends that everyone buy a copy as soon as possible. “Security is the No. 1 feature in Vista, and everyone with a computer in the house should go out and buy it,” he said. [he goes on to later say]

“I don’t want people to expect that their computer is never going to be compromised because of Vista; that’s simply not the case,” McLaws said. “The nature of maliciousness on the Internet is changing rapidly. It used to be that nerdy kids were trying to outdo other nerdy kids. Now it is criminals.”

That seems pretty definitive and covers multiple computers, so I think Vista security deserves a +2 for that comment, but will moderate it to a +1 since Robert appears to be such a big Windows Vista supporter.

Final scores from the experts:

  • Windows Vista security:  +3
  • Windows XP SP2: +2
  • Mac OS X: -1

So, with a large mix of compliments for Windows XP SP2 security being the “downside” of why folks might not immediately migrate to Windows Vista for security reasons, I’m not clear how you get to the headline of experts saying don’t buy Vista for security.

However, it sure seems to be a positive acknowledgment of Microsoft’s Trustworthy Computing initiative efforts to improve security!

About the Author
Jeff Jones

Principal Cybersecurity Strategist

Jeff Jones is a 27-year security industry professional who has spent the last decade at Microsoft working with enterprise CSOs and Microsoft's internal teams to drive practical and measurable security improvements into Microsoft products and services. Additionally, Jeff analyzes vulnerability trends