Windows XP vs Windows Vista Security

So, a couple of days ago, I happened upon the tantalizing headline of Review: Vista, XP Users Equally At Peril To Viruses, Exploits.  What!?  As you can imagine, the headline sucked me in and I had to read it.

Frankly, the article as well as the scientific rigor of their testing “failed to impress.”  Take this phrase: “Vista remains riddled with holes, despite …” 

Where does that come from?  I mean, Microsoft has fixed 12 vulnerabilities in Windows Vista in the first six months of availability compared with (for example) the 60 vulnerabilities Apple had to fix in Mac OS X Tiger in it’s first 6 months or the 281 vulnerabilities Red Hat had to fix in RHEL4WS.  Riddled indeed.

I was all ready to do a serious “fact checking” rebuttal today, when, I find I do not have to, courtesy of Ars Technica.

Here is the original CRN article:

Review: Vista, XP Users Equally At Peril To Viruses, Exploits

… and here is the Ars Technica review of the CRN testing …

Windows Vista no more secure than XP: report

And here are some of Ars Technica insights that I agree with:

The report faults Vista for “providing no improvement in virus protection vs. XP,” but of course Windows Vista does not ship with antivirus software—something the reviewer fails to mention.


CRN doesn’t tell the whole story with such exploits, however. IE7 in protected mode forces such scripts to run at a very restricted user privilege level, unlike XP which will allow those same scripts to run at the same privilege level as a user. Vista may let some of those scripts through, but the damage they do is also mitigated to a certain extent. This is why Microsoft believes such threats will have to evolve to survive with fewer rights and less access to the system: if they get through, they will find a very limited sandbox to play in. CRN’s coverage complete ignores this point and fails to test for its effectiveness 


It was also disappointing to see CRN completely ignore the issue of buffer overflows, which has been addressed well in Vista by most accounts. This was a major weak spot with XP, and so far, Vista looks strong in this area, strong enough that Vista may never get its own “SQL Slammer.” Why CRN didn’t address this is a mystery, as it is no minor matter. 


In all, the CRN report finds that Vista was as good as XP in seven categories and better in four others (notably, Spyware/Adware, Obfuscated Code Exploits, RDS Exploits, and Trojans). Importantly, it was never outperformed by XP, and just as importantly, these tests were carried out using default settings. The scripting exploits, for instance, are largely defanged by tweaking IE7’s zone settings, and there are other moves that a competent IT shop would undertake to make Vista more secure before releasing it to Joe User. And again, CRN didn’t measure the effect of these exploits, which ignores a big piece of the overall security overhaul in Vista. 

The final thing I would add as important context is that they clearly compared Windows Vista with Windows XP SP2 – a release that was a specially focused project to improve the security on Windows XP.  (I wonder how the comparison would go if they compared with Windows XP Gold?) 

Worst case, I take the CRN review more as a pat on the back for Windows XP SP2 security than as a black eye for Windows Vista, but as an extensive user of both, and based upon security alone, I would never give up Windows Vista and the ability to:

  • Use bitlocker to mitigate my risk for stolen laptops/hard drives
  • Set parental controls for my children and ensure they have a safer computing experience
  • Protect my PC from annoying additions to my “startup” with Windows Defender (among other things)
  • Have all of my users run as non-admin by default via UAC capabilities
  • Have a easy-to-use periodic backup method that, once configured, just does the job of backing up my important stuff

Regards ~ Jeff

About the Author
Jeff Jones

Principal Cybersecurity Strategist

Jeff Jones a 27-year security industry professional that has spent the last decade at Microsoft working with enterprise CSOs and Microsoft's internal teams to drive practical and measurable security improvements into Microsoft products and services. Additionally, Jeff analyzes vulnerability trends Read more »