Security Makes Crummy Case for Windows 7 Migration

August 18, 2010. By David
Grazed from Internet Evolution. Author: Sean Gallagher.

On August 10, Microsoft Corp. (Nasdaq: MSFT) issued its biggest-ever set of “Patch Tuesday” security bulletins and fixes. Redmond posted 14 new bulletins, in addition to the bulletin posted August 2 after another vulnerability became public.

The good news is that only one of the vulnerabilities (nine of which were rated critical) was public knowledge before Microsoft released the fixes. But there is something interesting about the nature of the vulnerabilities announced in August's 15 alerts: the majority of them affected nearly all of the currently supported desktop and server operating systems from Microsoft, including Windows 7.

That would be the same Windows 7 that Microsoft has been doggedly trying to convince business users to move to because of its improved security. But it turns out that Windows 7 isn’t all that much more secure than Windows XP and may even be less secure than the most up-to-date service pack of Windows Vista.

Among the 13 security bulletins that applied to Microsoft's currently supported operating systems, 11 affected every supported version of Windows, including Windows 7. One was restricted to Windows XP and Windows Server 2003: a flaw in the MP3 audio codec that could be exploited to execute code remotely. Another, a flaw in Windows Movie Maker, was limited to XP and Vista.

To be fair, Windows 7 has had fewer critical vulnerabilities reported since its release than Windows XP. And one of the roughly three dozen vulnerabilities uncovered in this batch was in a legacy codec that Windows still carries for Cinepak video. But at the same time, the widespread nature of the other vulnerabilities demonstrates just how little some of the core pieces of Windows have changed since XP.

There is not yet a lot of overall security data for Windows 7 to go on. But Microsoft's last Security Intelligence Report, based on data ending in December 2009, found that the malware infection rate for systems running Windows 7 was actually higher than that of systems running Windows Vista SP2: 2.8 infected systems per thousand executions of Microsoft's Malicious Software Removal Tool, versus 2.2. Windows 7's infection rate was, however, lower than that of Windows XP Service Pack 3 by a bit more than half.

As with all statistics, these figures mask some underlying realities. The installed base of Windows XP is much larger, and those systems have, on average, been exposed to "the wild" for far longer than any system running Windows 7, so the probability of their having encountered malicious software is much higher.

There are a lot of good reasons to look at moving to Windows 7. But there are just as many reasons most businesses are still running Windows XP. The cost of migration, compatibility problems with some software, and the investment already made in training users and support staff on the current operating system add far more to the total cost of ownership of a Windows upgrade than a 0.4 percent difference in detected system infections can justify.

And when the vulnerabilities being found in the new operating system are the same ones being found in operating systems that users and hackers have been beating on for almost a decade, that prompts the question: exactly how much additional security do you get for the cost of upgrading not just your operating system, but potentially many of your enterprise applications as well?

Personally, I’m using Windows 7 for productivity reasons (and because it came installed on my newer systems). But I don’t have any illusions of it being any more secure on its own than XP or Vista — unless by “more secure,” you mean “fewer system crashes.”