Microsoft: Vista Least-Flawed OS
REDMOND, WA — Vista may be flawed, but at least it’s not as flawed as other operating systems. That’s Microsoft’s story anyway, and the company is sticking to it.
After completing an analysis of the patches and security updates Vista required during its first year on the market, Microsoft last week released a report in which Security Strategy Director Jeff Jones noted that Vista displayed fewer vulnerabilities than XP, Red Hat rhel4ws, Ubuntu 6.06 LTS, and Mac OS X 10.4 did in their first years. Vista required only 17 security patches and 36 vulnerability updates compared to XP’s 30 and 65, respectively, according to Jones. Thirty flaws remain on the workbench in Microsoft’s Trustworthy Computing division, compared to the 54 that remained at the end of XP’s first year, he wrote in the report.
The report also noted that Red Hat rhel4ws exhibited 360 flaws in its first year, Ubuntu 6.06 LTS exhibited 224 and Mac OS X 10.4 exhibited 116.
“The results of the analysis show that Windows Vista has an improved security vulnerability profile over its predecessor,” Jones wrote in the report. “Analysis of security updates also shows that Microsoft improvements to the security update process and development process have reduced the impact of security updates to Windows administrators significantly compared to its predecessor, Windows XP.”
However, measuring the security of operating systems requires more than just a simple comparison of relative exploitability, according to the founder of security consulting firm Securosis LLC.
Vulnerabilities “are only one factor in a risk measurement, and alone [aren’t] a true measure of risk,” Rich Mogull told CMP Media’s enterprise security e-zine Dark Reading. “That’s what drives this ‘my OS is better than your OS’ pissing-match garbage.
“I think a measure of vulnerabilities with criticality mapped to exploitability mapped to active exploits is a more interesting metric,” Mogull continued. The report indicates Vista “is quantitatively more secure, but not that it’s quantitatively less risky — what I call security versus safety. IT managers need to know the overall risk assessment, which includes that data as well as other information sources.”
He also conceded Microsoft’s “Trustworthy Computing Initiative has resulted in material improvements in the operating system, and other OS vendors should adopt similar practices.”
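The distinction Mogull draws between a raw vulnerability count and a metric that folds in criticality, exploitability and active exploitation can be shown with a small calculation. The following is an added example and not part of the article or of Jones’s report; the operating system names, vulnerability records and counts are constructed, and the scoring formula (criticality multiplied by assumed weights for "exploitable" and "actively exploited") is an assumption chosen only to illustrate how the two measures can rank the same systems differently.

```python
"""Raw vulnerability counts versus a risk-weighted score (added example).

All data below is constructed. The scoring formula is an assumption made for
illustration, not a published methodology.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass(frozen=True)
class Vuln:
    vuln_id: str               # constructed identifier, not a real CVE number
    criticality: int           # assumed 1 (low) .. 4 (critical) scale
    exploitable: bool          # a practical exploitation technique is known
    actively_exploited: bool   # exploitation has been observed in the wild


# Assumed multipliers: an exploitable flaw weighs more than a theoretical one,
# and a flaw under active exploitation weighs more still.
EXPLOITABLE_WEIGHT = 2.0
ACTIVE_WEIGHT = 4.0


def weighted_score(v: Vuln) -> float:
    """Criticality, scaled up when exploitable and again when actively exploited."""
    score = float(v.criticality)
    if v.exploitable:
        score *= EXPLOITABLE_WEIGHT
    if v.actively_exploited:
        score *= ACTIVE_WEIGHT
    return score


def raw_count(vulns: List[Vuln]) -> float:
    """The 'my OS has fewer flaws' metric: a plain count."""
    return float(len(vulns))


def risk_score(vulns: List[Vuln]) -> float:
    """The risk-oriented metric: sum of weighted scores."""
    return sum(weighted_score(v) for v in vulns)


def rank(inventory: Dict[str, List[Vuln]],
         metric: Callable[[List[Vuln]], float]) -> List[str]:
    """Return system names ordered from best (lowest metric) to worst."""
    return sorted(inventory, key=lambda name: metric(inventory[name]))


# Constructed inventory: os-a has few flaws, but they are severe and exploited;
# os-b has many flaws, all minor and unexploitable.
CONSTRUCTED = {
    "os-a": [
        Vuln("A-1", criticality=4, exploitable=True, actively_exploited=True),
        Vuln("A-2", criticality=4, exploitable=True, actively_exploited=False),
        Vuln("A-3", criticality=3, exploitable=True, actively_exploited=False),
    ],
    "os-b": [
        Vuln("B-%d" % i, criticality=1, exploitable=False, actively_exploited=False)
        for i in range(1, 11)
    ],
}


if __name__ == "__main__":
    for name, vulns in CONSTRUCTED.items():
        print(f"{name}: count={raw_count(vulns):.0f} risk={risk_score(vulns):.0f}")
    print("by raw count :", rank(CONSTRUCTED, raw_count))   # os-a looks better
    print("by risk score:", rank(CONSTRUCTED, risk_score))  # os-b looks better
```

With these inputs the count-based ranking puts os-a first (3 flaws versus 10) while the weighted ranking reverses it (46 versus 10), which is the "secure versus safe" gap the quote describes; in practice the weights would come from an organisation’s own severity scale and threat intelligence rather than the constants assumed here.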