eWeek Microsoft Watch
February 28, 2007 5:08 PM

Is Symantec's Vista Security Assessment Credible?
For years, security software vendors have made a fat living off Microsoft's mistakes. Security vulnerabilities—and the fear of them—have kept some software developers in the money. So, is it any wonder that Symantec is tearing into Vista security?

Today, Symantec released a research paper, "Security Implications of Windows Vista," that raises some questions about the operating system's newfangled safety features.

Even Microsoft is making concessions. The company now acknowledges that UAC (User Account Control)—Vista's most profile security feature—is vulnerable to subversion, particularly through social-engineering tactics.

Microsoft concessions are one thing; Symantec assessments are another. If Microsoft improves security, whether within the operating system or by releasing its own security products, some software developers are potentially looking at leaner times. Such a circumstance would seem to undercut anything Symantec might have to say about Vista security.

"The Symantec research on Vista is very well written and researched; these aren't FUD [fear, uncertainty and doubt] pieces," said Andrew Jaquith, Yankee Group's program manager for Security Research. "But it's also clear that Symantec is engaging in 'opposition research.'"

While Symantec may also be trying to educate customers, "the primary reason is to show that their products still have relevance in the new world of Vista," Jaquith emphasized.

My colleague Jim Rapoza aptly describes the relationship of security vendors to Microsoft as "the Lion and the mice."

"Microsoft needs all the little mice around to remove thorns and generally take care of tasks that the lion can't take care of itself. And the mice get to live off the food that the lion gets," Jim explains. But those pesky mice "constantly live in fear that the lion will eat them or, in Microsoft's case, go into the software vendor's market and take it away from them."

The mice's fear is real with respect to security, because Microsoft is doing more than improving Windows security. The company is now a full-blown competitor in the consumer and business security markets with products like Forefront and Windows Live OneCare.

Microsoft the security competitor stands in a conflicted position, too. Surely, the company wants to put the best security perspective forward.

"Symantec's research is beneficial to customers because it is a useful corrective to Microsoft's security message," Jaquith said. While Vista security is improved over Windows XP, "it's useful to have an outside view of where the gaps are."

Brutally Honest
While the Symantec paper praises Vista security, its criticisms are brutal—for their clarity and foreboding:

"Many of the technologies that Microsoft has employed to bolster the security of Windows Vista are not new. In fact, most are derived from the groundwork originally laid by open-source operating systems such as Linux and OpenBSD, the PaX and Stackguard projects, as well as numerous academic publications. The majority of these technologies first appeared in Windows XP SP2 [Service Pack 2]. Windows XP SP2, at the time of its release, was also billed as the most secure version of Windows."

The report praises these earlier security enhancements as already having a positive impact on Windows security, perhaps to a fault.

"Symantec has seen an increase in the number of attacks that focus on the applications that run on top of the operating system, such as office productivity suites and Web browsers," according to the report. "While Microsoft has invested heavily in protecting the core operating system, attackers have already moved on."

The application-layer and Web-layer threat is one of the hottest topics in security. A Feb. 7 report, "Know Your Enemy: Web Application Threats," by the Honeynet Project, is one primer on the topic.

A surge in ActiveX and zero-day vulnerabilities is indicative of a trend. As more attacks focus on applications, Microsoft will need to shift its security busywork into new areas.

Similarly, Symantec has identified legitimate areas of Vista security concern, such as legacy applications, new networking features and UAC. Even the areas of improvement merely keep pace with criminals.

"Vista reduced the threat of malware by over 95 percent compared to XP," Jaquith said. "Although these results are good news, the Windows malware economy won't go down without a fight. Like a football team aiming at the opposition quarterback's weak knee, professional malware writers will find and exploit Vista vulnerabilities wherever they may be."

Security software developers like Symantec should still be able to grow fat off Microsoft's woes, for a while, anyway.

For now, Microsoft's security advances—whether in the operating system or in its own competing software—don't undercut the validity of Symantec's Vista assessment.

On the contrary, "Symantec's research broadly validates our view," Jaquith said.


Comments (13)

Roger :

"Vista's most profile security feature"

Come on Joe, read your copy before you post!

Neil :

Microsoft just cannot win with you, Joe, can they? First you go on about how insecure Vista is and how bad UAC is, and now you say that "A surge in ActiveX and zero-day vulnerabilities is indicative of a trend. As more attacks focus on applications, Microsoft will need to shift its security busywork into new areas."

You seem to be trying to have it both ways now!

Why are you so "anti" Microsoft, and why did you take on this job? Everyone who knows you says that you are this way. Article after article keeps on proving it.

If you hate Microsoft so much, why don't you work at "Linux Watch" instead? As can be seen from some of the commenters here, they are Linux people.

I am not for Microsoft per se, I am just a normal PC user, but your attitude really does amaze me.

Microsoft Watch used to report the facts; you delight in making up your own articles and/or posing questions that either Linux or Mac users jump at, so as to have a go at Microsoft.
If they deserve it... fine. But a lot of the time you are beating up stories, and it's not fine at all.

John :

Joe, as an independent writer, you should not endorse the claims published by Symantec and Yankee Group.

Symantec has lost its focus on the anti-virus business. Imagine an anti-virus company trying to sell Veritas. Bashing Microsoft's security is the last resort through which Symantec hopes to boost its market share with FUD.

Yankee Group is even worse; it is an IT gypsy who tries to predict the future with unfounded theories.

I would rather listen to credible vendors like F-Secure, Kaspersky and Sophos.

Again, Joe, do some homework and try to publish some quality comments and views in future.

amytan :

Joe, don't put all the blame on Microsoft. I would say that the best OS in the world is still susceptible to virus damage as the technologies of both anti-virus and anti-anti-virus improve and evolve.

I don't install any anti-virus on my home PC, for the sake of speed. With prudent and cautious surfing, my PC has not been infected by a virus so far.

Based on your assumption, to draw a parallel with road safety, everyone should be driving an armoured tank to avoid being hit.

Helenchoo :

Joe, based on your argument and to draw a parallel with road safety, everyone should then be driving an armoured tank to avoid being hit.

Microsoft should not be blamed solely for the security problem. As the technology of both anti-virus and anti-anti-virus improves and evolves, the fight is endless.

What is wrong with adopting methods published in the findings of academic publications?

What is wrong if Vista security is based on WinXP SP2? If the security of WinXP SP2 fails, then at least we can learn from the mistake.

It is better to learn to fall and get up rather than trying nothing at all.

Joe, you can't even master some basic advice given to kids on learning from experience... Poor Joe.

You should start to learn to crawl again

Andrew Jaquith :

John,

Yankee Group's research isn't connected to the documents Symantec published today. We have published no "claims" of the kind you suggest. Joe asked me for my comments on Symantec's materials, which I was happy to give.

Now, as for Yankee Group being a "gypsy," I don't know how to respond to that other than to express puzzlement that DRAT! our spell has been broken. Curses!

Seriously though, our job is to make sense of what's going on in technology markets -- in my case, security. We aren't reporters; by definition, we are always looking ahead. That is what our customers expect.

If you are a Yankee Group customer and would like to take me to task about something we've gotten wrong, call me. If you are not a Yankee Group customer, shoot me an e-mail and I'll send you a copy of some of our "unfounded theories" -- and you can judge for yourself. Fair?

Regards, Andrew

John :

Andrew,

I don't really think that Gartner, Yankee or Forrester provide accurate and unbiased recommendations and evaluations of current IT trends. They are just not up to the mark. They are vendor-supported whitepaper publishers only.

For example:
http://www.businessweek.com/the_thread/techbeat/archives/2005/04/the_truth_about_1.html

We all know that Laura DiDio of Yankee Group put a lot of good blessing on Microsoft products. She became famous when she claimed to have read through the Linux source code in the SCO Unix case, although she is neither a network engineer nor a programmer, but she started to write evaluations...

Only those IT-illiterate CIOs will study their reports, as they are too lazy to do their homework.

Why not arrange a debate between Laura and Joe, as they represent two extreme ends: Microsoft versus non-Microsoft?

textureglitch :

"Most secure Windows ever" is like saying "cleanest pile of dung ever". It doesn't really help to be more secure than the last version if security is still a joke.

One thing I fail to understand is Jaquith's claim that "Vista reduced the threat of malware by over 95 percent compared to XP."
Well... yeah. Vista broke all backwards compatibility, so obviously when testing with XP-targeted malware, I'm sure only 5% are Vista-compatible. But how does this tell us anything about what the Vista malware landscape will look like in 6 months or a year?
How does this claim give the reader anything but false expectations about Vista security?

Try the same test on just regular XP-compatible Windows applications and you'll pretty much get the same figure.

I agree that Symantec may be overhyping this for their own monetary gain, but honestly 'Windows' and 'security' don't even belong in the same sentence. All MS has been doing for ages is playing catch-up and patching flaws as they appear; they have been faaaar too busy creating encrypted DRM schemes to please Hollywood than to do anything to solve their own security problems, and I think Symantec et al. are pretty safe in pointing this out.
It's akin to predicting the sun will rise tomorrow.


And to poster amytan above,
"I would say that the best OS in the world is still susceptible to virus damage as technologies of both anti-virus and anti anti-virus improve and evolve"

Then please explain why Microsoft's OS seems to magically be the only one that's affected on a large scale by these things. It's a matter of degree here, Windows isn't just susceptible to viruses, it's UNBELIEVABLY susceptible to viruses. Don't even talk to me about 'enhanced Vista security' when the first 200 zero-day exploits are already selling to the highest bidder on the black market.

This evolution of virus and anti-virus technology of which you speak is completely, totally and solely a Microsoft problem. Ask yourself why they haven't been able to solve this problem in over a decade now.

John:

It sounds like your beef is with Laura, not with me. Laura is a colleague of mine, and we collaborate frequently. However, we cover different things and have our own perspectives on those things. That's the way it's supposed to work. It's your prerogative to make a broad statement about analyst firms because of somebody you clearly don't like. But I don't see how that helps your argument in this specific case.

textureglitch:

The 95% figure was a summary statistic based on data from the Symantec report ("Security Implications of Windows Vista"), page 11:

"'The results [of testing legacy XP malware samples] showed that 3 percent of backdoors can successfully execute and survive a system restart on Windows Vista without modification. Other categories include keyloggers, of which 4 percent can successfully execute and survive a system restart, mass mailers (4 percent), Trojans (2 percent), spyware (2 percent), and adware (2 percent)... As expected, no kernel-based rootkits were able to successfully install themselves. This can be attributed to the fact that a reduced set of privileges are used to run user applications by default.'"

Read it for yourself: http://www.symantec.com/avcenter/reference/Security_Implications_of_Windows_Vista.pdf

Because Symantec is, in fact, engaging in "opposition research" with these reports, it would be in their interest to show a high percentage of successful malware samples. That it isn't higher than a few percentage points for each class of malware suggests that the 95% figure I cited (which was, in my opinion, the hidden "headline" in the Symantec report) is a reasonable summary of Vista's effectiveness at blocking XP malware. To keep my comments simple, I spotted Microsoft a few percentage points and rounded to 95%.

Will Windows malware writers adapt? I agree with you that they will. That was the basis of the "weak knee" comment to Joe. In fact, we (Yankee Group) published a research report ("Microsoft's Vista Won't Stop the Windows Security Aftermarket") about a year ago making the exact same point.

William :

Makes you wonder if the security companies start employing some black hats... If you know what I mean.

Oh, and Neil, I think Joe likes to play devil's advocate. It would be a boring blog if all he did was say how great and wonderful Microsoft is. We already have a Paul Thurrott, and one SuperSite is enough. (I just know you would love that site, Neil.)

Sam :

Andrew:

I am glad that you have Ms. Laura DiDio as your colleague.

http://en.wikipedia.org/wiki/Laura_DiDio

textureglitch :

Wow. Laura DiDio sounds like a total jerk.

She's either willfully ignorant about all the companies making money from open source software, or she has an obvious agenda.

If she's living in the hypercapitalistic society she claims she is, then how does she explain the vast, vast amounts of money people donate willingly to charities?
There's nothing in it for them.

And what about universities disclosing all of their research results to everyone on the planet so that they can build on it and further human knowledge?
Certainly every Nobel Laureate must be the most stoned hippie in the world!

By her reasoning, science wouldn't exist in a capitalistic society. Now who's living in an 'alternate reality'?

Open source isn't even altruistic, it's just egocentric on a different level than proprietary software. When I contribute to an open source project, I directly benefit from it. And so does everyone else working on it.
The only difference is that the financial benefit is indirect.
You have to have a bigger perspective than Laura has to see that projects like Apache and Linux have benefitted every webhosting company directly and financially.

Jim Satterfield :

How any serious analyst can hold a software company responsible for the success of social engineering is beyond me. If you made something so secure that social engineering couldn't work I doubt the application or OS would be usable.

Ziff Davis Enterprise