Microsoft has flatly rejected claims that Vista is as vulnerable to security flaws as the eight year-old Windows 2000.
Last week, security vendor PC Tools came up with figures for the relative numbers of vulnerabilities suffered by Windows 2000, XP and Vista, using reports from its ThreatFire user base. XP came top for vulnerabilities, suffering 1,021 over the last half year or so, with Windows 2000 on 586, and Vista on 639.
According to a new blog by Microsoft's Austin Wilson, the company's own figures for Vista compiled from its Malicious Software Removal Tool (MSRT), the tool cleaned malware from 44 percent fewer Vista systems than from Windows 2000 SP4 PCs, and encountered 77 percent fewer infections than on Windows 2000 running SP3.
The figures for XP were similar, with Vista systems being found to be infected 60.5 percent less often.
"Recently there have been some questions raised about the susceptibility of Windows Vista to malware - specifically, that it's more susceptible to malware than Windows 2000. I'd like to show why we reject that claim," writes Austin, himself and experienced engineer and author.
Note, however, that the two companies use different measurements, with Microsoft counting real infections, and PC Tools counting software vulnerabilities, which might or might not have been exploited. PC Tools' figures were per 1,000 machines while Microsoft's figures refer only to the fact that they were culled between June to December 2007 and based on "450 million executions of the Malicious Software Removal Tool (MSRT) every month."
Which is the more meaningful of the two depends on how you interpret the figures. Real infections gives an idea of an operating system's vulnerability at a specific point in time, but does not take account of user behaviour or what protection systems were in place, both important qualifications. Vulnerabilities tell the world more about the security-mindedness of programmers writing for a platform.
So both sets of figures are probably no more than indicative that all three platforms have a problem, that perhaps Vista has fewer users, and is too new to have suffered the same level of vulnerabilities. Equally, Vista is likely to be better than 2000 or XP relative to the same types of threats because it would be hard for it to be worse than two obsolete or near-obsolete operating systems.