After a year on the market, Vista has had fewer security vulnerabilities discovered than XP did in its first year. According to a post on the Windows Vista Security blog, Vista has had 36 fixed and 30 unfixed security vulnerabilities, compared to 68 fixed and 54 unfixed vulnerabilities in XP. Patches have been issued on 9 occasions so far with Vista, compared to 26 for XP.

The number of vulnerabilities is not the only thing that Microsoft is boasting about. Not only have there been fewer flaws, but those flaws have—according to Microsoft's own categorization—been less severe than those XP suffered. This is credited to Vista's "defense-in-depth" approach to security. Two features in particular are credited with the improvement: IE Protected Mode and User Account Control (UAC). Together, these mean that even when malicious code runs, it cannot do the damage that it would do on XP. 13 vulnerabilities had their impact assessment lowered by this extra protection: 12 by UAC, one by Protected Mode.

This apparent success might redress some of the criticisms that have been leveled at UAC. During Vista's beta period, it was widely derided as annoying and intrusive, and although it was streamlined a little for release (and will see further refinements in Service Pack 1), many still find it irritating enough to disable. Its ability to mitigate security vulnerabilities, however, means that the annoyance is a price worth paying. UAC doesn't make the security flaws disappear, but it does make them much safer. In the words of Austin Wilson, director of Windows Client Security Product Management and author of the blog post, "This is a great illustration of the importance of User Account Control and why we included it in the product".
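Since the mitigation only helps while the features are actually switched on, and the article notes that many users disable UAC, an administrator will want a quick way to confirm both are still enabled on a machine. The following PowerShell script is an added example, not code from the article or from Microsoft; it assumes PowerShell 3 or later and reads the registry values that Windows uses for these settings (`EnableLUA` under the `Policies\System` key for UAC, and value `2500` under Internet zone 3 for IE Protected Mode), which are taken from public Windows documentation rather than from the article.

```powershell
# Added example (not from the article): report whether the two Vista mitigations
# credited in the blog post, UAC and IE Protected Mode, are still enabled here.
# Registry locations are assumed from public Windows documentation.

function Get-UacStatus {
    # EnableLUA = 1 means UAC is on; 0 means it has been switched off entirely.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $props = Get-ItemProperty -Path $key -ErrorAction Stop
    [pscustomobject]@{
        Mitigation = 'User Account Control'
        Enabled    = ($props.EnableLUA -eq 1)
        Detail     = "EnableLUA=$($props.EnableLUA) ConsentPromptBehaviorAdmin=$($props.ConsentPromptBehaviorAdmin)"
    }
}

function Get-IeProtectedModeStatus {
    # Zone 3 is the Internet zone; value 2500 is "Turn on Protected Mode":
    # 0 = enabled, 3 = disabled. Protected Mode depends on UAC being on.
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    $value = if ($null -ne $props) { $props.'2500' } else { $null }
    [pscustomobject]@{
        Mitigation = 'IE Protected Mode (Internet zone)'
        Enabled    = ($value -eq 0)
        Detail     = "Zones\3\2500=$value"
    }
}

$results = @(Get-UacStatus; Get-IeProtectedModeStatus)
$results | Format-Table -AutoSize

# Exit non-zero when either mitigation is off, so the script can feed a
# compliance job or a login-script check rather than only printing a table.
if ($results | Where-Object { -not $_.Enabled }) { exit 1 } else { exit 0 }
```

The Protected Mode check reads the current user's hive, so it reports the setting for whoever runs the script; run it under each account of interest, or read the corresponding `HKLM` policy key if the setting is enforced by Group Policy.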

So it looks like Microsoft's commitment to security is paying off; Vista has fewer security flaws, and those flaws it does have are often mitigated by its new features. As Wilson wrote, "Windows Vista is proving to be the most secure version of the Windows to date."

Nonetheless, the reception Vista has received among corporate customers remains lukewarm. With fewer vulnerabilities and fewer patch events, Vista should be more attractive to those customers, so it is perhaps no surprise that the blog post contains a healthy dose of propaganda aimed at them. A report commissioned by Microsoft extols the TCO reductions that Vista can provide for mobile computer users—$251 a year in savings, if all the best practices are followed.

TCO savings are always welcome, but convincing enterprise IT departments to give up on tried and true Windows XP (and in many cases, Windows 2000) has proven to be a tough task. The "wait for SP1" mantra has long been a core tenet of Windows administration—with its improved security and SP1 just around the corner, Microsoft will be hoping that Vista will finally get the corporate buy-in it deserves.