Nor, said Pescatore, should all of Microsoft's conclusions be taken as gospel. "Patch events," which both Jones and Wilson cited, is a good example.
According to Microsoft, patch events is the number of times a company has to activate its patch management process because a vendor has issued a security update. Jones, for example, contrasted Vista's 9 patch events in its first 12 months with XP's 26, although as he acknowledged, XP's events were spread across more days because Microsoft had not yet moved to a monthly patch schedule.
"Patch events don't take into account the days spent making sure an enterprise's applications will work once a patch is deployed," countered Pescatore.
And just as a vulnerability on one OS shouldn't be equated with one on a different OS, patch events aren't comparable, either. "It's a fact that when 'Patch Tuesday' comes around and there are critical Windows patches, you have to start calling overtime. With other products, [those patches] can wait until the end of the month," Pescatore said.
But while he questioned some aspects of Jones' report too, nCircle's Storms gave Microsoft an "A" for effort. "It's worth Microsoft's time to do this, and talk about Vista like this, on a marketing level and on a public relations level. They've come leaps and bounds in communicating [about security] with the public.
"They're actually putting together numbers and releasing them," Pescatore said. "That's hard to find among OS vendors."
Jones' report can be downloaded as a PDF from the Microsoft site.