You have to expect that Microsoft will bang its own drum in its twice-yearly Security Intelligence Report based partly on figures from its monthly Patch Tuesday updates, which apparently always scan your working memory for malware, notifying you of any it finds and harvesting threat data from hundreds of millions of machines a month. You'd also expect hard-bitten hacks to have their bullshit detectors set to hair-trigger when they report it.

But given the flak Vista has received, and the popular view that XP Rules OK, we are bound to report that the much-maligned later version of Windows emerges as a lot more secure.

Of browser-based attacks targeting XP machines in the second half of 2008, 40 percent exploited Microsoft vulnerabilities and 60 percent third-party software; on Vista machines, just 5.5 percent targeted Microsoft software and 94.5 percent third-party software (including Apple's Quicktime). The implication being that properly coded Vista applications are harder to exploit.

In fact operating system exploits  account for only 8.8 percent of the total, including non-Microsoft products; browser based vulnerabilities account for 4.5 percent and the rest stem from application software. This is reminiscent of Microsoft's oft-repeated complaint that it is forever getting blamed for the malfunctions of third-party programs and (especially) drivers.

The headline news is the rise of scareware which warns of non-existent threats in order to con you into downloading rogue code. One interpretation of this is that  cybercriminals are finding it easier to target human rather than computer vulnerabilities.

Human vulnerabilities include the failure to have automatic updates switched on. More than nine in ten attacks on Microsoft Office exploited a flaw for which a patch had been available for more than two years; in the case of Office 2000, every single attack affected people still running the original version without updates.

There has also been a significant increase in attacks exploited documents using Adobe's .pdf format.

Cliff Evans, head of security and privacy at Microsoft UK, said it is more important than ever for people to keep their anti-malware software up to date and enable automatic updates where possible.

Microsoft is discontinuing its own OneCare security product at the end of June and will release a new free product codenamed Morro later this year. This will have some elements of OneCare and others may be subsumed into the operating system says Evans.

One question hanging over the industry is whether Apple and Linux machines will get targeted more by malware as their user numbers increase. Apple's Safari browser was cracked in two minutes by a contestant in a hacking competition in Canada recently. Firefox and Explorer were cracked too but it shows Mac users can't afford to be smug.

Evans said he believes Vista is in many ways more secure than the MacOS but more potential for attacks on Windows machines because there are more of them. Windows is also better supplied with a patching infrastructure and anti-malware products.

He added: "I know some people argue that there is security in obscurity, that the more obscure the product you use the less likely you are to get hit; but I don't think that is going to take you very far."

Incidentally Evans tells me something I didn't know before... that Microsoft has a free helpline for users hit by malware. Well, sort of free: it's on 0870 6010100, which can cost you up to 10p a minute with some telcos. though BT includes it in its free-call packages.