Microsoft is taking steps to improve its security model with each subsequent release of Windows. However, its support for backward compatibility and legacy code holds it back from setting the highest possible security settings as defaults. Not to mention, some things are just limited by design, like ASLR on 32-bit being weaker compared to 64-bit. This research focuses on Microsoft's own products, but if one includes 3rd-party software, things become even messier, as some ISVs still have yet to adopt mitigation techniques. Fortunately, those who are keen on Windows hardening can change and tighten settings like ASLR, DEP and IE EPM within Windows itself, and tools like EMET provide even more useful security features not yet baked into the OS. Far from perfect, but coupled with updates, things are better than they used to be.

Related:
http://www.welivesecurity.com/2014/02/11/windows-exploitation-in-2013/
http://www.welivesecurity.com/2013/12/13/exploit-protection-for-microsoft-windows/
http://blogs.microsoft.com/cybertrust/2010/09/21/isv-adoption-of-mitigation-technologies/
http://www.zdnet.com/article/report...rograms-responsible-for-most-vulnerabilities/
http://www.av-test.org/en/news/news-single-view/adobe-java-make-windows-insecure/
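The post says a keen user can tighten ASLR, DEP and IE EPM from within Windows itself. The script below is an added example (not from the post or any of the linked articles) that audits those three settings and, with -Harden, tightens them. It assumes a build with the Get-/Set-ProcessMitigation cmdlets (Windows 10 1709+ / Server 2019+, the built-in successor to EMET; older builds only have the bcdedit and registry parts), an elevated prompt (bcdedit /enum needs one), the IE registry values Isolation and Isolation64Bit under HKCU\Software\Microsoft\Internet Explorer\Main, and the Dep/Aslr property names as the cmdlet displays them. The function names Get-HardeningState and Invoke-Hardening are this example's own.

```powershell
<#
  Added example, not part of the original post or any linked article.
  Audits (and with -Harden, tightens) the three settings the post mentions:
  system DEP policy, system-wide ASLR, and IE Enhanced Protected Mode (EPM).
  Assumptions: Windows 10 1709+ / Server 2019+ for Get-/Set-ProcessMitigation;
  an elevated prompt; the Isolation / Isolation64Bit registry values for IE EPM.
#>
[CmdletBinding()]
param([switch]$Harden)

$IeMain = 'HKCU:\Software\Microsoft\Internet Explorer\Main'

function Get-HardeningState {
    # DEP boot policy: OptIn (client default), OptOut, AlwaysOn or AlwaysOff.
    $nxLine = bcdedit /enum '{current}' | Select-String '^\s*nx\s+(\S+)'
    $nx = if ($nxLine) { $nxLine.Matches[0].Groups[1].Value } else { 'OptIn (default, not explicitly set)' }

    # System-wide process mitigations; each option reports ON, OFF or NOTSET.
    $sys = Get-ProcessMitigation -System

    # IE EPM: Isolation=PMEM turns EPM on; Isolation64Bit=1 runs 64-bit tab
    # processes, which is where the stronger 64-bit ASLR the post mentions applies.
    $ie = Get-ItemProperty -Path $IeMain -Name Isolation, Isolation64Bit -ErrorAction SilentlyContinue

    [PSCustomObject]@{
        DepBootPolicy     = $nx
        DepSystem         = $sys.Dep.Enable
        AslrBottomUp      = $sys.Aslr.BottomUp
        AslrHighEntropy   = $sys.Aslr.HighEntropy
        AslrForceRelocate = $sys.Aslr.ForceRelocateImages
        IeEpmEnabled      = ($ie.Isolation -eq 'PMEM')
        IeEpm64BitTabs    = ($ie.Isolation64Bit -eq 1)
    }
}

function Invoke-Hardening {
    # DEP for every process; anything that genuinely needs an exception must be
    # opted out individually rather than weakening the global policy.
    bcdedit /set '{current}' nx AlwaysOn | Out-Null

    # Bottom-up randomisation and high-entropy (64-bit) ASLR are low-risk defaults.
    # ForceRelocateImages (mandatory ASLR for images built without /DYNAMICBASE) is
    # exactly the backward-compatibility breaker the post describes, so it is left
    # out here; apply it per executable with Set-ProcessMitigation -Name <exe>.
    Set-ProcessMitigation -System -Enable DEP, BottomUp, HighEntropy

    if (-not (Test-Path $IeMain)) { New-Item -Path $IeMain -Force | Out-Null }
    Set-ItemProperty -Path $IeMain -Name Isolation      -Value 'PMEM' -Type String
    Set-ItemProperty -Path $IeMain -Name Isolation64Bit -Value 1      -Type DWord
}

if ($Harden) { Invoke-Hardening }
Get-HardeningState | Format-List
```

Run it once without -Harden to see the current state, then with -Harden from an elevated prompt; the DEP boot policy only takes effect after a reboot, and the IE values are per-user, so repeat the registry part (or deploy it by policy) for each account that uses IE.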