US CERT has released its annual summary of vulnerabilities for 2005. Per their bulletin:
"There were 5198 reported vulnerabilities: 812 Windows operating system vulnerabilities; 2328 Unix/Linux operating vulnerabilities; and 2058 Multiple operating system vulnerabilities."
At first glance, one might conclude that Windows is more secure than Unix/Linux. Presented this way, however, the information is terribly misleading. I'm not going to dispute that conclusion, but simply argue that this data doesn't lead to it.
Start by looking at the list of *operating system* vulnerabilities:
Windows:
- 3Com 3CDaemon Multiple Remote Vulnerabilities
- 7-Zip Arbitrary Code Execution
- Acidcat CMS SQL Injection Vulnerability
- Adobe Acrobat and Reader File Discovery
Notice that none of these conditions are actually related to the Windows operating system. They are *application* vulnerabilities. The fact that these applications run only on Windows doesn't change the fact that they are not vulnerabilities in the operating system itself. The same issue applies to the Unix/Linux category:
- Apache Insecure Temporary File Creation
- Asterisk Voicemail Unauthorized Access
- Bugzilla Private Summary Disclosure or Flag Modification
I'm not saying that there aren't any OS vulnerabilities in these lists. They're there. I'm just disappointed at the lack of attention to detail in drawing conclusions on this data.
I hate to complain about something without offering an alternative. A better way to summarize this data would be:
- Add up the true OS vulnerabilities (Linux Kernel, DCOM, etc)
This one is fairly obvious. It's a valid data set, if you put the right data into it. There are a lot of people who seem to think that if the OS vendor distributes an application (IIS, MS Telnet, etc.), then a flaw in it is an OS vulnerability, but that's a different post.
- Take the OS-specific application vulnerabilities and figure them as a percentage of the total software available.
Simply adding up the number of OS-specific application vulns isn't particularly valid. The quantity of software available for each OS differs greatly and should be taken into account, so a percentage would be more accurate, e.g. 30% of Windows applications have vulnerabilities. The 'Unix/Linux' category is also far too broad. I think AIX, FreeBSD, and OpenVMS are sufficiently different as to not belong in the same category.
- For both categories, add the 'time to patch' information.
It would be interesting to see this vulnerability data along with the average time to deliver a patch.
Those three points of data are much more useful than the flawed summary provided by US CERT.
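To make the proposed summary concrete, here is an added example (not code from the original post or from US-CERT) that takes a small, constructed set of vulnerability records, separates true OS vulnerabilities from application vulnerabilities, computes the vulnerable-application percentage against a constructed count of available software per platform, and averages time to patch. The product names are the ones quoted above; the platform split, component labels, patch times and catalog sizes are all assumptions made up for the example.

```python
from dataclasses import dataclass
from statistics import mean
from typing import Optional


@dataclass(frozen=True)
class Vuln:
    """One entry from a US-CERT style summary (constructed sample data)."""
    product: str
    platform: str              # "Windows", "Linux", ... (no merged "Unix/Linux" bucket)
    component: str             # "os" for kernel/core OS, "app" for any application
    days_to_patch: Optional[int]   # None if no patch had been released


# Constructed sample: product names come from the post, everything else is assumed.
SAMPLE = [
    Vuln("3Com 3CDaemon", "Windows", "app", 14),
    Vuln("7-Zip", "Windows", "app", 30),
    Vuln("Acidcat CMS", "Windows", "app", None),
    Vuln("Adobe Acrobat and Reader", "Windows", "app", 21),
    Vuln("DCOM", "Windows", "os", 45),
    Vuln("Apache", "Linux", "app", 7),
    Vuln("Asterisk", "Linux", "app", 10),
    Vuln("Bugzilla", "Linux", "app", 3),
    Vuln("Linux Kernel", "Linux", "os", 5),
    Vuln("Linux Kernel", "Linux", "os", 12),
]

# Assumed number of distinct applications available per platform (constructed).
INSTALLED_BASE = {"Windows": 40, "Linux": 50}


def raw_counts(vulns):
    """The US-CERT style summary: one bucket per platform, OS and apps mixed together."""
    counts = {}
    for v in vulns:
        counts[v.platform] = counts.get(v.platform, 0) + 1
    return counts


def summarize(vulns, installed_base):
    """The post's alternative: true OS vulns, % of apps with a vuln, average days to patch."""
    by_platform = {}
    for v in vulns:
        agg = by_platform.setdefault(
            v.platform, {"os": 0, "app_products": set(), "patch_days": []}
        )
        if v.component == "os":
            agg["os"] += 1
        else:
            # Count distinct products, not reports, so a chatty app doesn't inflate the figure.
            agg["app_products"].add(v.product)
        if v.days_to_patch is not None:
            agg["patch_days"].append(v.days_to_patch)

    out = {}
    for plat, agg in by_platform.items():
        total_apps = installed_base.get(plat)
        pct = round(100 * len(agg["app_products"]) / total_apps, 1) if total_apps else None
        out[plat] = {
            "os_vulns": agg["os"],
            "vulnerable_app_pct": pct,
            "avg_days_to_patch": round(mean(agg["patch_days"]), 1) if agg["patch_days"] else None,
        }
    return out


if __name__ == "__main__":
    print("raw:", raw_counts(SAMPLE))
    for plat, row in summarize(SAMPLE, INSTALLED_BASE).items():
        print(plat, row)
```

On this constructed data the raw count is a tie (5 and 5), while the split view shows one true OS vulnerability on Windows against two on Linux, a higher share of vulnerable applications on Windows, and a much longer average time to patch there; which of those three matters depends on the question being asked, which is exactly why the single merged number is unhelpful.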
Comments (1)
If I had my wish list, the second category would be further broken down in a few ways:
1. Commonly installed software vulnerabilities
Not OS-specific, but the most commonly installed applications regardless of OS platform: Acrobat Reader, MS Office, Open Office, Notes, etc. This gives a good view of how well the "Top X" development labs are doing.
2. By application type
Allow you to compare apples to apples in the product spaces. Which browser had most vulns (no brainer). But which Blogging software, or discussion group had the most vulns? Which shopping cart program had the fewest?
3. Add the applications which have had 0 (zero) known vulnerabilities.
This should be just as important as who is the crappiest programmer - especially if it's a widely used app.
I'm sure I could come up with a truckload more ways to analyze the data.
One of the most frustrating things about data analysis is that until you actually look at it in a different way, you can't truly determine if there is value in looking at it in that manner.
Posted by Gord Taylor | January 5, 2006 11:25 AM