Based upon Debian, Ubuntu has cool release names like “Warty Warthog”, “Hoary Hedgehog”, “Breezy Badger” and “Dapper Drake” and is certainly the current fair-haired Linux. Warty Warthog, aka Ubuntu 4.10, was the first release in October 2004. Dapper Drake, released on June 1 of this year, added Ubuntu to the ranks of Enterprise Linux with Ubuntu 6.06 LTS (Long Term Support), committing to supporting that “snapshot” of components for 3 years on the desktop version and 5 years on the server. In comparison, Red Hat and Novell both provide 7 years of security updates, but only to paying support customers. Ubuntu updates are free to paying and non-paying users.
So, how does Ubuntu Linux stack up after its first 90 days in customer hands? Let’s see… we’ll look at the security advisories on http://www.ubuntu.com/usn and see what can be seen.
Days til First Security Patch
Assume you deploy the product on the first day of availability – how long before you have to apply a security patch? Dapper Drake’s official GA date is June 1. It appears that Dapper users got seven patch-free days until June 8, when three security notices (usn-289, usn-290 and usn-291) addressed 7 vulnerabilities. 3 of those vulns were High severity and remotely exploitable, as rated by http://nvd.nist.gov. All 7 vulnerabilities had been publicly disclosed before the product was released. This brings us to another question – was that all of them? How many were public before release? First, let’s look at the basic totals.
Basic Vulnerability Counts
Between June 1 and September 1, Ubuntu released patches to address 93 unique vulnerabilities in Dapper Drake, averaging just over one per day. 36 of the vulnerabilities were rated High severity by NVD and 31 of the 36 were also remotely exploitable.
Next, I also calculated a Workload Vulnerability Index for the 90 day period, as defined by NIST and similar to that introduced by Mark Cox in the Red Hat RHEL4 Risk Report. I did use the NIST ratings rather than vendor ratings, which was necessary in this case since Ubuntu does not provide a severity rating. Translating vulnerabilities to a single VWI score for the 90 day period, we get ((36) + (19/5) + (38/20)) / 90, or a VWI score of 0.46 weighted vulnerabilities per day. Loosely, this translates as the equivalent of 1 High severity vulnerability every other day.
Publicly Disclosed before Release
Based upon the public disclosure dates for the 93 total vulnerabilities, 25 of them were already publicly disclosed before the GA of Dapper Drake. This indicates that the Ubuntu team does not have a policy of fixing all known security vulnerabilities before product release. This is consistent with other Linux vendors, as they all release products with known, disclosed vulnerabilities.
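The three measures used so far (days to first patch, the weighted per-day index, and vulnerabilities disclosed before GA) can be computed from a list of fix records, as in this added example, which is not part of the original post. The record layout, the `NOTICE-*`/`VULN-*` identifiers and the sample rows are constructed, and reading the formula's three terms as High, Medium and Low is an assumption.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import date, timedelta

# Weights from the post's formula (x1, /5, /20); mapping to High/Medium/Low is assumed.
WEIGHTS = {"high": 1.0, "medium": 1 / 5, "low": 1 / 20}

@dataclass(frozen=True)
class Fix:
    notice: str      # vendor notice id (constructed)
    vuln: str        # vulnerability id (constructed placeholder)
    severity: str    # NVD-style rating
    disclosed: date  # public disclosure date
    patched: date    # date the notice shipped

def workload_index(counts, days):
    """Weighted vulnerabilities per day over the measurement window."""
    unknown = set(counts) - set(WEIGHTS)
    if unknown:
        raise ValueError(f"unrated severities: {sorted(unknown)}")
    return sum(WEIGHTS[s] * n for s, n in counts.items()) / days

def first_window_metrics(fixes, ga, days=90):
    """Metrics for the first `days` after general availability (GA)."""
    earliest = {}  # one entry per vulnerability: several notices can list the same one
    for f in fixes:
        if f.vuln not in earliest or f.patched < earliest[f.vuln].patched:
            earliest[f.vuln] = f
    end = ga + timedelta(days=days)
    vulns = [f for f in earliest.values() if ga <= f.patched < end]
    counts = Counter(f.severity for f in vulns)
    first = min((f.patched for f in vulns), default=None)
    return {
        "unique": len(vulns),
        "by_severity": dict(counts),
        "days_to_first_patch": (first - ga).days if first else None,
        "disclosed_before_ga": sum(f.disclosed < ga for f in vulns),
        "workload_index": workload_index(counts, days),
    }

GA = date(2006, 6, 1)  # Dapper Drake GA date, from the post
SAMPLE = [  # constructed records, not real advisory data
    Fix("NOTICE-A", "VULN-1", "high", date(2006, 5, 20), date(2006, 6, 8)),
    Fix("NOTICE-A", "VULN-2", "medium", date(2006, 5, 25), date(2006, 6, 8)),
    Fix("NOTICE-B", "VULN-2", "medium", date(2006, 5, 25), date(2006, 6, 15)),
    Fix("NOTICE-C", "VULN-3", "low", date(2006, 7, 1), date(2006, 7, 10)),
    Fix("NOTICE-D", "VULN-4", "high", date(2006, 8, 1), date(2006, 8, 5)),
    Fix("NOTICE-E", "VULN-5", "high", date(2006, 9, 10), date(2006, 9, 20)),
]
```

Calling `first_window_metrics(SAMPLE, GA)` counts `VULN-2` once even though two notices list it, and drops `VULN-5` because its patch falls outside the 90 day window.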
So, how did Ubuntu do during their first 90 days? Compared to Linux leader Red Hat Enterprise Linux 4, they did pretty well – in fact, better in every category I could measure. Here is the final chart that shows Dapper Drake, RHEL 4 AS and Windows Server 2003 stats for their respective first 90 days of availability.
So, that gives us a peek at the first 90 days of 3 operating systems and various measures of how they did from a security vulnerability point of view.
Let me know how you interpret this data.
Regards ~ Jeff