July 2007 – Operating System Vulnerability Scorecard

Summer and work travel have really had an impact, and I've missed a couple of months of scorecards, so last weekend I decided to dig in and catch up to July. I hit a few road bumps:

  • Sun changed their Security Alerts web site, making it a bit more challenging to collect their data. I gave up for now, but will try to add them back in subsequent scorecards.
  • Novell, in a similar but different move, created a new psdb page for their Enterprise Linux v10 SP1 products. At first, I thought they had not released any patches since mid-June. Nope. Let me give you details. If you want to see:

In addition, I wanted to add in the Red Hat EL 5 versions of client and server, since they’ve been available for over 3 months now, and that took some time as well.  Anyway, back in action now.

Here are the sections for this month:

  1. Year-to-date 2007 Client and Server charts for all vulnerabilities for
     • all shipping components of the products
  2. May – July 2007 Client and Server charts for all vulnerabilities for
     • all shipping components of the products
  3. Year-to-date 2007 Client and Server charts for vulnerabilities for
     • all shipping components of the non-Linux products
     • reduced set of components for the Linux products
  4. May – July 2007 Client and Server charts for vulnerabilities for
     • all shipping components of the non-Linux products
     • reduced set of components for the Linux products

Comments on the July Charts

When I started doing these scorecards, I did two variations, year-to-date and last-3-months, thinking that the latter would reflect short-term bursts of issues and that the former would give an overall view for the year that would incorporate the ups and downs.

Instead, the two versions of the charts look very similar except for the numbers and scale. This hints that whatever vulnerability disclosure and fix rate a product has, it is staying pretty consistent over time, at least in 2007.

The other thing I find a bit interesting is the Server charts that incorporate the reduced set of Linux packages. For those Linux server builds, I eliminated everything GUI, X11, Gnome and KDE-related, firefox, and all optional client-type application components, and just kept a minimalist server with the ability to serve web pages or act in a few other common server roles. In contrast, the Windows Server build includes every shipping component, including Internet Explorer, Media Player and similar stuff. I imagine that a lot of people would have expected a stripped-down Linux server to have, if not fewer total vulnerabilities, then fewer High severity vulnerabilities.

Finally, if I had one surprise in the charts, it was that I expected RHEL5 to be further distinguished from (i.e., much lower than) RHEL4 in the YTD charts, given that it did not ship until March.
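To make the counting method behind these charts concrete, here is an added example (my illustration, not code from the original post or from Jeff's actual scorecard tooling). It takes a constructed list of fixed vulnerabilities, applies the two time windows (year-to-date and the trailing May–July quarter) and the two component sets (full, and a reduced server set with GUI/X11/Gnome/KDE/firefox packages filtered out), and tallies the remainder by severity. The advisory records and the package-name prefixes used for filtering are assumptions made up for the example.

```python
from collections import Counter
from datetime import date

# Constructed sample advisories (not real data): one record per fixed vulnerability.
ADVISORIES = [
    {"date": date(2007, 2, 10), "component": "kernel",    "severity": "High"},
    {"date": date(2007, 3, 5),  "component": "firefox",   "severity": "High"},
    {"date": date(2007, 4, 20), "component": "xorg-x11",  "severity": "Medium"},
    {"date": date(2007, 5, 2),  "component": "httpd",     "severity": "High"},
    {"date": date(2007, 6, 14), "component": "gnome-vfs", "severity": "Low"},
    {"date": date(2007, 6, 30), "component": "openssh",   "severity": "Medium"},
    {"date": date(2007, 7, 22), "component": "kdelibs",   "severity": "High"},
    {"date": date(2007, 7, 25), "component": "bind",      "severity": "High"},
]

# Assumed package-name prefixes dropped for the "reduced" Linux server build
# (GUI, X11, Gnome, KDE, firefox and similar optional client-type components).
CLIENT_ONLY_PREFIXES = ("xorg", "gnome", "kde", "firefox", "gtk", "qt")

# The two windows a July scorecard compares: year-to-date and the trailing three months.
WINDOWS = {
    "YTD 2007":     (date(2007, 1, 1), date(2007, 7, 31)),
    "May-Jul 2007": (date(2007, 5, 1), date(2007, 7, 31)),
}

def is_server_component(name):
    """True for packages kept in the minimalist server build."""
    return not name.lower().startswith(CLIENT_ONLY_PREFIXES)

def count_by_severity(advisories, start, end, reduced=False):
    """Count vulnerabilities fixed within [start, end] by severity.
    With reduced=True, client-only components are filtered out first."""
    counts = Counter()
    for a in advisories:
        if not (start <= a["date"] <= end):
            continue
        if reduced and not is_server_component(a["component"]):
            continue
        counts[a["severity"]] += 1
    return dict(counts)

def scorecard(advisories, windows):
    """Build {(window_label, component_set): {severity: count}} for every window."""
    table = {}
    for label, (start, end) in windows.items():
        table[(label, "full")] = count_by_severity(advisories, start, end)
        table[(label, "reduced")] = count_by_severity(advisories, start, end, reduced=True)
    return table

if __name__ == "__main__":
    for (label, cset), counts in scorecard(ADVISORIES, WINDOWS).items():
        print(f"{label:13} {cset:8} {counts}")
```

With the constructed data, the reduced set drops every High from a GUI package, which is exactly the effect the Server charts below test against real advisory feeds.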


Year-to-date 2007 Client and Server Charts – Full Set of Supported Components

[Chart: Year-to-date 2007 Client vulnerabilities, full set of supported components]

* RHEL Desktop 5 shipped in March, so only represents vulns since then

[Chart: Year-to-date 2007 Server vulnerabilities, full set of supported components]

* RHEL 5 Advanced Server shipped in March, so only represents vulns since then

May – July 2007 Client and Server Charts – Full Set of Supported Components

[Chart: May – July 2007 Client vulnerabilities, full set of supported components]

[Chart: May – July 2007 Server vulnerabilities, full set of supported components]


Year-to-date 2007 Client and Server Charts – Reduced Set of Linux Packages

In this section and the next one, note that the Linux distributions analyzed do not include the full set of product components, as I went through a process to filter out optional and non-comparable components. For more details on assumptions and methods, please review my methodology, sources and assumptions on this page.

[Chart: Year-to-date 2007 Client vulnerabilities, reduced set of Linux packages]

[Chart: Year-to-date 2007 Server vulnerabilities, reduced set of Linux packages]

May – July 2007 Client and Server Charts – Reduced Set of Linux Packages

[Chart: May – July 2007 Client vulnerabilities, reduced set of Linux packages]

[Chart: May – July 2007 Server vulnerabilities, reduced set of Linux packages]

About the Author

Jeff Jones

Principal Cybersecurity Strategist

Jeff Jones is a 27-year security industry professional who has spent the last decade at Microsoft working with enterprise CSOs and Microsoft's internal teams to drive practical and measurable security improvements into Microsoft products and services. Additionally, Jeff analyzes vulnerability trends