January 2007 - Operating System Vulnerability Scorecard
Tue, 2007-02-27 20:51
Topic(s):

Starting today, I plan on posting a monthly vulnerability scorecard for common server and workstation Operating System (OS) products.  I’m going to keep these scorecards pretty clean of discussion, but you can review my methodology, sources and assumptions on this page.  When folks have interesting feedback, comments or questions, I’ll consider starting separate posts for discussion and those can become references for future scorecards.

For workstation OSes, the product vulnerabilities analyzed include those applying to Windows Vista, Windows XP SP2, a subset of Red Hat Enterprise Linux 4 WS (rhel4ws), a subset of Ubuntu 6.06 LTS, and Mac OS X v10.  For server OSes, the product vulnerabilities analyzed include those applying to Windows Server 2003, a subset of Red Hat Enterprise Linux 4 AS (rhel4as), and Sun Solaris 10.  Note that the analysis for the Linux distributions excludes many optional packages in order to define more comparable product builds.  See Methodology, Sources and Assumptions for more details.

For each of the server and workstation OSes, the charts use a stacked bar chart with the highest severity vulnerabilities on the bottom and the lowest severity on the top.  This allows an easy visual comparison for readers who want to compare only High severity, or High + Medium severity, and exclude lower severity vulnerabilities from the comparison.
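The counting behind such a chart is simple but easy to get subtly wrong (window boundaries, products with no issues at one severity, unknown severity labels). The following is an added example, not code from the original post or from the author's methodology page; it aggregates a constructed list of advisories into per-product, per-severity counts for a date window and then derives the three cumulative views the stacked chart supports (High, High + Medium, Total). The product names mirror those in the post, but every record and every count is made up for illustration.

```python
from datetime import date

# Severity order used by the charts: highest severity first (bottom of the stack).
SEVERITY_ORDER = ("High", "Medium", "Low")

# Constructed sample advisories (product, severity, date fixed). These are
# illustrative records only, not real advisories and not the post's data.
SAMPLE_ADVISORIES = [
    ("Windows XP SP2", "High", date(2006, 12, 12)),
    ("Windows XP SP2", "Medium", date(2007, 1, 9)),
    ("rhel4ws", "High", date(2006, 11, 20)),
    ("rhel4ws", "High", date(2007, 1, 15)),
    ("rhel4ws", "Low", date(2007, 1, 22)),
    ("rhel4ws", "Medium", date(2006, 10, 30)),  # before the window: must be dropped
    ("Ubuntu 6.06 LTS", "Medium", date(2006, 12, 1)),
    ("Ubuntu 6.06 LTS", "Low", date(2007, 1, 3)),
    ("Ubuntu 6.06 LTS", "Low", date(2007, 1, 30)),
]


def scorecard(advisories, start, end):
    """Count fixed vulnerabilities per product and severity within [start, end].

    Returns {product: {"High": n, "Medium": n, "Low": n}}. Every severity key
    is always present so a product with zero Low issues still stacks cleanly,
    and an unrecognised severity label raises rather than being silently lost.
    """
    counts = {}
    for product, severity, fixed_on in advisories:
        if severity not in SEVERITY_ORDER:
            raise ValueError(f"unknown severity {severity!r} for {product}")
        if not (start <= fixed_on <= end):
            continue
        per_product = counts.setdefault(product, dict.fromkeys(SEVERITY_ORDER, 0))
        per_product[severity] += 1
    return counts


def cumulative_views(card):
    """Derive the comparisons the stacked chart allows: High only,
    High + Medium, and the full total, for each product."""
    views = {}
    for product, sev in card.items():
        high = sev["High"]
        high_med = high + sev["Medium"]
        views[product] = {
            "High": high,
            "High+Medium": high_med,
            "Total": high_med + sev["Low"],
        }
    return views


def rank_by(views, key):
    """Products ordered by one cumulative view, fewest issues first;
    ties are broken by product name so the order is deterministic."""
    return sorted(views, key=lambda p: (views[p][key], p))


if __name__ == "__main__":
    three_month = scorecard(SAMPLE_ADVISORIES, date(2006, 11, 1), date(2007, 1, 31))
    for product, view in cumulative_views(three_month).items():
        print(f"{product:16} {view}")
```

The same `scorecard` call with a January-only window produces the year-to-date view; the only thing that changes between the two charts is the date range, which is why the window boundaries deserve the explicit inclusive check above.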

Workstation OS Vulnerability Charts

By workstation OS, I mean an operating system product that forms the basis for a computer user's normal day-to-day computer-based activity, comparable to Windows XP or Mac OS X, including a graphical windowing system and Internet browser, but excluding higher level applications such as Word, Excel or PowerPoint (which do not ship with Windows).

The first chart represents the total High, Medium and Low severity issues fixed for the various products over the past 3 months, ending in January 2007. Note that Windows Vista has only been available to business customers for 2 of those 3 months, having been released at the end of November. Examining the 3-month chart, we see that the Windows OS had the lowest number of total and High severity vulnerabilities fixed.

Workstation OS - 3 Month Vuln Scorecard : Nov06 - Jan07

Next to get a view of 2007 year-to-date, we have a chart that just includes the vulnerabilities fixed for the products during January 2007. (In the next scorecard post, it will include January and February)

Workstation OS - YTD Vuln Scorecard : Jan07

The results are largely self-explanatory, but I will note that for those that contend the Low severity issues for a product might not matter, one can exclude either the green or green and yellow portions as desired.

Server OS Vulnerability Charts

For server OSes, I am considering products that form the basis for a server in the network that would not typically be a day-to-day workstation for an individual user.  This means that, where possible, it is assumed that an administrator would choose not to install optional components like the graphical windowing system, Internet browser and so on.  On Windows Server 2003, those components are counted, since the user does not have an option to not install them.

Examining the 3-month chart, we see that, as with the workstations, the Windows platform has had to fix fewer total and fewer High severity issues than the other platforms.

Server OS - 3 Month Vuln Scorecard : Nov06 - Jan07

Next, looking at how 2007 is starting off for Server OSes, we see results similar to the 3-month view, but without the smoothing that a longer period provides to cumulative totals.

Server OS - YTD Vuln Scorecard : Jan07

Vulnerability != Risk

Security professionals will correctly note that vulnerabilities represent only part of the security picture; the risk equation also needs an understanding of the potential threats and the value of the information at risk.  However, the number and skill of attackers are elements largely outside a vendor's control.  Vulnerabilities, on the other hand, are a factor that vendors can influence directly by investing in process, testing and other quality assurance (QA) practices to reduce bugs and raise the quality of shipping products.

To put it into user terms, imagine that you are a CSO tasked with protecting some valuable information on a company server.  You assume that the information is the target and that potential attackers will attempt to attack whichever platform you select to host it.  In that case, the threat and the value of the information are fixed, and the risk equation depends primarily on the vulnerability of the system you select (until you implement further mitigating actions).

Regards ~ Jeff

Reader Feedback
Tue, 2007-06-19 09:11
At face value interesting argument

(Since there appears to be an issue with some replies this is a duplicate. Hell I've got no better work to do.)

Couple of comments:

1. Unless I missed it there isn't an account of class or severity of vuln. It is debatable whether a DoS vuln should be treated differently to a remote execution vuln but I suspect it will make a difference to the numbers.

2. An OpSys is useless on its own. The REALLY interesting comparison would be between Windows/IIS/SQL-S/.Net and LAMP.

