For the March vulnerability scorecard, I have only two charts instead of four, since the past 3 months and the year-to-date time periods are identical.
Note that each of the Linux distributions analyzed do not include the full set of product components, as I went through a process to filter out optional and non-comparable components. For more details on assumption and methods, please read review my methodology, sources and assumptions on this page.
Links to previous scorecards:
- January 2007 - Operating System Vulnerability Scorecard
- February 2007 - Operating System Vulnerability Scorecard
For each of the server and workstation OSes, the charts use a stacked barchart with highest severity vulnerabilities on the bottom and lowest severity on the top. This allows an easy visual comparison if readers just want to compare just High severity, High + Medium severity, desiring to exclude lower severity vulnerabilities from comparison.
Workstation OS Vulnerability Charts
Workstation OS means an operating system product that forms the basis for a computer user's normal day-to-day computer-based activity, such as is comparable to Windows XP or Mac OS X, including a graphical windowing system and Internet browser, but excluding higher level applications such as Word, Excel or Powerpoint or equivalents.
The first chart represents the total High, Medium and Low severity issues fixed for the various products over the past 3 months, ending in March 2007. Examining the 3-month chart, we see that Windows Vista had the lowest number of total and High severity vulnerabilities fixed. Mac OS X, which had a low values on the February scorecard surged upward due to patches released in March.
Server OS Vulnerability Charts
For server OSes, I am considering products that form the basis for a server in the network that would not typically be a day-to-day workstation for an individual user. This means that, where possible, it is assumed that an administrator would choose not to install optional components like the graphical windowing system, Internet browser and so on. On Windows Server 2003, those components are counted, since the user does not have an option to not install them.
What's Not Covered
Security professionals will correctly note that vulnerabilities represent only part of the security picture, with the risk equation also needing an understanding of the potential threats and value of the information at risk. However, number and quality of attackers are elements largely orthogonal to factors that vendors have ability to influence. Vulnerabilities, on the other hand, are a factor that vendors can influence directly by investing in process, testing and other best practice Q&A techniques to reduce bugs and raise quality of shipping products.
To put it into user terms, imagine that you are a CSO tasked with protecting some valuable company information on a company server. You assume that the information is the target and that potential attackers will attempt to attack whichever platform you select to host the information. In that case, the threat and value of the information is fixed, and the risk equation depends primarily on the vulnerability of the system you select (until you implement further mitigating actions).
Additionally, some folks have pointed out correctly that to get a full picture of vulnerabilities, one also has to look at disclosed issues that have not yet been fixed - as I did in my Windows Vista - 90 Day Vulnerability Report. This is true. However, since disclosed, but unfixed issues are harder to keep up-to-date accurately (until a vendor acknowledges the issue with a fix), I will begin publishing a separate, less frequent scorecard specifically for that metric over past periods.
Regards ~ Jeff
