Some Custom Analysis for Robert Vamosi on Secunia Unpatched Data
Wed, 2007-07-11 01:05

Back on March 23rd, Robert Vamosi, on his CNET blog, wrote a blog post in response to my Windows Vista - 6 Month Vulnerability Report, called Is Windows Vista the most secure operating system?

Very reasonably, Robert wants to check my report analysis against an independent source, and says: "Another way to look at the relative security of an operating system is to consult an independent source. We frequently cite vulnerability statistics from security vendor Secunia."

Robert proceeds to quote the "unpatched" numbers for Windows Vista, Windows XP, Sun Solaris, Mac OS X, and Ubuntu (Linux), citing the numbers from Secunia.

If you clicked on the link in the article on March 23, you would have seen a little box similar to the one at the left (Secunia's unpatched box for Ubuntu 6.10).  I don't have an image of that box, but Mr Vamosi states that Ubuntu "scores a remarkable zero percent in unpatched vulnerabilities (0 of 61 Secunia advisories) over the lifetime of the product."

As you may have heard me say before, I understand why it is difficult for companies like Secunia to stay on top of disclosures for Linux distributions.  I am not criticizing them for falling short on a difficult job, or for not having the resources to keep track of 500+ distributions composed of variations of thousands of components.

I also think it is understandable why Robert Vamosi would go to the product page, see that box, and conclude that Ubuntu had a "remarkable" track record.  It is my opinion that many people would reach a similar conclusion.

The Unpatched Numbers for Ubuntu on March 23, 2007

However, having been involved in vulnerability analysis for a while, I believe the actual number of publicly disclosed but unpatched vulnerabilities in Ubuntu was a bit different from what Mr. Vamosi found, so I did some data gathering and analysis myself to see what I came up with.

Don't just take my word for this; here are the details and how I got them.  Please pick some individual examples and validate them yourself.  Normally, I don't track the versions for which vendors don't offer long-term/Enterprise support, but Mr. Vamosi's link pointed to Ubuntu Linux 6.10, so I've accumulated the data to look at the same version instead of 6.06 LTS.  Here are the steps:

1.  Look at each security advisory on http://www.ubuntu.com/usn.  For the ones that affect Ubuntu 6.10, extract the list of vulnerabilities listed by CVE number and note the date when the advisory was issued. 

2.  For each vulnerability in the list, look at the entry on http://nvd.nist.gov and follow each reference to determine when the vulnerability was first disclosed.  As a cross-check, you can check the disclosure dates maintained by Red Hat's Mark Cox at http://people.redhat.com/mjc/cve_dates.txt.

3.  Look for the vulnerabilities that were disclosed prior to March 23, 2007, but fixed after that date.

Here is the list that I came up with (High 8, Medium 6, Low 15):

29 vulnerabilities disclosed before 3/23/2007 but unpatched until later
CVE-2007-0006 [severity=Low] disclosed on 12/21/2006 but not fixed until 4/10/2007 (usn-451-1)
CVE-2007-0455 [severity=Low] disclosed on 1/26/2007 but not fixed until 6/11/2007 (usn-473-1)
CVE-2007-0958 [severity=Low] disclosed on 1/26/2007 but not fixed until 4/10/2007 (usn-451-1)
CVE-2007-1380 [severity=Low] disclosed on 2/14/2007 but not fixed until 4/27/2007 (usn-455-1)
CVE-2007-0772 [severity=Low] disclosed on 2/19/2007 but not fixed until 4/10/2007 (usn-451-1)
CVE-2007-1308 [severity=Low] disclosed on 3/5/2007 but not fixed until 3/28/2007 (usn-447-1)
CVE-2007-1375 [severity=Low] disclosed on 3/7/2007 but not fixed until 4/27/2007 (usn-455-1)
CVE-2007-1376 [severity=High] disclosed on 3/7/2007 but not fixed until 4/27/2007 (usn-455-1)
CVE-2007-1496 [severity=Low] disclosed on 3/7/2007 but not fixed until 5/23/2007 (usn-464-1)
CVE-2007-1497 [severity=High] disclosed on 3/7/2007 but not fixed until 5/23/2007 (usn-464-1)
CVE-2007-1388 [severity=Low] disclosed on 3/8/2007 but not fixed until 5/23/2007 (usn-464-1)
CVE-2007-1667 [severity=High] disclosed on 3/9/2007 but not fixed until 4/18/2007 (usn-453-1)
CVE-2007-1521 [severity=Medium] disclosed on 3/14/2007 but not fixed until 4/27/2007 (usn-455-1)
CVE-2007-1484 [severity=Medium] disclosed on 3/16/2007 but not fixed until 4/27/2007 (usn-455-1)
CVE-2007-1592 [severity=Low] disclosed on 3/16/2007 but not fixed until 5/23/2007 (usn-464-1)
CVE-2007-1543 [severity=High] disclosed on 3/19/2007 but not fixed until 3/28/2007 (usn-446-1)
CVE-2007-1544 [severity=Low] disclosed on 3/19/2007 but not fixed until 3/28/2007 (usn-446-1)
CVE-2007-1545 [severity=Low] disclosed on 3/19/2007 but not fixed until 3/28/2007 (usn-446-1)
CVE-2007-1546 [severity=Low] disclosed on 3/19/2007 but not fixed until 3/28/2007 (usn-446-1)
CVE-2007-1547 [severity=Low] disclosed on 3/19/2007 but not fixed until 3/28/2007 (usn-446-1)
CVE-2007-1583 [severity=Medium] disclosed on 3/19/2007 but not fixed until 4/27/2007 (usn-455-1)
CVE-2007-0238 [severity=High] disclosed on 3/20/2007 but not fixed until 3/27/2007 (usn-444-1)
CVE-2007-0239 [severity=High] disclosed on 3/20/2007 but not fixed until 3/27/2007 (usn-444-1)
CVE-2007-1560 [severity=Low] disclosed on 3/20/2007 but not fixed until 3/26/2007 (usn-441-1)
CVE-2007-0653 [severity=High] disclosed on 3/21/2007 but not fixed until 3/27/2007 (usn-445-1)
CVE-2007-0654 [severity=High] disclosed on 3/21/2007 but not fixed until 3/27/2007 (usn-445-1)
CVE-2007-1002 [severity=Medium] disclosed on 3/21/2007 but not fixed until 3/26/2007 (usn-442-1)
CVE-2007-1562 [severity=Medium] disclosed on 3/21/2007 but not fixed until 3/27/2007 (usn-443-1)
CVE-2007-1564 [severity=Medium] disclosed on 3/21/2007 but not fixed until 3/28/2007 (usn-447-1)

I anticipate that some readers will point out that about half of the vulns on this list were disclosed only a week or so before the 23rd.  Granted, no argument.  I'll happily just point to the other half, which makes the point just as well.  With any data source, it is very important to understand what it actually measures and to interpret it with caution.
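As an added example (not part of the original post), here is a small Python script that carries out step 3 of the procedure above over records written in the same one-line format as the list: it parses each line, keeps only the entries disclosed before a snapshot date but fixed after it, breaks them down by severity, and also counts how many had been public for more than a week, the split discussed in the previous paragraph. The records are a subset of the list above; the `grace_days` window and all function names are my own.

```python
import re
from collections import Counter
from datetime import date, timedelta

# Subset of the post's list, kept in the post's own one-line-per-CVE format.
RECORDS = """\
CVE-2007-0006 [severity=Low] disclosed on 12/21/2006 but not fixed until 4/10/2007 (usn-451-1)
CVE-2007-1376 [severity=High] disclosed on 3/7/2007 but not fixed until 4/27/2007 (usn-455-1)
CVE-2007-1667 [severity=High] disclosed on 3/9/2007 but not fixed until 4/18/2007 (usn-453-1)
CVE-2007-1521 [severity=Medium] disclosed on 3/14/2007 but not fixed until 4/27/2007 (usn-455-1)
CVE-2007-1543 [severity=High] disclosed on 3/19/2007 but not fixed until 3/28/2007 (usn-446-1)
CVE-2007-1560 [severity=Low] disclosed on 3/20/2007 but not fixed until 3/26/2007 (usn-441-1)
CVE-2007-1002 [severity=Medium] disclosed on 3/21/2007 but not fixed until 3/26/2007 (usn-442-1)
"""

LINE_RE = re.compile(
    r"(?P<cve>CVE-\d{4}-\d+) \[severity=(?P<sev>\w+)\] disclosed on (?P<disc>[\d/]+)"
    r" but not fixed until (?P<fix>[\d/]+) \((?P<usn>usn-[\d-]+)\)$"
)

def parse_mdy(text):
    # Dates in the list are US-style month/day/year.
    m, d, y = (int(part) for part in text.split("/"))
    return date(y, m, d)

def parse_records(text):
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised line: {line!r}")
        records.append({"cve": m["cve"], "severity": m["sev"], "usn": m["usn"],
                        "disclosed": parse_mdy(m["disc"]), "fixed": parse_mdy(m["fix"])})
    return records

def unpatched_at(records, snapshot):
    """Step 3: disclosed before the snapshot date but fixed only after it."""
    return [r for r in records if r["disclosed"] < snapshot < r["fixed"]]

def summarize(records, snapshot, grace_days=7):
    """Count what was publicly known and unfixed on `snapshot`, by severity,
    and how many of those had already been public for more than `grace_days`."""
    open_vulns = unpatched_at(records, snapshot)
    return {
        "total": len(open_vulns),
        "by_severity": dict(Counter(r["severity"] for r in open_vulns)),
        "older_than_grace": sum(1 for r in open_vulns
                                if snapshot - r["disclosed"] > timedelta(days=grace_days)),
    }
```

Running `summarize(parse_records(RECORDS), parse_mdy("3/23/2007"))` reproduces the post's snapshot for this subset; moving the snapshot a few days later shows how quickly the count changes, which is exactly why the date of a "0 unpatched" figure matters.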

Regards ~ Jeff

Reader Feedback
Tue, 2007-07-24 13:15
Security, by numbers
By el es

Hi.

For some reason the '6months report' blog entry does not accept my comments. Therefore I wish to reenter them here.

To start with, I'm not a security zealot. I know little about security 'under the bonnet'. I usually 'use' these security features of operating systems.

Here I merely wish to highlight something that could improve the reception of the '6months report'.

As you maybe know, the differences between Open Source and Windows start with the license. A user (whether it is a 'power user' or a 'complete newbie') of Windows is TOTALLY REFUSED the right to see what's under the bonnet. Therefore, the only people allowed to search for them 'bugs' are Microsoft. Which is SUBSTANTIALLY different with Open Source, where EVERYBODY can (and is even ENCOURAGED to) see the code and think about it. Which doesn't stop even the 'newbie' users from using it (see the response to the Ubuntu on Dell campaign).

With this at start, the more into the woods, the more trees. I'm not going to write about things like obscurity, transparency, installation base, bug tracking and others, because these have been covered elsewhere by other people. But these add to the base mentioned above.

It is then safe to assume that the Windows and OS user base is exclusively different from the security point of view. IOW, there are generally no people at Microsoft interested in (e.g.) Linux security and there are no people interested in Windows security among OS developers.

Based merely on that, it is completely mathematically, statistically inadequate to compare the 'absolute' numbers of vulnerabilities of the included operating systems beside one another. The more differences you find, the more inadequate it is.

I won't run into judging you, your bias or anything. This is just what is walking around my mind from the very start when I saw the '6months' report.

Hope I get my comment published this time.

Regards,
Lukasz
