In terms of the volume of security vulnerabilities

Jan 24, 2008 16:49 GMT  ·  By

When it comes to security vulnerabilities, volume is synonymous with increased risk for end users. Microsoft has played the vulnerability counting game with its own operating system and its main rivals throughout 2007, ever since Vista hit the shelves. Now that Vista is approaching its first year of general consumer availability, and has already passed the first 12 months if counted from the release to manufacturing and the business launch in November 2006, Jeff Jones, Security Strategy Director in Microsoft's Trustworthy Computing group, has compared the latest Windows client with Mac OS X, Ubuntu and Red Hat Linux.

Jones stressed that the "Windows Vista One Year Vulnerability Report" was nothing more than a vulnerability analysis, but stated that, with "all other things being equal", a smaller volume of security flaws makes it easier for a software developer to mitigate risk. Jones looked at all the vulnerabilities that affected Vista, Mac OS X, and the Ubuntu and Red Hat distributions of Linux, but only during each product's first year on the market.

For Windows Vista, "Microsoft released 17 Security Bulletins and corresponding patches in the first year affecting components of Windows Vista, grouped so that there were 9 days in the year when Windows Vista security updates were released," Jones stated. "Microsoft fixed a total of 36 vulnerabilities, encompassing 9 Patch Events (I refer to those 'days when at least one update is released' as a Patch Event), in Windows Vista during the first year."

In terms of rival platforms, Jones set his sights first on Red Hat Enterprise Linux 4 Workstation (rhel4ws). "When rhel4ws shipped on February 15, 2005, there were 129 vulnerabilities already publicly disclosed in shipping components prior to general availability. On ship day, Red Hat issued 27 security advisories to address 64 of them. During the first year of availability, Red Hat issued 183 security advisories/updates for rhel4ws. If limited to just Critical and Important issues, there were 88 released on 57 different days. During the first year of availability, Red Hat fixed a total of 493 vulnerabilities in rhel4ws," 214 of which were Critical, Jones stated.

According to Jones, by the end of the first year, Red Hat Enterprise Linux 4 Workstation, meaning the Linux operating system together with all the adjacent components, had accumulated a total of 575 vulnerabilities. The number drops dramatically, of course, when only the reduced component set of rhel4ws is considered: in that context, Red Hat resolved 360 vulnerabilities, with another 40 publicly disclosed flaws remaining unpatched.

"Ubuntu 6.06 LTS had 53 vulnerabilities already publicly disclosed prior to the June 1, 2006 availability date. During the first year, Ubuntu issued 181 security advisories for Ubuntu 6.06 LTS. In the patches, Ubuntu fixed 406 vulnerabilities affecting Ubuntu 6.06 LTS. 160 of those fixed were rated High severity in the NVD. At the end of the one year period, there were at least 55 publicly disclosed vulnerabilities in Ubuntu 6.06 LTS that did not yet have a patch from Ubuntu. Adding that to the 406 fixed, we get a total of 461 vulnerabilities," Jones revealed.

For the reduced component set of Ubuntu 6.06 LTS, the number of security flaws also drops. In the first year of availability, Canonical issued 80 security advisories patching 224 vulnerabilities. Another 18 vulnerabilities in the Ubuntu distribution of Linux remained unpatched and survived into the operating system's second year.

"Apple shipped Mac OS X 10.4 on April 29, 2005. During the first year, Apple released 17 security updates affecting Mac OS X 10.4, each on a different day. Those updates fixed 116 vulnerabilities in shipping components of Mac OS X 10.4. At the end of the one year period, a total of 41 publicly disclosed vulnerabilities in the product did not yet have a patch from Apple, so the total vulnerabilities disclosed for the product including fixed and unfixed was 157 vulnerabilities," Jones said.
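The counting method the report applies to each product (advisories and Patch Events inside the first-year window, vulnerabilities disclosed before ship day, fixed versus still unpatched at year end, and an optional reduced component set) can be reproduced over structured advisory data. The script below is an added illustration, not Jones's own tooling; the vulnerability ids, components, dates and the 365-day window are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta

@dataclass(frozen=True)
class Disclosure:
    vuln_id: str      # constructed id, not a real CVE
    component: str
    disclosed: date

@dataclass(frozen=True)
class Advisory:
    released: date
    component: str
    severity: str     # "Critical", "Important", "Moderate" (assumed scale)
    fixes: tuple      # vulnerability ids the advisory patches

HIGH = {"Critical", "Important"}

def first_year_report(ship, disclosures, advisories, components=None):
    """First-year metrics; `components` restricts to a reduced component set."""
    year_end = ship + timedelta(days=365)   # assumption: 365-day window
    keep = lambda c: components is None or c in components
    disc = [d for d in disclosures if keep(d.component) and d.disclosed < year_end]
    adv = [a for a in advisories if keep(a.component) and ship <= a.released < year_end]
    high = [a for a in adv if a.severity in HIGH]
    fixed = {v for a in adv for v in a.fixes}
    unfixed = {d.vuln_id for d in disc} - fixed   # disclosed by year end, no patch
    return {
        "advisories": len(adv),
        "patch_events": len({a.released for a in adv}),  # distinct release days
        "high_advisories": len(high),
        "high_patch_events": len({a.released for a in high}),
        "disclosed_before_ship": sum(d.disclosed < ship for d in disc),
        "fixed": len(fixed),
        "unfixed_at_year_end": len(unfixed),
        "total": len(fixed) + len(unfixed),
    }

# Constructed sample data for a hypothetical product shipping 2006-01-10.
SHIP = date(2006, 1, 10)
DISCLOSURES = [
    Disclosure("V-1", "kernel", date(2005, 12, 1)),    # known before ship
    Disclosure("V-2", "office-suite", date(2006, 1, 3)),
    Disclosure("V-3", "kernel", date(2006, 4, 2)),
    Disclosure("V-4", "browser", date(2006, 4, 2)),
    Disclosure("V-5", "browser", date(2006, 11, 20)),  # unpatched at year end
    Disclosure("V-6", "kernel", date(2007, 3, 1)),     # after the window
]
ADVISORIES = [
    Advisory(date(2006, 1, 10), "kernel", "Critical", ("V-1",)),   # ship-day patch
    Advisory(date(2006, 1, 10), "office-suite", "Moderate", ("V-2",)),
    Advisory(date(2006, 4, 20), "kernel", "Important", ("V-3",)),
    Advisory(date(2006, 4, 20), "browser", "Important", ("V-4",)),
    Advisory(date(2007, 2, 1), "browser", "Critical", ("V-5",)),   # second year
]
```

Running `first_year_report(SHIP, DISCLOSURES, ADVISORIES)` gives 4 advisories on 2 Patch Events, 4 fixed plus 1 unfixed for a total of 5; passing `components={"kernel", "browser"}` reproduces the reduced-set drop to a total of 4.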

At this point, it is important to underline that Jones does not claim the sheer volume of vulnerabilities is an illustration of the security level of the respective operating system. It is also relevant to note that Jones no longer included Novell SUSE Linux in the comparison, although the Novell distribution of Linux was part of past comparisons.

"If it was possible to measure 'security' in one metric, it would have to encompass a complex combination of factors including (but not limited to) the software quality, administrative controls, physical controls, and much more - and even then, it would all be in the context of whatever security policy was defined for the systems in question. So, this is not an analysis of 'the security'," Jones stated.

Photo Gallery (3 Images): Windows Vista Computer; First Year of Vulnerabilities; Summary Table for All Products Analyzed