Danish vulnerability research company Secunia has said there were more flaws reported for Red Hat operating systems than for Microsoft operating systems in 2007.
In a paper entitled Secunia 2007 Report that was made available to Secunia customers on Monday, the company compared last year's vulnerability reports for five operating systems: Microsoft Windows (98 and onwards); Mac OS X; HP-UX 10.x and 11.x; Solaris 8, 9, and 10; and Red Hat (excluding Fedora).
The company found that Red Hat had the most reported vulnerabilities out of those operating systems, with 633 flaws. Solaris had a total of 252 vulnerabilities, while Apple Mac OS X came third with 235. Windows came fourth with 123, while HP-UX had 75 reported flaws.
However, Red Hat Security Team director Mark Cox denied that the vulnerability count was as high as 633 for Red Hat, instead claiming 404 vulnerabilities in 2007.
"Secunia released a security summary report for 2007 and surprisingly gave a count for Red Hat for the year at over 600 vulnerabilities," said Cox. "I've no idea how they got to this number, it certainly doesn't match our metrics. For every Red Hat product and service for 2007 we issued 306 advisories to fix 404 vulnerabilities. Of those 404 vulnerabilities 41 were critical."
Most people would not be using every Red Hat product, said Cox. Taking just Red Hat's Enterprise Linux product, there were 48 vulnerabilities, of which 27 were critical, Cox said.
Cox added that a raw count of vulnerabilities "isn't much use and is only a small part of the overall risk exposure in using a product".
Secunia said that while Red Hat had more reported vulnerabilities than Windows, it was not possible to compare its relative security with Microsoft products, or comment on the relative security of open-source versus proprietary products based on vulnerability figures.
"It's impossible to make a fair comparison — it's like comparing apples to oranges," Thomas Kristensen, Secunia's chief technology officer, told ZDNet.co.uk. "Red Hat has the highest number of applications included, so the number of vulnerabilities that affect it is bound to be higher."
Red Hat contains two different browsers and graphic interfaces, as well as a number of PDF readers and image editors, said Secunia. Red Hat, HP-UX and Solaris can be used as servers, so include and support a large number of third-party components, while "the same cannot be said of all versions of Windows and Mac OS X", Secunia explained.
"Web servers, database servers, archiving tools, office productivity suites — there's two of everything when it comes to Red Hat," said Kristensen. "Windows XP can only be used as a workstation. If you want to run XP as, say, a web server, you have to buy either Microsoft or third-party software."
Kristensen said that third-party software was a key factor affecting the number of vulnerabilities attributed to the respective operating systems. With Red Hat, 99 percent, or 629 of the vulnerabilities, were due to third-party components. With Windows, four percent of flaws were due to third-party software.
One of the differences between the operating systems, said Kristensen, was that Red Hat notified customers of third-party flaws that affected its operating systems, as well as supporting them. Microsoft, on the other hand, only notified customers of flaws within its control.
"If you don't have to install third-party tools on Red Hat systems, it's easier to know about vulnerabilities," said Kristensen. "With Microsoft, you have to get Microsoft bulletins, Apple bulletins, Adobe bulletins — wherever you got the software from." Kristensen added that the time taken to patch critical, publicly disclosed vulnerabilities was also much longer for Microsoft systems, compared with open-source software.
"The general trend is that critical issues in open-source applications have a much shorter patch time compared with Microsoft," said Kristensen. "For irresponsibly disclosed flaws, patching time is critical. Microsoft is a very big company with a certain level of bureaucracy — only Microsoft can fix patching errors. There's a quality assurance testing period before a patch is available. With open source, if there's an incompatibility with a patch, you can change the code. There's an open dialogue with a community, and you can fix it from there."
Talkback
The same Apache vulnerability was counted 6 times. Secunia treats the same advisory that affectsRed Hat Enterprise Linux 2.1, 3, 4, 5, Red Hat Application Stack v1, v2 as 6 different ones.
Mark Cox, Redhat's Security lead says, "
Using our public tool, for every Red Hat product and service, for 2007
we issued 306 advisories to fix 404 vulnerabilities. Of those 404
vulnerabilities 41 were critical (on the scale used by Microsoft and
Red Hat)."
Source: http://www.awe.com/mark/blog/200801161200.html
ZDNET Editors, please update this article with that blog posting. It brings things into perspective.
Thank you for taking the time to reply to this story, SEJeff, especially as if you're in Hollywood it must be the middle of the night about now!
Thanks also for pointing out Mark Cox's blog post. Red Hat made me aware of his post and those stats, which is why the stats are already in the story, in the fifth paragraph.
Cheers,
Tom
I'm sorry, but where in the article does it make clear that the Secunia figures include counting aberrations for the Red Hat figures such as the "same Apache vulnerability was counted 6 times."?
I cannot find it and I have read the article a couple of times.
Please read the blog posting referenced in my comment. Text from that blog is referenced in this article