Enterprise Unix Roundup: Does CERT Matter?
As we wind our way back from the holiday haze and requisite hangovers, we're not surprised to see it's been a slow two weeks in the world of enterprise Unix and elsewhere. We suspect everyone else is tentatively dipping their toes in the icy waters of the new year as well.
Before we can fully bid adieu to 2005, we'd like to note one of the more interesting pieces of news to hit our inbox last week. The United States Computer Emergency Readiness Team (more commonly known as US-CERT) posted a list of all of the vulnerabilities identified from January 2005 to December 2005.
A whopping 5,198 were reported: 812 were Windows operating system vulnerabilities; 2,328 were Unix/Linux operating system vulnerabilities; and 2,058 were vulnerabilities affecting more than one operating system.
Before we set off a rallying cry to scrap Linux migration plans and migrate all Unix apps to Windows, or start a flame war with CERT, consider the following:
Windows is but one operating system, whereas Unix and Linux come in more than 100 flavors, possibly thousands if you count customized builds. Add applications to the mix and the potential for soft spots multiplies, with Unix and Linux touchpoints outnumbering those of Windows by far more than the 45 percent (Unix/Linux) vs. 15 percent (Windows) face-off that everyone seems to be labeling a victory for Windows.
Also important to bear in mind are the limitations of the report itself. An article on Techweb cautions against taking the list at face value, as many reports we've seen have been doing:
The end-of-year vulnerability score should be taken with a grain of salt, however, since US-CERT doesn't filter out updates (so one actual vulnerability can be counted numerous times) nor does it break out individual vulnerabilities from warnings that cover multiple bugs (as in the many Mac OS X vulnerability listings).
Not to mention that it gives all vulnerabilities equal weight.
Being the gearheads that we are, we live for lists like this, but we doubt the percentages themselves are of value to many outside of the press and analyst community (though in this case, we'll safely wager a certain software monarch is happily counting the numbers).
What is of value to end-user enterprises looking at history as an indication of future security is the compiled list itself. Having all the vulnerabilities in one place makes it fairly straightforward to peruse the list and see how often, and for what, the operating system or product under consideration appeared. Not all vulnerabilities are created equal: a "remote DoS security flaw" or "possible buffer overflow" is generally not as severe as "remote code execution possible."
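To make the two points above concrete (the Techweb caveats about updates being counted again and bundled advisories being counted once, and the suggestion to weigh a product's entries by severity rather than by raw count), here is a small added example, not part of the original column or of US-CERT's list. It tallies a constructed bulletin list three ways over hypothetical products (FooServ, LibBaz, BarDaemon are invented names); the severity weights are our own assumption, chosen only to follow the column's ordering.

```python
"""Tally a constructed vulnerability-bulletin list three ways: the naive
per-entry count, a count that collapses re-issued updates and splits bundled
advisories into their distinct flaws, and a severity-weighted exposure score
for one product of interest.  Added example; every entry below is constructed
and the product names are hypothetical."""
from collections import Counter

UNIX_LIKE = {"Linux", "FreeBSD", "Solaris", "Mac OS X"}

# Assumed severity weights, ordered as the column suggests: a remote DoS or a
# "possible" overflow is generally less severe than remote code execution.
SEVERITY_WEIGHT = {
    "remote DoS": 1,
    "possible buffer overflow": 2,
    "remote code execution": 3,
}

# Constructed sample entries (hypothetical products; not from the US-CERT list).
# "bugs" lists the distinct flaws an entry covers; an update re-lists the same key.
SAMPLE_ENTRIES = [
    {"title": "FooServ remote code execution", "product": "FooServ",
     "platforms": ["Linux"],
     "bugs": [{"key": "FOO-1", "severity": "remote code execution"}]},
    {"title": "FooServ advisory update (new fixed version)", "product": "FooServ",
     "platforms": ["Linux"],
     "bugs": [{"key": "FOO-1", "severity": "remote code execution"}]},
    {"title": "Mac OS X security update fixes multiple issues", "product": "Mac OS X",
     "platforms": ["Mac OS X"],
     "bugs": [{"key": "MAC-1", "severity": "remote DoS"},
              {"key": "MAC-2", "severity": "remote DoS"},
              {"key": "MAC-3", "severity": "remote code execution"}]},
    {"title": "Windows remote code execution", "product": "Windows",
     "platforms": ["Windows"],
     "bugs": [{"key": "WIN-1", "severity": "remote code execution"}]},
    {"title": "LibBaz possible buffer overflow", "product": "LibBaz",
     "platforms": ["Windows", "Linux"],
     "bugs": [{"key": "LIB-1", "severity": "possible buffer overflow"}]},
    {"title": "BarDaemon remote DoS", "product": "BarDaemon",
     "platforms": ["Linux"],
     "bugs": [{"key": "BAR-1", "severity": "remote DoS"}]},
]


def category(platforms):
    """Map an entry's platform list onto the report's three buckets."""
    has_windows = "Windows" in platforms
    has_unix = any(p in UNIX_LIKE for p in platforms)
    if has_windows and has_unix:
        return "Multiple"
    return "Windows" if has_windows else "Unix/Linux"


def naive_count(entries):
    """One tick per published entry: updates double-count, bundles under-count."""
    return Counter(category(e["platforms"]) for e in entries)


def unique_bugs(entries):
    """Collapse entries to distinct flaws keyed by bug id, keeping the first
    entry's product, category and severity for each key."""
    seen = {}
    for e in entries:
        for b in e["bugs"]:
            seen.setdefault(b["key"], {
                "product": e["product"],
                "category": category(e["platforms"]),
                "severity": b["severity"],
            })
    return seen


def deduplicated_count(entries):
    """Count distinct flaws per bucket rather than published entries."""
    return Counter(b["category"] for b in unique_bugs(entries).values())


def exposure(entries, product):
    """Severity-weighted score for one product over its distinct flaws."""
    return sum(SEVERITY_WEIGHT[b["severity"]]
               for b in unique_bugs(entries).values()
               if b["product"] == product)


if __name__ == "__main__":
    print("naive :", dict(naive_count(SAMPLE_ENTRIES)))
    print("dedup :", dict(deduplicated_count(SAMPLE_ENTRIES)))
    for name in ("FooServ", "Mac OS X", "BarDaemon"):
        print(f"{name:10} exposure = {exposure(SAMPLE_ENTRIES, name)}")
```

On this sample the naive tally gives six entries while the deduplicated one gives seven distinct flaws: the FooServ update collapses into one, but the bundled Mac OS X advisory expands into three, so the two counting errors do not even push in the same direction. The exposure score then ranks products the way the column proposes, by what the flaws allow rather than by how many bulletins mention them.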
Consider who reported the vulnerability. Many open source projects are known for reporting and fixing vulnerabilities as soon as someone finds them (one advantage of community), while some companies are less forthcoming and don't rush to patch.
Also, keep volume in perspective. Windows is now the most commonly deployed operating system, so it stands to reason that this alone makes it a more attractive target. It would be interesting to see the list broken down further for Linux and Unix, as pitting Red Hat, FreeBSD, and Mac OS X against Windows is by no means an apples-to-apples comparison.
And finally, no matter which operating system or application you choose, or already have, remember that maintenance is critical. Zero-day exploits may bring Windows to mind, but the more popular Linux becomes, the more desirable a target it will be, and the more important it will be to stay current with patching.