Tuesday, January 10, 2006

Take a Closer Look at CERT/CC Vulnerability Numbers

The Computer Emergency Response Team Coordination Center (CERT/CC) has released its annual report of vulnerability statistics. At first blush, Windows looks to be way ahead: 812 Windows holes reported versus 2328 Linux/Unix ones. But, as Groklaw and NewsForge point out, "Linux/Unix" lumps together everything from HP-UX to BSD to Solaris, plus the hundreds of "minor" distros, into one sum. Furthermore, there is considerable duplication in the Linux/Unix list; Groklaw cites one example where the same vulnerability is reported five times.

If I seem to be defensive about Linux in this arena, it's because Microsoft will predictably launch a well-funded PR blitz based on these numbers, and I'm tired of them trying to sell the Big Lie. I use Windows from time to time. It's not the Anti-OS. But Microsoft has had a history of pitching it with "half-lies and statistics", and I for one am pretty fed up with that.

From NewsForge:

This is not to say that the data from US-CERT is a meaningless aggregation. You can easily spot the most vulnerable operating system in wide use today by taking a look at the Technical Cyber Security Alerts issued by US-CERT last year. Here's the bottom line:
  • 22 Technical Cyber Security Alerts were issued in 2005
  • 11 of those alerts were for Windows platforms
  • 3 were for Oracle products
  • 2 were for Cisco products
  • 1 was for Mac OS X
  • None were for Linux

NewsForge | US-CERT's FUD

