Some Custom Analysis for Robert Vamosi on Secunia Unpatched Data

Robert Vamosi CNET blog

Very reasonably, Robert wants to check my report analysis against an independent source (and says): "Another way to look at the relative security of an operating system is to consult an independent source. We frequently cite vulnerability statistics from security vendor Secunia."

Robert proceeds to quote the "unpatched" numbers for Windows Vista, Windows XP, Sun Solaris, Mac OS X, and Ubuntu (Linux), citing the numbers from Secunia.

Secunia Unpatched Box for Ubuntu 6.10

As you may have heard me say before, I understand why it is difficult for companies like Secunia to stay on top of disclosures for Linux distributions.  I am not criticizing them for falling short at a difficult job, or for lacking the resources to keep track of 500+ distributions composed of variations of thousands of components.

I also think it is understandable why Robert Vamosi would go to the product page, see that box, and conclude that Ubuntu had a "remarkable" track record.  It is my opinion that many people would make a similar conclusion.

The Unpatched Numbers for Ubuntu on March 23, 2007

However, having been involved in vulnerability analysis for a while, I believe the actual number of publicly disclosed, but unpatched vulnerabilities in Ubuntu was a bit different than Mr. Vamosi found, so I did some data gathering and analysis myself to see what I came up with.

Don't just take my word for this; here are the details and how I got them.  Please pick some individual examples and validate them yourself.  Normally, I don't track the versions for which vendors don't offer long-term/Enterprise support, but Mr. Vamosi's link pointed to Ubuntu Linux 6.10, so I've accumulated the data to look at the same version instead of 6.06 LTS.  Here are the steps:

1.  Look at each security advisory on http://www.ubuntu.com/usn.  For the ones that affect Ubuntu 6.10, extract the list of vulnerabilities listed by CVE number and note the date when the advisory was issued.

2.  For each vulnerability in the list, look at the entry on http://nvd.nist.gov and follow each reference to determine when the vulnerability was first disclosed.  As a cross-check, you can check the disclosure dates maintained by Red Hat's Mark Cox at http://people.redhat.com/mjc/cve_dates.txt.

3.  Look for the vulnerabilities that were disclosed prior to March 23, 2007, but fixed after that date.
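The three steps above are a small data-matching job once the advisory and disclosure dates are collected, and the cross-check is easy to get wrong (a CVE fixed twice, a CVE with no known disclosure date, a disclosure that lands after the cutoff). The script below is an added illustration, not part of the original post: it takes a handful of the post's own entries as the step 1 and step 2 inputs, adds a few clearly labelled constructed placeholders (the usn-0000-* advisories, the CVE-0000-* ids, and the simplified "CVE YYYYMMDD" date text, which is not the real layout of cve_dates.txt or NVD), and applies the step 3 rule: disclosed before the cutoff, fixed after it, counting the earliest advisory as the fix.

```python
from collections import Counter
from datetime import date, datetime

CUTOFF = date(2007, 3, 23)

# Step 1 input: advisories as extracted from http://www.ubuntu.com/usn.
# The first three entries are taken from the post's own list; the two
# "usn-0000-*" advisories and all CVE-0000-* ids are constructed placeholders
# that only exist to exercise the filtering rules.
ADVISORIES = [
    {"usn": "usn-451-1", "issued": date(2007, 4, 10),
     "cves": ["CVE-2007-0006", "CVE-2007-0958"]},
    {"usn": "usn-441-1", "issued": date(2007, 3, 26), "cves": ["CVE-2007-1560"]},
    {"usn": "usn-446-1", "issued": date(2007, 3, 28), "cves": ["CVE-2007-1543"]},
    # constructed: a CVE fixed *before* the cutoff must not be counted
    {"usn": "usn-0000-1", "issued": date(2007, 3, 1), "cves": ["CVE-0000-0001"]},
    # constructed: CVE-0000-0002 is disclosed *after* the cutoff, CVE-0000-0003
    # has no disclosure date at all, and the re-fix of CVE-2007-1560 must not
    # move its fix date later than usn-441-1
    {"usn": "usn-0000-2", "issued": date(2007, 4, 1),
     "cves": ["CVE-0000-0002", "CVE-0000-0003", "CVE-2007-1560"]},
]

# Step 2 input: disclosure dates in a constructed, simplified "CVE YYYYMMDD"
# text format (a stand-in for checking NVD references and cve_dates.txt;
# not the real layout of either source).
CVE_DATES_TEXT = """\
# constructed sample, one CVE per line
CVE-2007-0006 20061221
CVE-2007-0958 20070126
CVE-2007-1560 20070320
CVE-2007-1543 20070319
CVE-0000-0001 20070215
CVE-0000-0002 20070325
"""

# Severity as the post reports it for the real entries; placeholders are constructed.
SEVERITY = {"CVE-2007-0006": "Low", "CVE-2007-0958": "Low",
            "CVE-2007-1560": "Low", "CVE-2007-1543": "High",
            "CVE-0000-0001": "Medium", "CVE-0000-0002": "Medium"}


def parse_cve_dates(text):
    """Return {cve: disclosure date} from the simplified text format."""
    dates = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        cve, ymd = line.split()
        dates[cve] = datetime.strptime(ymd, "%Y%m%d").date()
    return dates


def earliest_fix(advisories):
    """Return {cve: (issued, usn)} using the earliest advisory that fixed each CVE."""
    fixes = {}
    for adv in advisories:
        for cve in adv["cves"]:
            if cve not in fixes or adv["issued"] < fixes[cve][0]:
                fixes[cve] = (adv["issued"], adv["usn"])
    return fixes


def unpatched_on(advisories, disclosure_dates, cutoff):
    """Step 3: CVEs disclosed strictly before cutoff but fixed strictly after it."""
    rows = []
    for cve, (fixed, usn) in earliest_fix(advisories).items():
        disclosed = disclosure_dates.get(cve)
        if disclosed is None:
            continue  # no disclosure date: cannot classify, so leave it out
        if disclosed < cutoff < fixed:
            rows.append({"cve": cve, "disclosed": disclosed, "fixed": fixed, "usn": usn})
    rows.sort(key=lambda r: (r["disclosed"], r["cve"]))
    return rows


def severity_counts(rows, severity):
    """Tally the matched CVEs by severity, 'Unknown' if a CVE has none recorded."""
    return Counter(severity.get(r["cve"], "Unknown") for r in rows)


def fmt(d):
    """M/D/YYYY, the date style used in the post's list."""
    return f"{d.month}/{d.day}/{d.year}"


def report(rows, severity, cutoff):
    """Render the result in the same one-line-per-CVE form as the post."""
    c = severity_counts(rows, severity)
    lines = [f"{len(rows)} vulnerabilities disclosed before {fmt(cutoff)} but unpatched "
             f"until later (High {c['High']}, Medium {c['Medium']}, Low {c['Low']})"]
    for r in rows:
        lines.append(f"{r['cve']} [severity={severity.get(r['cve'], 'Unknown')}] disclosed on "
                     f"{fmt(r['disclosed'])} but not fixed until {fmt(r['fixed'])} ({r['usn']})")
    return "\n".join(lines)


if __name__ == "__main__":
    result = unpatched_on(ADVISORIES, parse_cve_dates(CVE_DATES_TEXT), CUTOFF)
    print(report(result, SEVERITY, CUTOFF))
```

Running it on the sample prints four of the post's entries and none of the placeholders. Two choices are worth making explicit when doing this by hand: the fix date is the earliest advisory that names the CVE, so a later re-issued advisory never makes a vulnerability look unpatched for longer than it was, and a CVE whose disclosure date cannot be established is left out rather than guessed, which biases the count downward, not upward.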

Here is the list that I came up with (High 8, Medium 6, Low 15):

29 vulnerabilities disclosed before 3/23/2007 but unpatched until later

CVE-2007-0006 [severity=Low] disclosed on 12/21/2006 but not fixed until 4/10/2007 (usn-451-1)
CVE-2007-0455 [severity=Low] disclosed on 1/26/2007 but not fixed until 6/11/2007 (usn-473-1)
CVE-2007-0958 [severity=Low] disclosed on 1/26/2007 but not fixed until 4/10/2007 (usn-451-1)
CVE-2007-1380 [severity=Low] disclosed on 2/14/2007 but not fixed until 4/27/2007 (usn-455-1)
CVE-2007-0772 [severity=Low] disclosed on 2/19/2007 but not fixed until 4/10/2007 (usn-451-1)
CVE-2007-1308 [severity=Low] disclosed on 3/5/2007 but not fixed until 3/28/2007 (usn-447-1)
CVE-2007-1375 [severity=Low] disclosed on 3/7/2007 but not fixed until 4/27/2007 (usn-455-1)
CVE-2007-1376 [severity=High] disclosed on 3/7/2007 but not fixed until 4/27/2007 (usn-455-1)
CVE-2007-1496 [severity=Low] disclosed on 3/7/2007 but not fixed until 5/23/2007 (usn-464-1)
CVE-2007-1497 [severity=High] disclosed on 3/7/2007 but not fixed until 5/23/2007 (usn-464-1)
CVE-2007-1388 [severity=Low] disclosed on 3/8/2007 but not fixed until 5/23/2007 (usn-464-1)
CVE-2007-1667 [severity=High] disclosed on 3/9/2007 but not fixed until 4/18/2007 (usn-453-1)
CVE-2007-1521 [severity=Medium] disclosed on 3/14/2007 but not fixed until 4/27/2007 (usn-455-1)
CVE-2007-1484 [severity=Medium] disclosed on 3/16/2007 but not fixed until 4/27/2007 (usn-455-1)
CVE-2007-1592 [severity=Low] disclosed on 3/16/2007 but not fixed until 5/23/2007 (usn-464-1)
CVE-2007-1543 [severity=High] disclosed on 3/19/2007 but not fixed until 3/28/2007 (usn-446-1)
CVE-2007-1544 [severity=Low] disclosed on 3/19/2007 but not fixed until 3/28/2007 (usn-446-1)
CVE-2007-1545 [severity=Low] disclosed on 3/19/2007 but not fixed until 3/28/2007 (usn-446-1)
CVE-2007-1546 [severity=Low] disclosed on 3/19/2007 but not fixed until 3/28/2007 (usn-446-1)
CVE-2007-1547 [severity=Low] disclosed on 3/19/2007 but not fixed until 3/28/2007 (usn-446-1)
CVE-2007-1583 [severity=Medium] disclosed on 3/19/2007 but not fixed until 4/27/2007 (usn-455-1)
CVE-2007-0238 [severity=High] disclosed on 3/20/2007 but not fixed until 3/27/2007 (usn-444-1)
CVE-2007-0239 [severity=High] disclosed on 3/20/2007 but not fixed until 3/27/2007 (usn-444-1)
CVE-2007-1560 [severity=Low] disclosed on 3/20/2007 but not fixed until 3/26/2007 (usn-441-1)
CVE-2007-0653 [severity=High] disclosed on 3/21/2007 but not fixed until 3/27/2007 (usn-445-1)
CVE-2007-0654 [severity=High] disclosed on 3/21/2007 but not fixed until 3/27/2007 (usn-445-1)
CVE-2007-1002 [severity=Medium] disclosed on 3/21/2007 but not fixed until 3/26/2007 (usn-442-1)
CVE-2007-1562 [severity=Medium] disclosed on 3/21/2007 but not fixed until 3/27/2007 (usn-443-1)
CVE-2007-1564 [severity=Medium] disclosed on 3/21/2007 but not fixed until 3/28/2007 (usn-447-1)

I anticipate that some readers will point out that about half of the vulns on this list were disclosed only a week or so before the 23rd.  Granted, no argument.  I'll happily just point to the other half, which makes the point just as well.  With any data source, it is very important to have a good understanding and interpret with caution.

Regards ~ Jeff

Copyright © 2007 IDG Communications, Inc.
