Quoting Jimmy Lim ([EMAIL PROTECTED]):

>> http://www.eweek.com/article2/0,3959,741334,00.asp
> 
> this is stupid! 
> how 'bout this?
> http://www.pivx.com/larholm/unpatched/ 
> 
> it's not a matter of how many bugs, exploits, etc. are found in the system, but
> a matter of the developers' response time in fixing the bug.

It's even more stupid than that.

The Aberdeen Group study counted CERT vulnerability reports about
"open-source or Linux products", i.e., where the candidates are
every piece of software bundled with every Linux distribution, _plus_
all open-source software period, regardless of platform.  For the sake
of context, the Debian distribution maintains over _10,000_ distinct
packages of software, of every conceivable sort.  The SuSE Professional
boxed set includes seven or eight CD-ROMs crammed with as much
compressed software of diverse sorts as they can fit on there.  Versus,
of course, practically nothing bundled with MS-Windows.

Got that picture firmly in your head?  Good.  Now, picture Aberdeen
Group comparing the number of 2002 security incidents reported by CERT for
(1) the Linux operating system, plus (2) all applications bundled with
the Linux operating system, plus (3) all open-source applications
whatsoever -- versus 2002 CERT advisories for Microsoft Corp. products.

Bear in mind that most Microsoft Corp. products don't ever come under
CERT scrutiny at all, since they're concerned with the security of
"networked systems".  Most Microsoft products aren't in their bailiwick:
For example, not MS-Word, MS-Excel, MS-PowerPoint, MS-Access....

The Aberdeen "analysis" (if we can call it that) amounted to doodling
with crayons about the following CERT advisories (those from January
through October):

CA-2002-01: Exploitation of Vulnerability in CDE Subprocess Control Service 
CA-2002-02: Buffer Overflow in AOL ICQ 
CA-2002-03: Multiple Vulnerabilities in Many Implementations of the
  Simple Network Management Protocol (SNMP)
CA-2002-04: Buffer Overflow in Microsoft Internet Explorer
CA-2002-05: Multiple Vulnerabilities in PHP fileupload
CA-2002-06: Vulnerabilities in Various Implementations of the RADIUS Protocol
CA-2002-07: Double Free Bug in zlib Compression Library 
CA-2002-08: Multiple Vulnerabilities in Oracle Servers
CA-2002-09: Multiple Vulnerabilities in Microsoft IIS
CA-2002-10: Format String Vulnerability in rpc.rwalld
CA-2002-11: Heap Overflow in Cachefs Daemon (cachefsd)
CA-2002-12: Format String Vulnerability in ISC DHCPD
CA-2002-13: Buffer Overflow in Microsoft's MSN Chat ActiveX Control
CA-2002-14: Buffer Overflow in Macromedia JRun
CA-2002-15: Denial-of-Service Vulnerability in ISC BIND 9
CA-2002-16: Multiple Vulnerabilities in Yahoo! Messenger
CA-2002-17: Apache Web Server Chunk Handling Vulnerability
CA-2002-18: OpenSSH Vulnerabilities in Challenge Response Handling
CA-2002-19: Buffer Overflows in Multiple DNS Resolver Libraries
CA-2002-20: Multiple Vulnerabilities in CDE ToolTalk
CA-2002-21: Vulnerability in PHP
CA-2002-22: Multiple Vulnerabilities in Microsoft SQL Server
CA-2002-23: Multiple Vulnerabilities in OpenSSL
CA-2002-24: Trojan Horse OpenSSH Distribution
CA-2002-25: Integer Overflow In XDR Library
CA-2002-26: Buffer Overflow in CDE ToolTalk
CA-2002-27: Apache/mod_ssl Worm
CA-2002-28: Trojan Horse Sendmail Distribution
CA-2002-29: Buffer Overflow in Kerberos Administration Daemon


The way the game is played, you do this:

1.  Any time it's even _theoretically possible_ to run one of the pieces
    of software mentioned on Linux, score one under "Linux".  Never mind
    if hardly anyone ever does (e.g., rpc.rwalld).  Never mind if it's
    obsolete software that everyone on Linux has replaced (e.g., BIND4
    and BIND8).  Never mind _even_ if the same hole existed for the
    package's NT version (e.g., PHP).
2.  Any time the software exists on _both_ Linux and Microsoft OSes, but
    it seems unfamiliar (e.g., CA-2002-03/SNMP, CA-2002-24/OpenSSH, and
    CA-2002-28/Sendmail), score one under "Linux" only.
3.  If you're just not sure (e.g., CA-2002-02/AOL ICQ), score one under
    "Linux" only.
4.  Score one for "Microsoft" only where the CERT item specifically says
    Microsoft.

When you're done, total the numbers, wipe the drool off your chin, and
put out a press release.

-- 
Cheers,            There are only 10 types of people in this world -- 
Rick Moen          those who understand binary arithmetic and those who don't.
[EMAIL PROTECTED]
Philippine Linux Users Group. Web site and archives at http://plug.linux.org.ph