Security, perception, reality.  What security professional hasn't struggled with the gaps between those three things?  Is there anything worse for security than a false sense of security?  Even my short-term readers probably realize that this is a recurring theme for me - digging into perceptions and misperceptions and trying to shine some light on things.

Take a look at this graphic, which you can see today at www.secunia.com on their Vulnerability Report: RedHat Enterprise Linux WS 4 page:

No unpatched Secunia advisories.  Now, if you are a Red Hat Enterprise Linux 4 Workstation (rhel4ws) user, or perspective user - don't you feel all warm and fuzzy?  Especially when you understand the Secunia vision:

"It is Secunia's ambition to be the leading vulnerability intelligence provider and distributor in the world - second to none." (web link to Secunia corporate info)

"Second to none."  I really like that.  Now, I do not expect perfection.  Far from it, because I know how hard it is to gather and analyze all of the vulnerability data that customers potentially have access to.  But, with that vision, I do expect some best efforts at accuracy and consistency.

So, Jeff, what's the problem? (you say)  My problem is that I've been checking that RHEL4WS site frequently over the past year and it pretty much always says "no problemo", but (and it is a big but), the data I've looked at doesn't say the same thing. 

The wording is careful, of course.  It doesn't say "there are no unpatched, but publicly disclosed vulnerabilties."  Instead, it says "there are no unpatched Secunia advisories affecting this product."  This wording is open to two possible interpretations:

  • Secunia advisories cover all disclosed vulns
  • Secunia advisories are NOT covering all disclosed vulns. 

If it is the former, then everything is hunky-dory.  If it is the latter, then there may be a false sense of security.  So, that embodies my accuracy question.  What about consistency?

If I browse on over to the Secunia Windows Server 2003 page, I see that Secunia lists 10 out of 112 (9%) of Secunia Advisories unpatched.  I see, for example, that on 12/22/2006 they issued an advisory for the CSRSS Privilege Escalation vulnerability, only one day after it was published/asserted on Full Disclosure.  Boy, they're right on top of things for Windows.  Is it possible they're not quite as rigorous in publishing warnings for other products?  It will be interesting to see if we can answer that questions.

So, that's the background and setup.  In Part 2 of this series, I will explore methods for getting an accurate view of publicly disclosed, but unpatched vulnerabilities in products on any given day or over periods of time.  If I can define a repeatable method, then we should be able to monitor both the consistency and accuracy of Secunia over those same periods of time for different products.  Stay tuned...