The Microsoft Security Blog provides in-depth discussion of security, cybersecurity and technology trends affecting trust in computing, as well as timely security news, trends, and practical security guidance.
Summer and work travel have really had an impact and I've missed a couple of months of scorecards, so last weekend, I decided to dig in and catch up to July. I hit a few road bumps:
In addition, I wanted to add in the Red Hat EL 5 versions of client and server, since they've been available for over 3 months now, and that took some time as well. Anyway, back in action now.
Here are the sections for this month:
When I started doing these scorecards, I did two variations - year-to-date and last-3-months - thinking that the latter would reflect short-term bursts of issues and that the former would give an overall view for the year that would incorporate the ups and downs.
Instead, the two versions of the charts seem to look very similar except for the numbers and scale. This kind of hints that whatever vulnerability disclosure and fix rate a product has, it is staying pretty consistent over time, at least in 2007.
The other thing I find a bit interesting is the Server charts that incorporate the reduced set of Linux packages. For those Linux server builds, I eliminated everything GUI, X11, Gnome, KDE-related, Firefox and all optional client-type application components, and just kept a minimalist server with the ability to serve web pages or act in a few other common server roles. In contrast, the Windows Server build includes every shipping component, including Internet Explorer, Media Player and similar stuff. I imagine that a lot of people would have expected a stripped-down Linux server to have, if not fewer total vulnerabilities, then fewer High severity vulnerabilities.
Finally, if I had one surprise in the charts, it was that I expected RHEL5 to be further distinguished from (i.e., much lower than) RHEL4 in the YTD charts, given that it did not ship until March.
* RHEL Desktop 5 shipped in March, so only represents vulns since then
* RHEL 5 Advanced Server shipped in March, so only represents vulns since then
In this section and the next one, note that each of the Linux distributions analyzed does not include the full set of product components, as I went through a process to filter out optional and non-comparable components. For more details on assumptions and methods, please review my methodology, sources and assumptions on this page.