Download: H1 2008 Desktop OS Vendor Report - Vulnerabilities and Days-of-Risk

Rapport sur les vulnérabilités des OS clients pour le premier semestre 2008

pascals.blog — Mon, 27 Oct 2008 13:24:14 GMT

Jeff Jones vient de publier le rapport sur les vulnérabilité des OS clients pour le premier

re: Download: H1 2008 Desktop OS Vendor Report - Vulnerabilities and Days-of-Risk

arty — Thu, 30 Oct 2008 11:43:50 GMT

Red Hat avg DoR is 55.5 days -> https://www.redhat.com/security/data/metrics/summary-rhel5-all.html

guess that your're math is weird.

probably most other stats as miscalculated as this one. like always.

second, public disclosure of vulnerablities on each system is very different.

also, Microsoft release fixes only once a month, that's another, that makes your DoR calculations even weirder.

fair comparison between those system just can't be done, there's too many differenties to assume perfect rules for compare. it's just spreeding FUD, that's bad.

Очердное сравнение осей

Алексей Майоров — Thu, 30 Oct 2008 12:10:53 GMT

По ссылке доступно последнее сравнение популярных операционок на предмет уязвимостей. Главные выводы

re: Download: H1 2008 Desktop OS Vendor Report - Vulnerabilities and Days-of-Risk

Lisa — Thu, 30 Oct 2008 17:57:13 GMT

It would be interesting to see the same type of report from someone who is not employed by MS, as I have seen quite a bit of data from independent sources that present quite a different analysis....

Statistiques sur la sécurité

WebLog de Stéphane PAPP [MSFT] — Mon, 03 Nov 2008 21:52:30 GMT

En complément de la publication de Jeff Jones signalée par Pascal SAULIERE dernièrement

re: Download: H1 2008 Desktop OS Vendor Report - Vulnerabilities and Days-of-Risk

Rodney — Thu, 06 Nov 2008 03:19:09 GMT

You can't seriously expect people to believe this? Microsoft only has the lowest number of vulnerabilities and quickest fixes because you *hide* the vulnerabilities until you have a patch ready, where as Linux is up front about everything.

Additionally, you only include Microsoft core OS in the list of Microsoft patches. You don't include all the other Microsoft products and all the millions of applications that can be installed on Windows. Yet in Linux, you include all kinds of non-core, 3rd party applications in the list of vulnerabilities.

The report is therefore, in effect, a blatant lie. And the news flash for you is, everyone knows it. So if you want Microsoft to be seen in a better light, don't try to pull the wool over people's eyes, ok?

re: Download: H1 2008 Desktop OS Vendor Report - Vulnerabilities and Days-of-Risk

jrjones — Fri, 07 Nov 2008 01:05:42 GMT

Rodney,

Let's assume for a minute that you are correct and that Microsoft only has the lowest number of vulnerabilities and quickest fixes because they hide the vulnerabilities until a patch is ready.

Okay, let's say (theoretically) every issue is "hidden" for two years and then a patch is made available, making the issue public. If true, this would simply delay the disclosure timeline for two years. The ones disclosed in H108 would just be the ones "hidden" since H106.

No matter how you look at it - the large numbers of vulns you are implying exist should show up somewhere on the timeline. And that does not seem to be the case.

You are correct that I do not include "all of the other Microsoft" products in the desktop analysis, though if you want to see the trends on *all vulnerabilities in all Microsoft products*, I encourage you to take a look at the latest http://www.microsoft.com/sir document, where I do look at those trends.

You are incorrect that I include non-core Linux distro applications - I did quite a bit of work to exclude all of the non-default packages as well as some other *default* packages that don't have an equivalent include in Windows.

If you want to back up your assertions and accusations, I'd love to see that. I encourage you to perform your own analysis and publish it and I'll be happy to study it and give you my feedback as well.

Thanks for coming to check out the report, even if you are doubtful about the results.

re: Download: H1 2008 Desktop OS Vendor Report - Vulnerabilities and Days-of-Risk

jrjones — Tue, 18 Nov 2008 20:02:30 GMT

Arty,

% Red Hat avg DoR is 55.5 days -> https://www.redhat.com/security/data/metrics/summary-rhel5-all.html

>guess that your're math is weird.

I accept that number as accurate without checking it, but that doesn't mean my math is weird. I calculated DoR during 1H08.

Check out: https://rhn.redhat.com/errata/rhel-client-workstation-errata.html and note that there were 6 advisories on the day the product shipped, fixing 37 issues. Of course, those 37 issues contribute ZERO days of risk since the fix was available on the day of ship. But what does that mean for DoR average going forward?

Well, quickly, we can see that if the next 37 issues took 90 days to fix and only occurred 90 days after ship, that would only bring the average DoR down to 45 for all 74 issues.

But you're telling me that the overall average is even higher than that at 55 days. That seems to imply that there have been lots of issues that took a long time to fix and I can draw that conclusion without a ton of detailed analysis by looking the average and just the advisories on day one.

% probably most other stats as miscalculated as this one. like always.

Probably not, since this one isn't miscalculated either. Go do a little bit of digging to check your assertion.

% second, public disclosure of vulnerablities on each system is very different.

That is true, each company *decides* its own efforts and policies and those differences do have a real impact on customer risk.

% also, Microsoft release fixes only once a month, that's another, that makes your DoR calculations even weirder.

I don't see weirdness, just some extra days in the calculations - pretty simple really.

% fair comparison between those system just can't be done, there's too many differenties to assume perfect rules for compare. it's just spreeding FUD, that's bad.

On the other hand, people do make comparisons that are even less fair and accurate than this one. It is not acceptable to simply throw up your hands and say it isn't possible when people consider security a factor for decision making.

To me, the FUD is when folks say things like "Linux is inherently more secure" without providing any support for the statement.

Falla di sicurezza di Internet Explorer: disponibile la patch

ZenIT Blog — Wed, 17 Dec 2008 21:00:33 GMT

Feliciano Intini sul suo blog ha annunciato che questa sera (17/12/2008) alle 19:00 sarà rilasciato un

2008年上半期デスクトップ OS ベンダーレポート～脆弱性と DoR ～

日本のセキュリティチーム (Japan Security Team) — Tue, 10 Mar 2009 14:01:22 GMT

小野寺です。少し前になりますが、Jeff Jonesが、主な4つのデスクトップOSを調査して、脆弱性の対応状況等をレポートとして公表していました。脆弱性に対する考え方の一つとして面白いため、翻訳版を作ってみました。冒頭部分を以下に抜粋します。

Download: H1 2008 Desktop OS Vendor Report - Vulnerabilities and Days-of-Risk

Rapport sur les vulnérabilités des OS clients pour le premier semestre 2008

re: Download: H1 2008 Desktop OS Vendor Report - Vulnerabilities and Days-of-Risk

Очердное сравнение осей

re: Download: H1 2008 Desktop OS Vendor Report - Vulnerabilities and Days-of-Risk

Statistiques sur la sécurité

re: Download: H1 2008 Desktop OS Vendor Report - Vulnerabilities and Days-of-Risk

re: Download: H1 2008 Desktop OS Vendor Report - Vulnerabilities and Days-of-Risk

re: Download: H1 2008 Desktop OS Vendor Report - Vulnerabilities and Days-of-Risk

Falla di sicurezza di Internet Explorer: disponibile la patch

2008年上半期 デスクトップ OS ベンダー レポート ～脆弱性と DoR ～

2008年上半期デスクトップ OS ベンダーレポート～脆弱性と DoR ～