The US-CERT’s 2005 Year-End Index, published at the end of 2005, detailed software vulnerabilities identified during the year and separated them into three groups: Windows operating system vulnerabilities, Unix/Linux operating system vulnerabilities, and multiple operating system vulnerabilities.

With 812 vulnerabilities listed for Windows, 2,328 for Unix/Linux, and 2,058 for multiple operating systems, headlines quickly appeared stating that Unix/Linux was the victim of almost three times more vulnerabilities than Windows.

The Linux and Open Source Online newsletter NewsForge has, however, pointed out the dangers of taking these figures at face value, noting that while the list of Windows vulnerabilities covers Microsoft’s various currently used operating systems, the Unix/Linux list covers many, many more.

Sun Microsystems Inc’s Solaris, IBM Corp’s AIX, Silicon Graphics Inc’s Irix, Apple Computer Inc’s Mac OS X, Hewlett Packard Co’s HP-UX, SCO Group Inc’s OpenServer and UnixWare, Red Hat Inc’s Enterprise Linux, and Novell Inc’s SUSE Linux were all covered by the Unix/Linux list, as well as the various Linux and BSD distributions.

Based on that fact, NewsForge has called any attempt to compare the totals for each group a meaningless exercise, before adding that the list also fails to take into account the severity of vulnerabilities, how easy it is to exploit them, and how fast vendors have responded to them.