US-CERT in contempt
US-CERT released their 2005 Cyber Security Bulletin last week, claiming that Windows had 812 reported flaws and Unix/Linux had 2,328. This might come as a shock to you at first glance … and it is quite shocking, especially if you read their Technical Cyber Security Alerts page for the past two years (I’m not including 2006). Twenty-one of their alerts mention Microsoft vulnerabilities by name. How many for Unix/Linux? Not one.
You might be thinking that something doesn’t add up here. Let’s breeze by Secunia and take a look at their stats to make sure we’re on the right track. Just to be fair (and so you don’t think I’m being biased towards Unix-based systems) I’m going to take the lowest stats for MS systems and I’ll use a bunch of different *nix systems (not just the highest or lowest). Also, I’m only using the latest versions of the different OSes. The figures are unpatched advisories out of total advisories, and the highest severity rating among the unpatched ones (“None” when nothing is unpatched). Here we go:
| OS Name | unpatched / total advisories | highest rating among unpatched |
|---|---|---|
| Windows | | |
| Win XP Professional | 28/124 | Highly critical |
| Win XP Home Edition | 24/108 | Highly critical |
| Win Server 2003 Standard/Web Edition | 8/76 | Less critical |
| Win Server 2003 Enterprise Edition | 8/75 | Less critical |
| Win NT 4.0 Workstation | 7/38 | Less critical |
| Unix/Linux | | |
| Debian GNU/Linux 3.1 | 1/182 | Less critical |
| RedHat Linux 9 | 1/99 | Not critical |
| Mandrakelinux 10.1 | 0/232 | None |
| RedHat Enterprise Linux WS 4 | 0/137 | None |
| Fedora Core 4 | 0/88 | None |
| SUSE Linux 9.3 | 0/61 | None |
| OpenBSD 3.x | 0/59 | None |
| FreeBSD 5.x | 0/56 | None |
Just for the record, those stats take into account that MS finally released their patch to fix the WMF vulnerability. Also, that is just a few of the hundreds of different versions of unix-based systems out there. MS has considerably fewer OSes — only 18, not including mobile/PDA.
If you’re thinking that comparing the 18 MS OSes to the hundreds of unix-based OSes is unfair then stick with me … it gets worse. If you read the bulletin you’ll notice it says that it “is a compilation and includes information published by outside sources”. Take a closer look at their “compilation”: the “BZip2 File Permission Modification” flaw is listed ten times because it was reported in multiple weekly bulletins. Uh-oh, how about this? “bzip2 Remote Denial of Service” is listed nine times as well. There are many, many more instances of duplicates throughout the report, for both MS OSes and unix-based OSes, so the per-OS totals are really counts of weekly entries, not counts of distinct flaws.
How about this … Mozilla product flaws account for thirteen of the unix-based flaws. Since when is a Firefox flaw a Unix flaw!? And what about PHP, Apache, Gaim, MySQL, Perl … I guess none of those work on Windows. A flaw in cross-platform software filed under one OS section says nothing about that OS.
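To show what those two counting problems do to a tally, here is an added example (mine, not from the post or from US-CERT) that audits a set of constructed bulletin rows in the same layout as the weekly bulletins: week number, OS section, product, and entry title. The rows, the `CROSS_PLATFORM` set and the function names are assumptions for the demonstration; the only titles taken from the post are the two bzip2 entries and the WMF flaw. It reports the raw per-section count, the count after collapsing entries repeated across weeks, the count after dropping cross-platform products, and which entries were booked under both OS sections.

```python
"""Audit a weekly vulnerability-bulletin compilation for double counting.

Added example, not code from the post or from US-CERT. It demonstrates the
two counting errors the post describes: the same entry repeated in several
weekly bulletins, and cross-platform software filed under one OS section.
"""
from collections import Counter, defaultdict

# Constructed sample rows in the bulletin layout: (week, OS section, product,
# entry title). Illustrative data only, not rows from the real 2005 report.
SAMPLE_ENTRIES = [
    (1, "Windows", "Microsoft Windows", "WMF image handling code execution"),
    (2, "Windows", "Microsoft Windows", "WMF image handling code execution"),
    (3, "Windows", "Microsoft Windows", "Print spooler code execution"),
    (3, "Windows", "Mozilla Firefox", "Firefox DOM memory corruption"),
    (1, "Unix/Linux", "bzip2", "bzip2 File Permission Modification"),
    (2, "Unix/Linux", "bzip2", "bzip2 File Permission Modification"),
    (3, "Unix/Linux", "bzip2", "bzip2 File Permission Modification"),
    (2, "Unix/Linux", "bzip2", "bzip2 Remote Denial of Service"),
    (3, "Unix/Linux", "bzip2", "bzip2 Remote Denial of Service"),
    (3, "Unix/Linux", "Mozilla Firefox", "Firefox DOM memory corruption"),
    (4, "Unix/Linux", "Apache HTTP Server", "Apache request smuggling"),
    (4, "Unix/Linux", "Linux kernel", "kernel local privilege escalation"),
    (5, "Unix/Linux", "glibc", "glibc regex denial of service"),
]

# Software that ships on both Windows and Unix-like systems, so an entry for it
# says nothing about either OS. Assumed list for this example.
CROSS_PLATFORM = {"Mozilla Firefox", "Apache HTTP Server", "bzip2", "PHP",
                  "MySQL", "Perl", "Gaim"}


def raw_counts(entries):
    """Rows per OS section, the way a naive tally of the bulletin counts them."""
    return Counter(section for _week, section, _product, _title in entries)


def unique_counts(entries):
    """Distinct (section, product, title) triples, collapsing weekly repeats."""
    seen = {(section, product, title) for _w, section, product, title in entries}
    return Counter(section for section, _p, _t in seen)


def repeat_weeks(entries):
    """Map each entry listed in more than one week to the number of weeks."""
    weeks = defaultdict(set)
    for week, section, product, title in entries:
        weeks[(section, product, title)].add(week)
    return {key: len(w) for key, w in weeks.items() if len(w) > 1}


def os_specific_counts(entries, cross_platform=CROSS_PLATFORM):
    """Distinct entries per section after dropping cross-platform products."""
    seen = {(section, product, title) for _w, section, product, title in entries}
    return Counter(section for section, product, _t in seen
                   if product not in cross_platform)


def listed_in_both_sections(entries):
    """Titles booked under more than one OS section, i.e. counted twice."""
    sections = defaultdict(set)
    for _w, section, product, title in entries:
        sections[(product, title)].add(section)
    return sorted(title for (_p, title), s in sections.items() if len(s) > 1)


def audit(entries):
    """Raw vs deduplicated vs OS-specific count for every section."""
    raw = raw_counts(entries)
    uniq = unique_counts(entries)
    spec = os_specific_counts(entries)
    return {s: {"raw": raw[s], "unique": uniq[s], "os_specific": spec[s]}
            for s in sorted(raw)}


if __name__ == "__main__":
    for section, c in audit(SAMPLE_ENTRIES).items():
        print(f"{section:11s} raw={c['raw']:2d} unique={c['unique']:2d} "
              f"os_specific={c['os_specific']:2d}")
    print("repeated across weeks:", repeat_weeks(SAMPLE_ENTRIES))
    print("listed under both sections:", listed_in_both_sections(SAMPLE_ENTRIES))
```

On this constructed data the Unix/Linux section shrinks from 9 raw rows to 6 distinct entries and then to 2 once bzip2, Firefox and Apache are set aside, while Windows goes from 4 to 3 to 2. Applying the same three steps to the real bulletin is the minimum anyone should do before quoting its 812 and 2,328 figures.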
US-CERT tries to cover themselves by stating that “Software vulnerabilities are categorized in the appropriate section reflecting the operating system on which the vulnerability was reported; however, this does not mean that the vulnerability only affects the operating system reported since this information is obtained from open-source information.” So, in other words, the per-OS totals the whole bulletin is built around don’t mean what they appear to mean, and your entire report is completely useless?
US-CERT should be ashamed of themselves for writing up something so misleading, as they have certainly earned the disdain of the rest of the world. I sure hope they didn’t use any of our tax dollars aggregating that sorry excuse for a report.