[SLL] Vulnerabilities by vendor
Paul Allen
paul.l.allen at boeing.com
Thu Nov 29 10:54:06 PST 2007
On Thu, 2007-11-29 at 07:45 -0800, Eric Kahklen wrote:
> I am looking for a site that might list the number of OS
> bugs/vulnerabilities for Linux, Windows, and OS X. I know it will be
> hard to accurately compare each OS because of the difference in the
> standard application base. Basically I am just looking for rough
> numbers or a graphic to help users understand the security advantages of
> a Linux based computer vs Windows. I know there are a ton of factors to
> consider, but I want to avoid the deer in the headlights look if I can :)
The SANS Institute used to publish tables of vulnerabilities by platform
on its web site in a form that could be easily parsed off-line. I did
an analysis for the year ended October, 2001, sifting out just
vulnerabilities in IIS and Apache. The numbers were four to one
against IIS. The IIS vulnerabilities were mostly of the "own the box"
variety, while the Apache vulnerabilities tended toward DOS or "run
arbitrary code with the privilege of the web server". Pretty shocking.
I tried to repeat the 2001 comparison a couple years later to see if
things had changed, but the SANS web site had changed to the point that
a meaningful repeat was not possible. They seem to be doing a "top
20 vulnerabilities" list now. That format doesn't give the absolute
per-platform numbers you're looking for, but it might be close enough
to serve your purpose.
Paul Allen