CERT has released its list of software vulnerabilities for 2005. Brian Krebs on his blog, Security Fix, reports:
Security researchers uncovered a record 5,198 vulnerabilities in software products this year, nearly 38 percent more than the number of flaws found in 2004, according to statistics published by US-CERT, a cyber security information-sharing collaboration between the Department of Homeland Security and the CERT Coordination Center at Carnegie Mellon University in Pittsburgh.
Well, yes and no. Let me explain what I see.
Already some are trying to spin the list to imply that Microsoft has so many vulnerabilities, 812, because of its popularity. The way CERT has published the list, however, makes any such comparison questionable, at least while the list is organized the way it currently is.
First, this is a list of vulnerability reports, and it sorts them into the following categories: Microsoft Operating System, Multiple Operating System, and Unix/Linux Operating System. The last category means that AIX and Apple and FreeBSD and Solaris and Linux and ... gulp, ironically enough ... SCO OpenServer and UnixWare vulnerabilities ... are all lumped together, for a total of 2328, making a direct comparison between Microsoft and anyone else nearly impossible.
Second, the Unix/Linux list duplicates items, counting a single vulnerability more than once. For example, note that it lists Eric Raymond Fetchmail POP3 Client Buffer Overflow (Updated). The same vulnerability appears, under that same title, four times, because it was reported in the week of August 10-15, again in the week of August 17-23, in the week of September 6-13, and in the week of November 9-16. Worse, for comparison purposes, the same vulnerability is also reported as Fetchmail POP3 Client Buffer Overflow, so in reality one vulnerability is listed 5 times, making the total of 2328 meaningless unless you carefully comb through it to weed out the duplications.
All the links take you to the same description of the same vulnerability, CVE-2005-2335, which tells you that there are no known exploits for this vulnerability. So another issue with the list is that there is no distinction made between truly widespread issues that caused real-life damage and vulnerabilities someone noticed but no one ever exploited. There is a difference.
By the way, there's a Microsoft security issue today, according to Government Computer News, whereby someone can create an infected WMF file and disguise it as a JPEG:
Simply opening the wrong Web page or receiving an e-mail with an errant image file could be enough to cripple your computer, thanks to a newly discovered vulnerability in the Microsoft Windows operating systems.
“We believe that this vulnerability is extremely serious,” e-mailed Scott Fendley, today’s Handler on Duty for the SANS Institute’s Internet Storm Center. “It is extremely hard to protect against this vulnerability. It is not as easy as filtering files of a particular extension or setting a group policy.”
Microsoft Corp., of Redmond, Wash., has warned that the vulnerability is already being exploited by spyware, adware and viruses written to alter the behavior of users’ computers. The company is working on a patch, but has not said when it will be ready.
I'm sure you can see that the seriousness of such a vulnerability outweighs the POP3 Fetchmail issue. When was the last time you read a headline like this one about GNU/Linux or Solaris or AIX or Apple?
To be fair, the Windows list isn't really an accurate list of Windows vulnerabilities either, not the way I would think of it. It also has duplicate items, such as Microsoft ASP.NET Canonicalization (Updated). And it includes Apple, F-Secure, IBM WebSphere, McAfee and other third-party vendor issues. If it can happen to you while you're running Windows and the third-party software, it's on the list, I guess. So, personally, I don't see 812 as being a fair number, unless you qualify what the number means. CERT does qualify it this way:
Information in the US-CERT Cyber Security Bulletin is a compilation and includes information published by outside sources, so the information should not be considered the result of US-CERT analysis. Software vulnerabilities are categorized in the appropriate section reflecting the operating system on which the vulnerability was reported; however, this does not mean that the vulnerability only affects the operating system reported since this information is obtained from open-source information.
So when you read about the list, keep in mind that no straight comparisons are actually possible, unless someone wishes to take the time to do what I've done here through the entire list. Hmm. Any takers?
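Combing through the whole list by hand is tedious, but the normalisation the post describes is mechanical: key each row on its CVE id (falling back to the title with the "(Updated)" marker stripped), count unique keys per category instead of raw rows, flag ids that were filed under more than one operating-system category, and keep the "known exploit" flag separate from the count. The script below is an added example, not code from US-CERT or from the post's author. Its rows are constructed to mirror the duplications described above (the five CVE-2005-2335 listings, the ASP.NET repeat); where the post gives no CVE id the rows carry obvious placeholders, and the dedup key, the title normalisation and the cross-listing check are this example's own assumptions about how such a bulletin export should be cleaned.

```python
"""Count a CERT-style weekly bulletin by unique vulnerability rather than by row."""
import re
from collections import defaultdict

# Constructed rows modelled on the duplications the post describes. Each row is
# (category, bulletin_week, title, cve_id, known_exploit). CVE-2005-2335 is the one
# id the post quotes; the CVE-PLACEHOLDER-* ids stand in for ids the post does not give,
# and the "Example Daemon" rows (no CVE at all) exercise the title fallback.
SAMPLE_ROWS = [
    ("Unix/Linux", "2005-08-10", "Eric Raymond Fetchmail POP3 Client Buffer Overflow (Updated)", "CVE-2005-2335", False),
    ("Unix/Linux", "2005-08-17", "Eric Raymond Fetchmail POP3 Client Buffer Overflow (Updated)", "CVE-2005-2335", False),
    ("Unix/Linux", "2005-09-06", "Eric Raymond Fetchmail POP3 Client Buffer Overflow (Updated)", "CVE-2005-2335", False),
    ("Unix/Linux", "2005-11-09", "Eric Raymond Fetchmail POP3 Client Buffer Overflow (Updated)", "CVE-2005-2335", False),
    ("Unix/Linux", "2005-07-27", "Fetchmail POP3 Client Buffer Overflow", "CVE-2005-2335", False),
    ("Unix/Linux", "2005-03-02", "Example Daemon Format String", "", False),
    ("Unix/Linux", "2005-03-09", "Example Daemon Format String  (Updated)", "", False),
    ("Windows", "2005-10-05", "Microsoft ASP.NET Canonicalization", "CVE-PLACEHOLDER-A", False),
    ("Windows", "2005-10-12", "Microsoft ASP.NET Canonicalization (Updated)", "CVE-PLACEHOLDER-A", False),
    ("Windows", "2005-12-28", "Microsoft Windows WMF Image Handling", "CVE-PLACEHOLDER-B", True),
    ("Multiple", "2005-10-12", "Microsoft ASP.NET Canonicalization (Updated)", "CVE-PLACEHOLDER-A", False),
]

UPDATED_RE = re.compile(r"\s*\(updated\)\s*$", re.IGNORECASE)


def normalise_title(title):
    """Strip the trailing '(Updated)' marker, collapse whitespace and lower-case,
    so that a re-listing of the same advisory produces the same string."""
    return " ".join(UPDATED_RE.sub("", title).split()).lower()


def dedup_key(row):
    """Identity of a vulnerability: the CVE id when present, else the normalised title.
    (Assumption: a bulletin row either carries a CVE id or a stable title.)"""
    _category, _week, title, cve, _exploited = row
    return cve if cve else "title:" + normalise_title(title)


def summarise(rows):
    """Return ({category: (raw_rows, unique_vulns)}, {ids filed under >1 category})."""
    raw = defaultdict(int)
    unique = defaultdict(set)
    categories_of = defaultdict(set)
    for row in rows:
        key = dedup_key(row)
        raw[row[0]] += 1
        unique[row[0]].add(key)
        categories_of[key].add(row[0])
    per_category = {cat: (raw[cat], len(unique[cat])) for cat in raw}
    cross_listed = {key for key, cats in categories_of.items() if len(cats) > 1}
    return per_category, cross_listed


def total_unique(rows):
    """Unique vulnerabilities across the whole export, regardless of category."""
    return len({dedup_key(row) for row in rows})


def unique_exploited(rows):
    """Ids the bulletin marks as having a known exploit; kept apart from the count,
    since the post's point is that a count alone hides this distinction."""
    return {dedup_key(row) for row in rows if row[4]}


if __name__ == "__main__":
    per_category, cross_listed = summarise(SAMPLE_ROWS)
    for cat, (raw_count, unique_count) in sorted(per_category.items()):
        print(f"{cat:11s} rows={raw_count:2d} unique={unique_count:2d}")
    print("total unique:", total_unique(SAMPLE_ROWS))
    print("cross-listed:", sorted(cross_listed))
    print("with known exploit:", sorted(unique_exploited(SAMPLE_ROWS)))
```

On the constructed rows the Unix/Linux category shrinks from 7 rows to 2 vulnerabilities and Windows from 3 to 2, the ASP.NET item shows up as cross-listed under Windows and Multiple, and only the WMF placeholder carries a known exploit. Run against a real export, the raw-versus-unique gap per category is the number the post says is missing from the headline figures.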