linux and Vulnerability Report

ubuntu 10.04

http://secunia.com/advisories/product/30524/?task=statistics_2011


redhat 6.0

http://secunia.com/advisories/product/32986/?task=statistics_2011

openSUSE 11.4

http://secunia.com/advisories/product/35006/?task=statistics_2011

FreeBSD 8.1

http://secunia.com/advisories/product/33024/?task=statistics_2011

Fedora 14

http://secunia.com/advisories/product/33024/?task=statistics_2011

Slackware Linux 11.0
http://secunia.com/advisories/product/13491/?task=statistics_2011

Debian GNU/Linux 6.0
http://secunia.com/advisories/product/34258/?task=statistics_2011

 

1189 vulnerabilities in Ubuntu, over 500 more than the next highest. Why so much more? The other distributions are around 600ish.

edit: 10.10 already have 893..? http://secunia.com/advisories/product/32688/

 

More functions = more holes.

Not a biggie. Vulnerabilities don't mean anything sometimes. You can have a vulnerability in IE9 (just an example) that breaks out but then it's stuck at low priority.

With Linux this is taken even further because applications have a lot of restrictions - SELinux. There are a lot of kernel-level separations for user, admin, root so not every exploit will get you root access.

Of course I'm sure some of those do.

 

None of them are above "non critical" so their severity isn't at question. I'm curious why there is so many, already.

I'm not buying "more functions" when Windows bundles more.

 

Is there a windows report for comparison?

 

Yes, but to be fair I should have said that I'm not buying it has more functions that other Linux distros, which on average have 600ish.

 

It might be easier to gather so many on something like Ubuntu, which is developed open source. The vulnerabilities are probably already known.

Idk though.

 

Can anyone find Linux Mint? I can't. But I'm willing to bet it also isn't as high as Ubuntu and it's based on it! Though I use the debian version.

 

Does it really? It's new to me that Windows offers repositories with thousands of 3rd party packages whose vulnerabilities are fixed by Microsoft

Or, as Secunia put it:

 

Not really much more, Microsoft does bundle quite a lot. But thanks for the info/quote.

 

If one was to conclude from stats (hits on distro websites) that Ubuntu is the most popular distro then it could also be argued that more vulnerabilities would also be identified. I suppose. It has a kind of logic if a bit flimsy.

http://distrowatch.com/stats.php?section=popularity

Can't find stats on distro users

 

I think it's pretty much a fact that Ubuntu is the most popular distro, followed by Mint.

But if what tlu is saying is to be believed (the exploits originate from 3rd party apps) they should be far more similar (LibreOffice, Firefox, etc) the most popular choices for distros. But there's still a difference of over 500 exploits.

 

best thing is almost all pached hardly anything critical

LibreOffice 3.x
http://secunia.com/advisories/product/34131/?task=statistics_2011



microsoft windows did a great job on windows 7 and vista

Microsoft Windows 7

http://secunia.com/advisories/product/27467/?task=statistics_2011

Microsoft Windows Vista

http://secunia.com/advisories/product/13223/?task=statistics_2011


but not same on xp

http://secunia.com/advisories/product/16/?task=statistics_2011

http://secunia.com/advisories/product/22/?task=statistics_2011

 

Definitely

Nice. That disproves the third party theory contributing to exploits even more.

Bwahaha so true. How times change (thankfully).

 

some browsers on linux

Google Chrome 14.x

http://secunia.com/advisories/product/38063/?task=statistics_2011

chromium 14.x

http://secunia.com/advisories/product/36448/?task=statistics_2011

Mozilla SeaMonkey 2.x

http://secunia.com/advisories/product/27665/?task=statistics_2011

Mozilla Firefox 3.6.x

http://secunia.com/advisories/product/28698/?task=statistics_2011

Mozilla Firefox 6.x

http://secunia.com/advisories/product/37619/?task=statistics_2011

please use 7 instead firefox 6 is unpached

Mozilla Firefox 7.x

http://secunia.com/advisories/product/38194/?task=statistics_2011

Opera 11.x

http://secunia.com/advisories/product/33328/?task=statistics_2011

please check this one there are 20 unpached Vulnerability in opera so use it on good sites only if you are opera fan

 

But it's not only the most popular packages. Synaptic counts (including getdeb, medibuntu and 4 ppa's) 56253 packages in my Kubuntu 11.10 repos. Do other distros have as many packages?

 

Quite a while ago, an esteemed member of this forum posted about how Secunia found SRware Iron to be more secure than Google Chrome.

I had asked some questions but got no serious answer.

On looking further into the matter, it appears to me that Secunia collates security reports from each browser team. Since the SR Ware Iron team appears minimally communicative, Secunia obediently and obligingly reported that Iron is less vulnerable than Chrome. (I think they showed Iron to have zero vulnerabilities.)

I wonder if something similar is afoot here.

I am aware that Secunia has its own "research team".


Edit: see here (if you want) https://www.wilderssecurity.com/showpost.php?p=1778111&postcount=92

 

iron is base on chromium so if chrome/chromium is 100% what reason iron dont

the main reason must be this at that time i guess


http://www.srware.net/en/software_srware_iron_chrome_vs_iron.php

 

The point I'm trying to make is that when Secunia reports vulnerabilities it is often (if not mostly) based on information released by the software's developers themselves. Software whose developers are not particularly communicative, may appear to be more "secure" by Secunia's standards.

 

well i get to know about this on my CEH course ist i guess they share data base and also do their own testing as well just like use tools like nessus ......etc

but your point is good because the most common software are targated the most thats why you found more vulnerability on them because they are targated the most

if you google vulnerability database you find many sites including most of them running by gov

like National Vulnerability Database

US-CERT Vulnerability .....etc

 

i agree with your point by my point is most attacks on wildly used apps

screen shot of my astaro gateway IPS attacks block by snort

you see most attacks are targeting IE and firefox as they are common

 

Very interesting stats, pretty surprising.