CERT Vulnerability Notes Database Results



The United States Computer Emergency Readiness Team (CERT) uses its own set of metrics to evaluate the severity of any given security flaw. A number between 0 and 180 expresses the final metric, where the number 180 represents the most serious vulnerability. The ranking is not linear. In other words, a vulnerability ranked 100 is not twice as serious as a vulnerability ranked at 50.

CERT considers any vulnerability with a score of 40 or higher to be serious enough to be a candidate for a special CERT Advisory and US-CERT technical alert.

We queried the CERT database using the search terms "Microsoft", "Red Hat", and "Linux". [9] The CERT web search does not produce perfectly desirable results in terms of granularity or longevity, and this is especially true for the "Red Hat" and "Linux" searches. The "Linux" results include a number of Oracle security vulnerabilities that are common to Linux, UNIX, and Windows. The details of the most severe "Red Hat" entry do not even list Red Hat as a vulnerable system. The "Microsoft" results seem to be almost entirely accurate, inasmuch as both the details and the entries refer to flaws in Microsoft-specific software. As a result, the comparison is somewhat unfairly skewed against Linux and Red Hat. Nevertheless, even if one takes the results at face value and ignores that skew, Microsoft still produces the most entries in the CERT database, and its list of entries contains the most severe flaws.

The CERT results for "Microsoft" returned 250 entries, with the top two entries containing the severity metric of 94.5. Thirty-nine entries have a severity rating of 40 or greater. The average severity rating for the top 40 entries is 54.67. (We chose to average 40 entries instead of 50 or more because the Red Hat search only returned 49 results.)

The CERT results for "Red Hat" returned 46 entries. The top entry has a severity metric of 108.16. Only 3 (vs. 39 for Microsoft) entries have a metric of 40 or greater. The average severity for the top 40 entries is 17.96.

The CERT results for the "Linux" search returned 100 entries. The top entry has a severity metric of 87.72. Only 6 of the entries carry a severity metric of 40 or greater. The average severity for the top 40 entries is 28.48.
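The three comparisons above follow one recipe: sort a search's notes by metric, count those at or above CERT's threshold of 40, and average the top 40. The Python below is an added example, not code from the original article; it reproduces that recipe on constructed sample rows (the VU numbers and metrics are made up) and also applies the filter the article says the CERT search lacks, dropping notes that never list the queried product among the systems affected.

```python
from dataclasses import dataclass
from statistics import mean

SERIOUS_THRESHOLD = 40.0  # CERT's cut-off for advisory / technical-alert candidates


@dataclass(frozen=True)
class VulNote:
    """One row of a CERT Vulnerability Notes search result (constructed sample data)."""
    vu_id: str      # placeholder VU# label, not a real CERT identifier
    metric: float   # CERT severity metric, 0..180, non-linear
    systems: tuple  # products the note actually lists as vulnerable


def summarize(notes, top_n=40, threshold=SERIOUS_THRESHOLD):
    """Reproduce the article's figures for one result set: top metric, how many
    notes reach the 'serious' threshold, and the mean over the top_n notes
    (over all notes when fewer than top_n exist)."""
    ordered = sorted((n.metric for n in notes), reverse=True)
    if not ordered:
        return {"count": 0, "top": None, "serious": 0, "avg_top_n": None}
    return {
        "count": len(ordered),
        "top": ordered[0],
        "serious": sum(1 for m in ordered if m >= threshold),
        "avg_top_n": round(mean(ordered[:top_n]), 2),
    }


def only_listing(notes, product):
    """Keep only notes whose 'systems affected' field names the queried product;
    this removes the skew the article describes for the Red Hat and Linux searches."""
    key = product.lower()
    return [n for n in notes if any(key in s.lower() for s in n.systems)]


# Constructed sample rows; identifiers and metrics are illustrative only.
SAMPLE = [
    VulNote("VU#000001", 108.16, ("Oracle Database",)),  # matched the search, Red Hat not listed
    VulNote("VU#000002", 52.30, ("Red Hat Enterprise Linux",)),
    VulNote("VU#000003", 41.00, ("Red Hat Linux", "Debian GNU/Linux")),
    VulNote("VU#000004", 12.74, ("Red Hat Enterprise Linux",)),
    VulNote("VU#000005", 8.12, ("Red Hat Enterprise Linux",)),
]

if __name__ == "__main__":
    print("raw search   ", summarize(SAMPLE, top_n=4))
    print("strict filter", summarize(only_listing(SAMPLE, "Red Hat"), top_n=4))
```

The strict result drops the top entry and two thirds of the "serious" count, which is the direction of skew the article attributes to the CERT search.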

These results cannot be expected to mirror our own analysis of recent vulnerability patches. The CERT search criteria and date ordering are different, and the CERT search does not confine the products to Windows Server 2003 and Red Hat Enterprise Linux AS v.3. But the CERT results reflect how Windows security flaws tend to be far more frequently severe than those of Linux, which echoes our conclusions.

References

Netcraft Web Survey for September 2004
http://news.netcraft.com/archives/2004/08/31/September_2004_seb_server_survey.html

Netcraft Top 50 Servers With Longest Uptime (results may differ since the information changes daily)
http://uptime.netcraft.com/up/today/top.avg.html

Unpatched PC "Survival Time" Just 16 Minutes, Gregg Keizer, TechWeb News
http://www.internetweek.com/breakingNews/showArticle.jhtml?articleID=29106061

Top 10 Benefits of Windows Server 2003
http://www.microsoft.com/windowsserver2003/evaluation/whyupgrade/top10best.mspx

Microsoft Security Bulletin, Current Downloads
http://www.microsoft.com/technet/security/CurrentDL.aspx

Default Settings Different on Windows Server 2003
These settings are enumerated on several alert pages under "Frequently Asked Questions, What is Internet Explorer Enhanced Security Configuration?" The following is one such URL.
http://www.microsoft.com/technet/security/bulletin/ms03-032.mspx

Red Hat Enterprise Linux Advance Server v.3 Security Advisories
https://rhn.redhat.com/errata/rhel3as-errata-security.html

CERT search for Microsoft Alerts
http://www.kb.cert.org/vuls/bymetric?searchview&query=microsoft&searchorder=4&count=100

CERT search for Red Hat Alerts
http://www.kb.cert.org/vuls/bymetric?searchview&query=red*hat&searchorder=4&count=100

CERT search for Linux Alerts
http://www.kb.cert.org/vuls/bymetric?searchview&query=linux&searchorder=4&count=100

Footnotes

[1] See References section below for the Netcraft URLs from which this data was drawn.

[2] See References section below for the Netcraft URL for this data.

[3] Unpatched PC "Survival Time" Just 16 Minutes, by Gregg Keizer, TechWeb News. See References section below for URL.

[4] We suspect we know why Microsoft chose to implement this as the default behavior of SQL Server. Many third-party applications use the SQL Server engine by default. If everyone who wrote applications for SQL Server assumed that there would be a single instance of SQL Server running on the machine, Microsoft would have to provide an easy way for the installation programs to detect that SQL Server was already installed and running, and then provide an easy way to install, integrate and administer the applications' specific requirements for their own databases and tables running on the existing server. This is the elegant solution, and it uses up a minimum of resources because only one instance of SQL Server is ever needed. But this approach would require a good deal of extra work on the part of Microsoft or on the part of the third-party developers. It was much easier to design a way to allow third-party applications to avoid bothering with the issue of whether or not SQL Server is already installed. Given the design Microsoft implemented, any third party can simply install its own copy of SQL Server without worrying about whether or not SQL Server already exists on the target machine, what version of SQL Server is already installed, or how the SQL Server is already configured. In short, rather than do things right, and in an effort to entice third parties to use SQL Server, Microsoft took the lazy way out and designed a system where any application could install its own private copy of SQL Server without its operation interfering with the other copies of SQL Server running on the same system. This led to the desire to run several instances of SQL Server with RPC enabled, which should actually have a very narrow audience. This lazy approach had terribly unfortunate consequences. If Microsoft had designed SQL Server to run as a single instance without network connections by default, the Slammer worm would not have been able to find enough machines running SQL Server to do any significant damage.

[5] See References section for URL to the "Top 10 Benefits of Windows Server 2003" page at the Microsoft web site.

[6] See References section below for the URL of the page from which this data was extracted.

[7] See References section below for the URL of the page from which this text is quoted.

[8] See References section below for the URL of the page from which this data was extracted.

[9] See the References section below for the full URLs we used to perform these searches.
