Back in March I wrote about a Role Comparison Report from Security Innovation comparing vulnerability response times for Microsoft and Red Hat Enterprise Linux, a report that was published without involving Red Hat. Since then they have contacted me and supplied their dataset, in which we were able to correct some mistakes. This week Security Innovation released another report from that data, this time looking at the role of a Database Server.
Despite the report's claim to incorporate a qualitative assessment of vendor reactions to serious vulnerabilities, the headline metric treats all vulnerabilities as equal, regardless of their risk to users.
Their headline figure is an average of 61 days of risk (the time from first public disclosure to the availability of a vendor fix) for a Red Hat Enterprise Linux 3 minimal installation with the addition of MySQL server from Red Hat Enterprise Linux Extras.
That sounds like an awful lot of days of risk, but if you filter their dataset by severity, using the Microsoft scale to rate the severity of each issue, you find the following:
*** Critical issues: 3 in total. All were fixed on the same day as first public disclosure, giving 0 average days of risk.
*** Critical plus Important issues: 49 in total, with 34 average days of risk.
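The breakdown above is just the headline "days of risk" metric recomputed over progressively narrower severity bands. The following script, added here as an illustration and not part of the original post or of Security Innovation's report, does that calculation over a small constructed dataset (the records, dates and severity ratings are invented for the example; they are not the real data). The point it demonstrates is how a single all-severities average can be dominated by long-lived low-severity issues while every Critical issue was fixed on the day of disclosure.

```python
from dataclasses import dataclass
from datetime import date
from statistics import mean

# Severity bands in the order the post uses for cumulative reporting
# (Microsoft-style ratings: Critical, Important, Moderate, Low).
SEVERITY_ORDER = ["Critical", "Important", "Moderate", "Low"]


@dataclass(frozen=True)
class Vuln:
    ident: str        # hypothetical identifier, not a real advisory
    severity: str     # one of SEVERITY_ORDER
    disclosed: date   # first public disclosure
    fixed: date       # date a vendor security update was available


# Constructed sample data for the example only. Not the report's dataset.
SAMPLE = [
    Vuln("VULN-A", "Critical",  date(2005, 3, 1),  date(2005, 3, 1)),   # 0 days
    Vuln("VULN-B", "Critical",  date(2005, 4, 12), date(2005, 4, 12)),  # 0 days
    Vuln("VULN-C", "Important", date(2005, 1, 10), date(2005, 2, 9)),   # 30 days
    Vuln("VULN-D", "Important", date(2005, 2, 1),  date(2005, 3, 13)),  # 40 days
    Vuln("VULN-E", "Moderate",  date(2005, 1, 5),  date(2005, 5, 5)),   # 120 days
    Vuln("VULN-F", "Low",       date(2004, 11, 1), date(2005, 5, 1)),   # 181 days
]


def days_of_risk(v: Vuln) -> int:
    """Days between first public disclosure and the fix being available.

    A fix released before disclosure (e.g. a coordinated advisory) counts
    as zero days of exposure rather than a negative number.
    """
    return max(0, (v.fixed - v.disclosed).days)


def average_days_of_risk(records, severities=None):
    """Average days of risk over the records whose severity is in
    `severities` (all records when `severities` is None). Returns None
    when nothing matches, so an empty band is not reported as 0."""
    selected = [r for r in records
                if severities is None or r.severity in severities]
    if not selected:
        return None
    return mean(days_of_risk(r) for r in selected)


def cumulative_by_severity(records):
    """Headline figure recomputed for 'Critical', 'Critical+Important',
    'Critical+Important+Moderate', ... as (count, average days) pairs."""
    table = {}
    for i in range(1, len(SEVERITY_ORDER) + 1):
        band = SEVERITY_ORDER[:i]
        count = sum(1 for r in records if r.severity in band)
        table["+".join(band)] = (count, average_days_of_risk(records, set(band)))
    return table


if __name__ == "__main__":
    print("All severities:", round(average_days_of_risk(SAMPLE), 1))
    for band, (count, avg) in cumulative_by_severity(SAMPLE).items():
        print(f"{band}: {count} issues, {avg} average days of risk")
```

On the constructed data the all-severities average is about 62 days, while the Critical band alone is 0 days and Critical plus Important is 17.5; two Moderate and Low issues account for nearly all of the headline number, which is exactly the effect the severity filter above makes visible.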
Red Hat prioritise all vulnerabilities and fix first those that matter the most. I frequently publish our raw data and metrics at http://people.redhat.com/mjc/
Days-of-risk statistics only tell a small part of the story: studies show that customers take some time to apply patches even after a vendor has produced a security update, so the exposure window does not close on the day the fix ships. That is why last year we added Exec-Shield to Red Hat Enterprise Linux 3, which also included support for processor EDB (execute disable bit) and NX (no execute) technology, and why earlier this year Red Hat Enterprise Linux 4 shipped with Security Enhanced Linux turned on by default. These technologies are designed to reduce the impact of a security issue during the time it remains unpatched.