Full Disclosure mailing list archives

Re: Hotmail & Passport (.NET Accounts)


From: Mark J Cox <mjc () redhat com>
Date: Mon, 12 May 2003 10:44:40 +0100 (BST)

I sure hope that 
folk won't be sucked into bogus "MS released fewer IE patches last 
year" claims based solely on the year-on-year comparison of the 
number of patch releases (as indicated by security bulletin count).

Most vendors and even open source software projects roll up security
fixes, usually when issues are classed as minor or if several severe
issues can be announced and fixed at the same time.  To know how many
issues get rolled up you need to be able to count issues or
vulnerabilities and that can be quite subjective.  However we can
normalise on CVE data to get useful statistics:

Looking at point releases of Apache 1.3 and Apache 2.0 that contained
security fixes, each release fixed on average 1.63 vulnerabilities (44%
of releases fixed more than one issue, max 3 issues in one release).

Looking at Red Hat advisories from Jan 2000 to Apr 2002, each advisory for
Red Hat Linux fixed on average 1.54 vulnerabilities (18% of advisories
fixed more than one issue, max 11 issues in one advisory).

Cheers, Mark
-- 
Mark J Cox



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
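As an added illustration of the CVE normalisation the post describes (example code, not from the original post or from Red Hat or Apache), the following computes the per-advisory figures of the kind quoted above from a constructed advisory-to-CVE table. The advisory and CVE ids are placeholders, and the same CVE is deliberately listed under two advisories to show why bulletin count and issue count diverge.

```python
"""Roll-up statistics for security advisories, keyed on CVE ids.

Added example, not code from the original post. All data below is
constructed for illustration; the ids are placeholders, not real CVEs.
"""

# Constructed sample: advisory id -> CVE ids that advisory fixed.
ADVISORIES = {
    "RHSA-EXAMPLE-01": ["CVE-XXXX-0001"],
    "RHSA-EXAMPLE-02": ["CVE-XXXX-0002", "CVE-XXXX-0003"],
    "RHSA-EXAMPLE-03": ["CVE-XXXX-0004"],
    # Fixes four issues at once; CVE-XXXX-0002 re-fixed here (e.g. a
    # second affected package), so it must not be counted twice overall.
    "RHSA-EXAMPLE-04": ["CVE-XXXX-0005", "CVE-XXXX-0006",
                        "CVE-XXXX-0007", "CVE-XXXX-0002"],
}


def issues_per_advisory(advisories):
    """Distinct CVE count per advisory (an id repeated inside one
    advisory is still one issue)."""
    return {adv: len(set(cves)) for adv, cves in advisories.items()}


def rollup_stats(advisories):
    """Return (mean issues per advisory, share of advisories fixing more
    than one issue, max issues in a single advisory), rounded to 2 dp.

    These are the three figures the post uses to describe roll-ups."""
    counts = list(issues_per_advisory(advisories).values())
    if not counts:
        return (0.0, 0.0, 0)
    mean = round(sum(counts) / len(counts), 2)
    multi = round(sum(1 for c in counts if c > 1) / len(counts), 2)
    return (mean, multi, max(counts))


def distinct_issue_count(advisories):
    """Number of distinct vulnerabilities across all advisories, i.e. the
    quantity a year-on-year comparison should use instead of bulletin
    count."""
    return len({cve for cves in advisories.values() for cve in cves})


if __name__ == "__main__":
    print("advisories:", len(ADVISORIES))              # 4
    print("distinct issues:", distinct_issue_count(ADVISORIES))  # 7
    print("(mean, share>1, max):", rollup_stats(ADVISORIES))     # (2.0, 0.5, 4)
```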

