US-CERT needs to learn how to count

And people writing internet news need to pay attention to details.

In the last twelve hours, I have noted roughly fifty online articles touting the latest US-CERT Security Bulletin and its supposed finding that UNIX/Linux has three times as many vulnerabilities as Windows.

Pay attention, and do your homework! There are a number of popular flavors of UNIX, including HP-UX, Solaris, and AIX, and on the Linux front there are at least a hundred distributions. At last count, Microsoft Windows basically came in TWO flavors: the first consisting of Windows 95, 98, and Me, and the second of NT, 2000, and XP. By that reckoning, UNIX/Linux variants outnumber Windows by something like fifty to one, and since a bulletin of this kind lists one entry per vendor advisory, a single flaw in shared code can show up once for every distribution that ships a fix. That alone makes the upfront statements more than a bit suspect.

If we dig a little deeper into the government-sponsored list, we note that it also includes every application generally bundled with *NIX systems, including the Apache Web Server, the MySQL database, and even the Ethereal packet analyzer. Because those bundled items are open source, their vulnerabilities tend to get reported promptly and publicly. But those three, and many others, ARE ALSO AVAILABLE FOR WINDOWS, yet no vulnerabilities in them appear in the Windows list. Is US-CERT trying to say that those flaws don’t exist on the Windows platform, or are they simply not being reported there because the Windows ports are fairly obscure? Additionally, I noted on the Windows list that SQL Server 2000 occupied a single line, with a link to a statement describing “multiple vulnerabilities” and a link to Microsoft’s patch download area. A single line that stands for several flaws is hardly comparable to a list that gives each flaw its own entry. I don’t get it.
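To make the counting problem concrete, here is an added example, not from the original post and not based on the actual bulletin data: a small Python script over constructed bulletin-style rows that tallies the same list two ways, once by rows per platform bucket as the headlines did, and once by distinct issues credited to every platform the product actually runs on, collapsing an advisory repeated per distribution and expanding a row that stands for several flaws. The row data, product names and advisory labels are made up for illustration; only the method is the point.

```python
from collections import Counter

# Constructed sample rows, shaped like the entries in a weekly bulletin: one
# row per vendor advisory, filed under a platform bucket.  They are made up to
# exercise the three counting problems discussed above and are not taken from
# any real US-CERT bulletin; the "advisory" strings are placeholders, not real
# advisory or CVE identifiers.
ROWS = [
    # One kernel flaw, listed once for each distribution that shipped a fix.
    {"advisory": "KERNEL-A", "product": "Linux kernel",
     "bucket": "unix", "runs_on": {"unix"}, "issues_in_row": 1},
    {"advisory": "KERNEL-A", "product": "Linux kernel",
     "bucket": "unix", "runs_on": {"unix"}, "issues_in_row": 1},
    {"advisory": "KERNEL-A", "product": "Linux kernel",
     "bucket": "unix", "runs_on": {"unix"}, "issues_in_row": 1},
    # Cross-platform applications bundled with *NIX, filed only under "unix".
    {"advisory": "APACHE-B", "product": "Apache HTTP Server",
     "bucket": "unix", "runs_on": {"unix", "windows"}, "issues_in_row": 1},
    {"advisory": "MYSQL-C", "product": "MySQL",
     "bucket": "unix", "runs_on": {"unix", "windows"}, "issues_in_row": 1},
    {"advisory": "ETHEREAL-D", "product": "Ethereal",
     "bucket": "unix", "runs_on": {"unix", "windows"}, "issues_in_row": 1},
    # One Windows row whose linked notice covers several distinct flaws.
    {"advisory": "MSSQL-E", "product": "SQL Server 2000",
     "bucket": "windows", "runs_on": {"windows"}, "issues_in_row": 3},
    {"advisory": "IE-F", "product": "Internet Explorer",
     "bucket": "windows", "runs_on": {"windows"}, "issues_in_row": 1},
]


def naive_count(rows):
    """Rows per bucket: the way a headline 'three to one' figure gets made."""
    return Counter(row["bucket"] for row in rows)


def corrected_count(rows):
    """Distinct issues per platform the affected product actually ships on.

    Three corrections to the raw row count:
      * an advisory repeated once per distribution is counted once;
      * a row that stands for several flaws contributes all of them;
      * a cross-platform product's flaw is credited to every platform it
        runs on, not only to the bucket the row happened to be filed under.
    """
    seen = set()
    totals = Counter()
    for row in rows:
        if row["advisory"] in seen:
            continue
        seen.add(row["advisory"])
        for platform in row["runs_on"]:
            totals[platform] += row["issues_in_row"]
    return totals


def unix_to_windows_ratio(counts):
    """The headline number: unix count divided by windows count."""
    return counts["unix"] / counts["windows"]


if __name__ == "__main__":
    for label, counts in (("rows per bucket", naive_count(ROWS)),
                          ("distinct issues per platform", corrected_count(ROWS))):
        print(f"{label}: unix={counts['unix']} windows={counts['windows']} "
              f"ratio={unix_to_windows_ratio(counts):.2f}")
```

With these made-up rows the raw count gives exactly the headline three-to-one, while the corrected tally goes the other way. The specific numbers mean nothing, but the swing shows how much the answer depends on what a "vulnerability" line is taken to mean.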

Someone needs to do a more thorough analysis of this list; until then, I am considering its headlined conclusions nothing more than general bunk.