Posted by: kurtsh | October 28, 2008

REPORT: H1 2008 Desktop OS Vendor Report – Vulnerabilities & Days-of-Risk

In the wake of the MS08-067 rapid deployment, I see fit to point to Jeff Jones’ most recent publication (today!) of his highly respected security report comparing operating system security vulnerabilities & days-of-risk across platforms.  Download it and see the risks across platforms for yourself.


imageThis report looks at all of the vulnerabilities fixed by Apple, Microsoft, Red Hat and Ubuntu during the first half of 2008. At the vendor level, the report examines all vulnerabilities as well as Days of Risk (DoR) associated with those vulnerabilities. The report further drills down to examine just those issues affecting the commonly installed desktop operating system components.

The key findings for 1H08:

  • The four vendors fixed a total 585 vulnerabilities in 1H08. 26.8% affected multiple vendors and of those, only 8 were fixed on the same day – the rest had an average 35 day delay between the first available fix and the last available fix..
  • Microsoft had the lowest average Days of Risk for all vulnerabilities fixed at 24.22 days, with the next closest vendor at 72 days.
  • For desktop OS vulnerabilities, Windows Vista had the fewest vulnerabilities in 1H08 at 21. The next lowest number was Windows XP SP2 at 26.
  • Windows Vista customers experienced full or partial mitigation for 46% of the 26 vulnerabilities affecting Windows XP SP2 in 1H08, but also experienced one additional vulnerability in new code.

In addition to these measurements for the vendors and products, the body of the report also provides weighted analysis which provides a lesser consideration for lower severity issues. Please read the full report for details.


%d bloggers like this: