CSO: Average OS Days of Risk (DoR)

This morning a friend pointed me to a blog entry over at CSO. This blog is attempting to compute the average days of risk (DoR) between Linux, Windows and Apple.

Just looking over the data pretty quickly, a couple of issues came to mind.

1) It would appear that vendors that normally release megapatches would fair better in the results (i.e., Windows & Apple), however this advantage may have been canceled out largely by the averaging.

Note that for the process, I took a union of the vulnerabilities and combined any vulnerability into one instance if it was fixes on multiple OS versions on the same day. For example, if a public vuln was fixed in SLES9 and SLES10 on the same day, it counted as only one instance. If the same vuln was fixed in SLES9 and SLES10 on different days, say a week apart, then it counted as two different instances in calculating the averages.

If one vuln was fixed in multiple components of a single product on different days, then the vuln was only considered fixed once the final component was fixed. For example, if a vulnerability was public on January 1st that affected both Firefox and Thunderbird in RHEL3 and a patch was released for Firefox on January 10th and Thunderbird on January 15th, this would count as one instance for RHEL3 have 15 DoR (and not 2 instances with lengths of 10 and 15, respectively).

2) Several factors are not taken into account in this comparison. Were exploits released for a certain vulnerability? Out of those, which were being actively exploited before a patch was released? Did the first patch fix the hole, or was a second patch needed? What about slient fixes for issues that were not released publicly? These are issues that relate directly to vulnerability risk management.

3) While it is beyond the scope of the CSO blog, I think it is important to note that certain software isn't updated by users as often as it should. For example, Secunia released numbers in March of 2007 that shows that Quicktime was three times more dangerous than IE, due to users not patching properly. Again, this directly related to risk as seen from the user angle.

4) Just look at the author bio, Jeff Jones, for conflict of interest issues.

Jeff Jones is a Security Strategy Director in Microsoft’s Trustworthy Computing group. In this role, Jeff draws upon his security experience to work with enterprise CSOs and Microsoft's internal security teams to drive practical and measurable security improvements into Microsoft process and products. Prior to his strategic position at Microsoft, Jeff was the vice president of product management for security products at Network Associates where his responsibilities included PGP, Gauntlet and Cybercop products, and several improvements in the McAfee product line.

Overall, I believe CSO had the right idea, but slightly missed the mark. Attempting to compute DoRs requires pulling together so much information that is almost mind numbing.