So let's take a look at the security vulnerability advisories in 2007 listed for each of the major Unix operating systems -- IBM's AIX, Hewlett-Packard's HP-UX, and Sun Microsystems' Solaris. The comparison looks at versions that were released for the entirety of the year, which means Solaris 10, HP-UX 11 and AIX 5 (AIX 6 wasn't released until November).
It's like golf...the lowest score wins
First, let's take a look at which operating system had the most vulnerability advisories:
- According to Secunia, Solaris 10 had the most vulnerabilities reported in 2007 with 88. That works out to about 7 per month.
- In the middle was HP-UX 11 with 29 vulnerabilities reported for the year. That's about 2 per month.
- In the front was AIX 5 with 17 advisories. That's like 1.5 per month.
One thing to keep in mind with Solaris 10 is that it runs on x86 as well as Sparc, which may account for the higher numbers. A curious side note: Red Hat Enterprise Linux Advanced Server 4 had 123 advisories. But this is only the surface of the vulnerabilities. What is more important is how serious the security advisories were and whether they've been patched.
Criticality and patch status
Secunia rates vulnerabilities on a five-point scale from extremely critical to not critical. In between are highly, moderately and less critical. For example, extremely critical usually refers to a remotely exploitable vulnerability that can lead to system compromise. At the other end, non-critical vulnerabilities are typically for those that involve "limited privilege escalation" and local denial of service issues.
Here's the good news: None of the major Unix operating systems had any extremely critical vulnerabilities in 2007. Some other stats:
- AIX had 47% moderately critical and 53% less critical vulnerabilities. None of them were unpatched.
- HP-UX had 21% highly, 45% moderately, 24% less, and 10% not critical. Two of its 29 vulnerabilities (7%) were unpatched.
- Solaris had 19% highly, 20% moderately, 30% less, and 31% not critical. Seven of its 88 vulnerabilities (8%) were unpatched.
What kind, what kind?
In addition to knowing quantity, severity and status, it's also crucial to know what kind of vulnerabilities they were. Secunia lists 12 different kinds of "impacts," including denial of service (DoS), privilege escalation and spoofing. So depending on which Unix variant you're running, this list can give you a good idea of what to watch for. Here's the rundown for the Unix operating systems.
- The most vulnerabilities in HP-UX were DoS (33%), followed by system access (29%) and security bypass (16%).
- Solaris also had most of its vulnerabilities in DoS (45%), followed by system access (23%) and privilege escalation (13%).
- AIX was a little different. Most of its vulnerabilities were in privilege escalation (36%), followed by DoS (27%) and system access (9%).
This was first published in January 2008