Comparing Unix operating system vulnerabilities


Mark Fontecchio, News Writer
01.17.2008

Secunia is a well-known Danish company that tracks security vulnerabilities and viruses for thousands of software programs and operating systems. Vendors will often use information from Secunia to show how robust and secure their software is.

So let's take a look at the security vulnerability advisories in 2007 listed for each of the major Unix operating systems -- IBM's AIX, Hewlett-Packard's HP-UX, and Sun Microsystems' Solaris. The comparison looks at versions that were available for the entire year, which means Solaris 10, HP-UX 11 and AIX 5 (AIX 6 wasn't released until November).

It's like golf...the lowest score wins
First, let's take a look at which operating system had the most vulnerability advisories:

  • According to Secunia, Solaris 10 had the most vulnerabilities reported in 2007 with 88. That works out to about 7 per month.
  • In the middle was HP-UX 11 with 29 vulnerabilities reported for the year. That's about 2 per month.
  • Out in front was AIX 5 with 17 advisories. That's about 1.5 per month.

One thing to keep in mind with Solaris 10 is that it runs on x86 as well as Sparc, which may account for the higher numbers. A curious side note: Red Hat Enterprise Linux Advanced Server 4 had 123 advisories. But the raw counts only scratch the surface. What is more important is how serious the security advisories were and whether they've been patched.

Criticality and patch status
Secunia rates vulnerabilities on a five-point scale from extremely critical to not critical. In between are highly, moderately and less critical. For example, extremely critical usually refers to a remotely exploitable vulnerability that can lead to system compromise. At the other end, non-critical vulnerabilities typically involve "limited privilege escalation" and local denial of service issues.

Here's the good news: None of the major Unix operating systems had any extremely critical vulnerabilities in 2007. Some other stats:

  • AIX had 47% moderately critical and 53% less critical vulnerabilities. None of them were unpatched.
  • HP-UX had 21% highly, 45% moderately, 24% less, and 10% not critical. Two of its 29 vulnerabilities (7%) were unpatched.
  • Solaris had 19% highly, 20% moderately, 30% less, and 31% not critical. Seven of its 88 vulnerabilities (8%) were unpatched.

What kind, what kind?
In addition to knowing quantity, severity and status, it's also crucial to know what kind of vulnerabilities they were. Secunia lists 12 different kinds of "impacts," including denial of service (DoS), privilege escalation and spoofing. So depending on which Unix variant you're running, this list can give you a good idea of what to watch for. Here's the rundown for the Unix operating systems.

  • The most common vulnerabilities in HP-UX were DoS (33%), followed by system access (29%) and security bypass (16%).
  • Solaris also had most of its vulnerabilities in DoS (45%), followed by system access (23%) and privilege escalation (13%).
  • AIX was a little different. Most of its vulnerabilities were in privilege escalation (36%), followed by DoS (27%) and system access (9%).
