Comparing Unix operating system vulnerabilities

In this tip, SearchDataCenter.com looks at operating system vulnerability advisories from Secunia in 2007 for the three major Unix operating systems – AIX, HP-UX and Solaris.

Secunia is a well-known Danish company that tracks security vulnerabilities and viruses for thousands of software programs and operating systems. Vendors will often use information from Secunia to show how robust and secure their software is.

So let's take a look at the security vulnerability advisories in 2007 listed for each of the major Unix operating systems -- IBM's AIX, Hewlett-Packard's HP-UX, and Sun Microsystems' Solaris. The comparison looks at versions that were in release for the entirety of the year, which means Solaris 10, HP-UX 11 and AIX 5 (AIX 6 wasn't released until November).

It's like golf...the lowest score wins
First, let's take a look at which operating system had the most vulnerability advisories:

  • According to Secunia, Solaris 10 had the most vulnerabilities reported in 2007 with 88. That works out to about 7 per month.
  • In the middle was HP-UX 11 with 29 vulnerabilities reported for the year. That's about 2 per month.
  • In the front was AIX 5 with 17 advisories. That's about 1.5 per month.

One thing to keep in mind with Solaris 10 is that it runs on x86 as well as Sparc, which may account for the higher numbers. A curious side note: Red Hat Enterprise Linux Advanced Server 4 had 123 advisories. But advisory counts only scratch the surface. What is more important is how serious the security advisories were and whether they've been patched.

Criticality and patch status
Secunia rates vulnerabilities on a five-point scale from extremely critical to not critical. In between are highly, moderately and less critical. For example, extremely critical usually refers to a remotely exploitable vulnerability that can lead to system compromise. At the other end, vulnerabilities rated not critical typically involve "limited privilege escalation" and local denial of service issues.

Here's the good news: None of the major Unix operating systems had any extremely critical vulnerabilities in 2007. Some other stats:

  • AIX had 47% moderately critical and 53% less critical vulnerabilities. None of them were unpatched.
  • HP-UX had 21% highly, 45% moderately, 24% less, and 10% not critical. Two of its 29 vulnerabilities (7%) were unpatched.
  • Solaris had 19% highly, 20% moderately, 30% less, and 31% not critical. Seven of its 88 vulnerabilities (8%) were unpatched.

What kind, what kind?
In addition to knowing quantity, severity and status, it's also crucial to know what kind of vulnerabilities they were. Secunia lists 12 different kinds of "impacts," including denial of service (DoS), privilege escalation and spoofing. So depending on which Unix variant you're running, this list can give you a good idea of what to watch for. Here's the rundown for the Unix operating systems.

  • The most common vulnerabilities in HP-UX were DoS (33%), followed by system access (29%) and security bypass (16%).
  • Solaris also had most of its vulnerabilities in DoS (45%), followed by system access (23%) and privilege escalation (13%).
  • AIX was a little different. Most of its vulnerabilities were in privilege escalation (36%), followed by DoS (27%) and system access (9%).

Let us know what you think about the story; email Mark Fontecchio, News Writer.