mark :: blog
Earlier this month, Steve Christey posted a draft report of the Vulnerability Type Distributions in CVE. The report notes, amongst other things, some differences between open and closed source vendors. I thought it would be more interesting to focus on just one of our released distributions to see if it made a difference to the trends. Steve kindly provided some reports based on a list of CVE names I gave him, and this led to the analysis and these two graphs.
First, the Vulnerability Type Distribution graph. This is not really a big surprise: the most common vulnerabilities we fix are buffer overflows. Technologies such as ExecShield (PIE, support for NX, FORTIFY_SOURCE and so on) were designed specifically to reduce the risk of this flaw type being exploitable. Secondly, compared to the industry as a whole we fix far fewer web application flaws such as cross-site scripting or SQL injection. This result is to be expected, as most of these are in PHP web applications we don't ship in our distributions.
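Since the post credits ExecShield features such as PIE and NX with reducing the impact of the buffer overflows that dominate the distribution, a practical follow-up is to verify a shipped binary actually carries them. This added example (not code from the post or from Red Hat) reads a little-endian ELF64 image and reports whether it is position independent (ET_DYN) and whether its PT_GNU_STACK header marks the stack non-executable; the sample ELF images are constructed inline.

```python
import struct
import sys

ET_EXEC, ET_DYN = 2, 3              # e_type values: fixed-address vs. PIE
PT_LOAD, PT_GNU_STACK = 1, 0x6474E551
PF_X, PF_W, PF_R = 0x1, 0x2, 0x4

def elf_hardening(data: bytes) -> dict:
    """Report PIE and NX-stack status for a little-endian ELF64 image."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    if data[4] != 2 or data[5] != 1:
        raise ValueError("only little-endian ELF64 is handled here")
    e_type = struct.unpack_from("<H", data, 0x10)[0]
    e_phoff = struct.unpack_from("<Q", data, 0x20)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 0x36)
    gnu_stack_flags = None
    for i in range(e_phnum):
        p_type, p_flags = struct.unpack_from("<II", data, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_STACK:
            gnu_stack_flags = p_flags
    return {
        "pie": e_type == ET_DYN,
        # No PT_GNU_STACK at all means the loader falls back to an executable stack,
        # so only an explicit header without PF_X counts as NX.
        "nx_stack": gnu_stack_flags is not None and not (gnu_stack_flags & PF_X),
    }

def make_elf(e_type: int, phdrs: list) -> bytes:
    """Build a constructed minimal ELF64 image (header + program headers) for testing."""
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8
    header = ident + struct.pack("<HHIQQQIHHHHHH", e_type, 62, 1, 0, 64, 0, 0,
                                 64, 56, len(phdrs), 64, 0, 0)
    body = b"".join(struct.pack("<IIQQQQQQ", t, f, 0, 0, 0, 0, 0, 0) for t, f in phdrs)
    return header + body

# Constructed samples: a hardened PIE with a non-executable stack, and a legacy
# fixed-address executable whose stack is still marked executable.
HARDENED = make_elf(ET_DYN, [(PT_LOAD, PF_R | PF_X), (PT_GNU_STACK, PF_R | PF_W)])
LEGACY = make_elf(ET_EXEC, [(PT_LOAD, PF_R | PF_X), (PT_GNU_STACK, PF_R | PF_W | PF_X)])

if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            print(sys.argv[1], elf_hardening(f.read()))
    else:
        print("hardened sample:", elf_hardening(HARDENED))
        print("legacy sample:  ", elf_hardening(LEGACY))
```

Pass a real binary path to inspect a file from your own system; FORTIFY_SOURCE is not detectable from the headers alone and is left out here.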
Created: 24 Oct 2006
Tagged as: cve, metrics, red hat, security
Hi! I'm Mark Cox. This blog gives my thoughts and opinions on my security work, open source, fedora, home automation, and other topics.