For 2005, Microsoft fixed 37 critical issues with an average of 46 days from the flaw being known to the public to them having a patch available.
For 2005, Red Hat (across all products) fixed 21 critical issues with an average of 1 day from the flaw being known to the public to having a patch available. (To get the list and a XML spreadsheet, grab the data set mentioned in my previous blog and run "perl daysofrisk.pl --distrib all --datestart 20050101 --dateend 20051231 --severity C").
(The blog also looks at the time between notification to the company and a patch, whilst daysofrisk.pl currently doesn't report that, the raw data is there and I just need to coax it out to see how we compare to the 133 days for Microsoft)
But don't take my word for it, a people.redhat.com/mjc download the raw data files and the perl script and run it yourself, in this case
perl daysofrisk.pl --datestart 20050101 --dateend 20051231 --severity C --distrib rhel3
Different distributions, dates, and so on will give you different results, so you might like to customize it to see how well we did fixing the vulnerabilities that you cared about. (Zero days of risk doesn't always mean we knew about issues in advance either, the reported= date in the cve_dates.txt file can help you see when we got advance notice of an issue).
Turns out that on the Hitachi PD7200 plasma this is a serial port that is enabled by default, so you just need to know the right protocol and you can talk to the plasma. I don't have a PC close to the plasma, but last year I did buy some Lantronix MSS100 devices which have a 10/100 ethernet connection at one end, and a serial RS232 port at the other. I was't quite sure what I'd use them for, but for under 50 pounds each they seemed like a bargain at the time.
Hitachi technical support replied to my query within hours and sent me a couple of PDF documents outlining the protocol, so this was going to be much easier than guesswork.
Knowing the filename, google found this online version, Hitachi control protocol, pdf
A small amount of perl later, and I had script that could query the TV to find out various things (settings, channel, and interestingly the number of hours the TV has been on since it started life). The script can also get the TV to do various things like turn itself on and off and select channels.
Hitachi Plasma control (perl, 2k)
So now I have to think of a use for this. I guess I could get the TV to change channels when some event occurs (like one of the motion sensors triggering) or perhaps daily grab the TV panel lifetime to see how many hours of TV we watch a day (and perhaps what channels). Perhaps I could automatically dim the lights and select cinema mode if the channel is changed to DVD (although I could do that just using a programmable remote). I'm sure I'll think of a use for this eventually, but it was a fun diversion for a cold and wet Scottish weekend.
One of the top reasons that machines fall foul to security exploits is when they are not kept up to date with security issues. So it follows that to protect users a vendor needs to make security updates as easy and painless as possible. At conferences I highlight that one of the important things a Linux distribution gives you are updates across your entire stack - you don't need to use one system to grab your OS updates, another to get updates to your office application, the built-in update system in your Money tool, a manual update for Flash, and so on.
Red Hat released updates to PHP to correct this vulnerability for Red Hat Enterprise Linux 3 and 4 in July 2005. Red Hat Enterprise Linux 2.1 was not affected by this vulnerability. Fedora Core 4 and Fedora Core 3 also got updates in July.
Our analysis showed that the default SELinux targeted policy on Enterprise Linux 4 would have blocked the specific instances of this worm seen so far, but is not sufficient to block a worm written differently from exploiting this vulnerability if left unpatched. Time to make sure all your servers are up2date!
A simple source code change from using gdk_pixbuf_render_pixmap_and_mask(a,b,c,d) to gdk_pixbuf_render_pixmap_and_mask_for_colormap(a,gtk_colormap_get_system(),b,c,d) solved it.
The unit is very cute and got a lot of attention when I showed it off last weekend; but there are a few niggles - the biggest is a lack of a docking station. It's also far worse at picking up the weak wireless signal in the house than the Orinoco pcmcia cards.
The kernel accounted for 14% of all the vulnerabilities fixed, followed closely by mozilla (11%), ethereal (9%), squid (4%), gaim (4%), httpd (3%), php (3%), krb5 (2%).
In fact, half of all the vulnerabilities fixed are in only those 8 packages, and just 20 packages comprise of two-thirds of all vulnerabilities.
But we fix a large number of security issues rated as 'low' severity which can influence the data. So if we weight vulnerabilities by severity (I used a metric of "Critical *100 + Important*20 + Moderate*5 + Low") then you get this list:
Enterprise Linux 3 top 10 packages with the most 'more severe' issues:
Repeating this same process for Enterprise Linux 4, Firefox replaces Mozilla in the #1 position, thunderbird, HelixPlayer, and evolution (all new packages for Enterprise Linux 4) make the top 10 displacing libpng, cups, php, cvs.
Out of all those Red Hat Enterprise Linux vulnerablities, only 2 were critical based on the Microsoft severity scale. That means only 2 vulnerabilities could have potentially allowed a worm to spread without interaction. Out of the Microsoft vulnerabilities there are 8 critical.
So whilst it might be harder to hold 200 sweets in your hand without dropping a few, I'd rather be holding 200 sweets and 2 ticking timebombs than 30 sweets and 8 ticking timebombs.