Nobody likes security patching, but for the time being at least, it’s a necessary evil for everyone, regardless of which operating system you use. With this issue we begin a monthly summary of security bulletins for three leading operating systems: Red Hat Enterprise Linux ES (v. 4), SUSE Linux Enterprise Server 10 and Windows Server 2003 Enterprise Edition. We don’t intend for you to use this as a trigger for your patch management process – you should already be subscribed to your vendor’s respective security bulletin notification services. But taking a periodic break from the patch management grind can be refreshing and informative. Indeed, a little bit of simple trend analysis and comparison can be illuminating when it comes to the matter of security patching and different operating systems.

In each issue, you’ll find a bar chart showing the total number of security patches for each OS for the preceding three months or so. To get a month-by-month view and compare to previous months, you’ll also find a line chart showing the total number of security bulletins for each OS over the past three months. If you are interested in the detailed data upon which the charts are based, you can peruse the lists of security bulletins for each OS below and follow the supplied link to each vendor’s respective Web page where security bulletins are published.

Of course, charts never tell the whole story because they are by definition a summarization of data. Each patch can vary greatly by a number of different factors. For instance, patches vary in terms of severity; some patches just aren’t as serious as others. Depending on your particular security requirements and risk posture, vulnerability type may make a big difference to you in terms of how important the corresponding patch is. Maybe denial-of-service vulnerabilities are a lot less important to you than remote code exploits that allow the attacker to execute arbitrary code in the security context of the system itself. Likewise, many of the exploits discovered pose a greater risk to systems used as end-user workstations than to a server under normal usage patterns, managed by administrators who follow important best practices such as avoiding end-user activities like web browsing while logged on at a server.

On the other hand, every patch that needs to be deployed has definite costs associated with it in terms of impact analysis, testing, installation and follow-up. At the same time, some of the costs related to patching can be mitigated, depending on the quality of an organization’s management tools stack. So, simple comparisons of quantities of patches could be misleading if you use them as an inflexible yardstick, but they serve a purpose if you use such summaries as a starting place for your analysis. When you find a trend that looks significant, be willing to drill down and look at the details to make sure you are getting the right picture. Consider the severity, vulnerability type and mitigating factors, among other data, to tell the whole story.
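
As an added example (not part of the original article), the per-OS, per-month counts behind the charts can be reproduced from the bulletin lists and broken down by severity, which is the first drill-down step described above. The vendor-by-ID-prefix mapping and the two rows marked as constructed are assumptions of this sketch; rows that do not parse are reported rather than silently counted.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Assumption: the vendor is inferred from the advisory ID prefix.
VENDORS = {"SUSE-SA": "SUSE", "RHSA": "Red Hat", "MS": "Windows"}

# Rows in the lists' "date, title, severity, id" format; the last two are constructed.
SAMPLE = """\
• 2/27/2007, Linux Kernel, Important, SUSE-SA:2007:018
• 1/9/2007, Sun Java security update, Critical, SUSE-SA:2007:003
• 02/26/07, seamonkey security update, Critical, RHSA-2007:0077
• 12/06/06, mod_auth_kerb security update, Low, RHSA-2006:0746
• 2/13/2007, Vulnerability in HTML Help ActiveX Control Could Allow Remote Code Execution (928843), Critical, MS07-008
• 3/1/2007, example package, with comma in title, Moderate, SUSE-SA:0000:000
• 3/5/200, example truncated year, Important, RHSA-0000:0000
"""

def parse_date(text):
    for fmt in ("%m/%d/%Y", "%m/%d/%y"):  # the lists mix 4- and 2-digit years
        try:
            return datetime.strptime(text, fmt).date()
        except ValueError:
            pass
    return None

def parse_row(line):
    """Return (vendor, date, title, severity, advisory_id), or None if malformed."""
    body = line.lstrip("• ").strip()
    try:
        date_text, rest = body.split(", ", 1)
        # Titles may contain commas, so take severity and ID from the right.
        title, severity, adv_id = rest.rsplit(", ", 2)
    except ValueError:
        return None
    when = parse_date(date_text)
    vendor = next((v for p, v in VENDORS.items() if adv_id.startswith(p)), None)
    if when is None or vendor is None:
        return None
    return vendor, when, title, severity, adv_id

def summarize(text):
    """Tally severities per (vendor, 'YYYY-MM'); collect rows that failed to parse."""
    tally, rejected = defaultdict(Counter), []
    for line in filter(None, map(str.strip, text.splitlines())):
        row = parse_row(line)
        if row is None:
            rejected.append(line)
        else:
            tally[(row[0], row[1].strftime("%Y-%m"))][row[3]] += 1
    return tally, rejected
```

Calling `summarize(SAMPLE)` returns the per-month severity tallies together with the rejected rows, so a truncated or mistyped date shows up as a data-quality item instead of skewing a month's total.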

SUSE Linux Enterprise Server 10 http://www.novell.com/linux/security/advisories.html

• 2/27/2007, Linux Kernel, Important, SUSE-SA:2007:018

• 2/23/2007, clamav 0.90 remote denial of service, Important, SUSE-SA:2007:017

• 2/15/2007, samba remote denial of service, Important, SUSE-SA:2007:016

• 1/30/2007, bind remote denial of service, Important, SUSE-SA:2007:014

• 1/23/2007, xine, Moderate, SUSE-SA:2007:013

• 1/23/2007, squid, Moderate, SUSE-SA:2007:012

• 1/15/2007, Opera 9.10 remote code execution, Important, SUSE-SA:2007:009

• 1/12/2007, XFree86/Xorg local privilege escalation, Important, SUSE-SA:2007:008

• 1/12/2007, cacti cmd injection, Important, SUSE-SA:2007:007

• 1/12/2007, mozilla remote denial of service, Important, SUSE-SA:2007:006

• 1/10/2007, w3m remote denial of service, Important, SUSE-SA:2007:005

• 1/10/2007, krb5 remote denial of service, Important, SUSE-SA:2007:004

• 1/9/2007, Sun Java security update, Critical, SUSE-SA:2007:003

• 1/4/2007, mono-web ASP.net sourcecode disclosure, Moderate, SUSE-SA:2007:002

• 12/29/2007, Mozilla Firefox, Thunderbird remote code execution, Important, SUSE-SA:2006:080

• 12/21/2007, Linux kernel, Important, SUSE-SA:2006:079

• 12/18/2007, clamav 0.88.7 remote denial of service, Important, SUSE-SA:2006:078

• 12/14/2007, flash-player CRLF injection, Important, SUSE-SA:2006:077

• 12/14/2007, libgsf buffer overflows, Critical, SUSE-SA:2006:076

• 12/13/2007, gpg remote code execution, Critical, SUSE-SA:2006:075

• 12/1/2007, mono local privilege escalation, Important, SUSE-SA:2006:073

Red Hat Enterprise Linux ES (v. 4) http://rhn.redhat.com/errata/rhel4es-errata-security.html

• 02/27/07, kernel security update, Important, RHSA-2007:0085

• 02/26/07, seamonkey security update, Critical, RHSA-2007:0077

• 02/23/07, Firefox security update, Critical, RHSA-2007:0079

• 02/21/07, spamassassin security update, Important, RHSA-2007:0074

• 02/20/07, gnomemeeting security update, Critical, RHSA-2007:0086

• 02/19/07, php security update, Important, RHSA-2007:0076

• 02/15/07, ImageMagick security update, Moderate, RHSA-2007:0015

• 02/15/07, samba security update, Moderate, RHSA-2007:0060

• 02/08/07, dbus security update, Moderate, RHSA-2007:0008

• 02/07/07, postgresql security update, Moderate, RHSA-2007:0064

• 02/06/07, bind security update, Moderate, RHSA-2007:0044

• 01/31/07, fetchmail security update, Moderate, RHSA-2007:0018

• 01/31/07, squirrelmail security update, Moderate, RHSA-2007:0022

• 01/30/07, kernel security update, Important, RHSA-2007:0014

• 01/24/07, gtk2 security update, Moderate, RHSA-2007:0019

• 01/11/07, libgsf security update, Moderate, RHSA-2007:0011

• 01/10/07, xorg-x11 security update, Important, RHSA-2007:0003

• 01/03/07, openoffice.org security update, Important, RHSA-2007:0001

• 12/19/06, tar security update, Moderate, RHSA-2006:0749

• 12/19/06, firefox security update, Critical, RHSA-2006:0758

• 12/19/06, seamonkey security update, Critical, RHSA-2006:0759

• 12/19/06, thunderbird security update, Critical, RHSA-2006:0760

• 12/12/06, gnupg security update, Important, RHSA-2006:0754

• 12/06/06, mod_auth_kerb security update, Low, RHSA-2006:0746

Windows Server 2003 Enterprise Edition http://www.microsoft.com/technet/security/default.mspx

• 2/13/2007, Vulnerability in Step-by-Step Interactive Training Could Allow Remote Code Execution (923723), Important, MS07-005

• 2/15/2007, Vulnerability in Windows Shell Could Allow Elevation of Privilege (928255), Important, MS07-006

• 2/13/2007, Vulnerability in Windows Image Acquisition Service Could Allow Elevation of Privilege (927802), Important, MS07-007

• 2/13/2007, Vulnerability in HTML Help ActiveX Control Could Allow Remote Code Execution (928843), Critical, MS07-008

• 2/13/2007, Vulnerability in Microsoft OLE Dialog Could Allow Remote Code Execution (926436), Important, MS07-011

• 2/13/2007, Vulnerability in Microsoft MFC Could Allow Remote Code Execution (924667), Important, MS07-012

• 2/28/2007, Vulnerability in Microsoft RichEdit Could Allow Remote Code Execution (918118), Important, MS07-013

• 2/21/2007, Cumulative Security Update for Internet Explorer (928090), Critical, MS07-016

• 1/9/2007, Vulnerability in Vector Markup Language Could Allow Remote Code Execution (KB929969), Critical, MS07-004

• 12/12/2006, Cumulative Security Update for Internet Explorer (KB925454), Critical, MS06-072

• 12/12/2006, Vulnerability in SNMP Could Allow Remote Code Execution (KB926247), Important, MS06-074

• 12/12/2006, Cumulative Security Update for Outlook Express (KB923694), Important, MS06-076

• 12/12/2006, Vulnerability in Windows Media Format Could Allow Remote Code Execution (KB923689), Critical, MS06-078