CERT's Year-End Vulnerability Summary

The Computer Emergency Response Team (CERT) posted its 2005 Year-End Index, which is a summary of bulletins published by CERT in 2005. According to the report, there were 812 Windows operating system vulnerabilities, 2328 Unix/Linux operating vulnerabilities, and 2058 multiple operating system vulnerabilities. Don't let the numbers alone lead you to conclusions.

Based on the surface of such reports some people might exclaim that Unix and Linux systems are far less secure than Windows. However, numbers alone don't give a clear picture. Many other factors come into play when considering the overall security of an operating system.

The nature of vulnerabilities of course plays an important role. Another factor is the number of operating system versions in any given category. For example, there are several versions of Windows especially when considering the different varieties of a given version. The same basic premise holds true for Linux- and Unix-based operating systems.

The debate over which operating system is more secure has long been a point of rivalry. A true answer can only be arrived at by also considering a particular context in which the operating system will be used. 

One of the sundry values of CERT's extensive annual report is that it provides an interesting recap of how security researchers fared in their discovery work over the last twelve months. CERT issued bulletins for some 5198 vulnerabilities in 2005. Add to that the numerous other vulnerabilities that were discovered in 2005, but were not part of a bulletin issued by CERT, and we can conclude that security researchers were a very, very busy group.