IBM’s X-Force published its new 2008 annual report. In it they had this chart:
What is surprising is that IBM puts one of its own OSes near the bottom of the list. Some of my opinions are:
1. No one uses AIX that much, so no one looks for holes in the code.
2. Anyone who uses AIX doesn’t have it directly connected to the Internet.
3. It is so cost-prohibitive to use that people are looking at Solaris, Linux or Windows to run their business on.
But the funniest thing about this is that, the last time I used AIX, the following were still the defaults on install from IBM:
1. telnet enabled
2. remote root logins allowed
3. no SSH comes with the OS; you have to install a crappy “Linux toolkit” and then install another 10 different packages to get SSH enabled
4. no RBAC
5. no syslog configuration at all
6. root does not even have a password on install
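Four of the six defaults above are plain file settings, so they can be checked mechanically before a box goes anywhere near a network. What follows is an added example written for this page, not code from IBM or from the original post: a POSIX sh audit that parses AIX-style inetd.conf, /etc/security/user, /etc/security/passwd and syslog.conf files, flags telnet, remote root login, an empty root password and a syslog.conf with every rule commented out, and prints the usual AIX fix for each (`refresh -s inetd`, `chuser rlogin=false root`, `passwd root`, `refresh -s syslogd`). The RBAC and SSH-packaging items are not file checks and are left out. The sample files it writes are constructed for the demonstration; the stanza-file layout it assumes (a `name:` header followed by indented `attr = value` lines), the `rlogin` attribute defaulting to `true` when absent, and `PLACEHOLDER_HASH` standing in for a real hash are assumptions stated in the comments.

```shell
#!/bin/sh
# Added example, not from the original post: audit AIX-style configuration files for
# the weak install defaults listed above. Every path is a parameter so the checks run
# against constructed sample files on any POSIX sh; on a real AIX box you would pass
# /etc/inetd.conf, /etc/security/user, /etc/security/passwd and /etc/syslog.conf.

# True when an uncommented telnet service line is present (inetd format).
telnet_enabled() {
    grep -Eq '^[[:space:]]*telnet[[:space:]]' "$1"
}

# Print one attribute from an AIX stanza file ("name:" header, "attr = value" lines).
# $1 file, $2 stanza, $3 attribute. Exit 1 when the stanza has no such attribute.
stanza_attr() {
    awk -v stanza="$2" -v attr="$3" '
        /^[^ \t#*].*:[ \t]*$/ { cur = $1; sub(/:$/, "", cur); next }
        cur == stanza && $1 == attr && $2 == "=" { print $3; found = 1; exit }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# True when root may log in over telnet/rlogin: the rlogin attribute in root's own
# stanza wins, else the default stanza, else the assumed built-in default of true.
remote_root_login_allowed() {
    v=$(stanza_attr "$1" root rlogin) || v=$(stanza_attr "$1" default rlogin) || v=true
    [ "$v" = "true" ]
}

# True when root's password attribute is empty or absent. A value of "*" is a locked
# entry rather than an empty one and is deliberately not flagged here.
root_has_no_password() {
    v=$(stanza_attr "$1" root password) || return 0
    [ -z "$v" ]
}

# True when at least one syslog rule is active (not blank, not commented out).
syslog_configured() {
    grep -Eq '^[[:space:]]*[^#[:space:]]' "$1"
}

# $1 inetd.conf, $2 security/user, $3 security/passwd, $4 syslog.conf.
# Prints one "WEAK:" line per finding with the usual AIX fix; returns 1 if any found.
audit_aix_defaults() {
    findings=0
    if telnet_enabled "$1"; then
        echo "WEAK: telnet enabled in $1 (comment the line out, then: refresh -s inetd)"
        findings=$((findings + 1))
    fi
    if remote_root_login_allowed "$2"; then
        echo "WEAK: remote root login allowed by $2 (chuser rlogin=false root)"
        findings=$((findings + 1))
    fi
    if root_has_no_password "$3"; then
        echo "WEAK: root has no password in $3 (passwd root)"
        findings=$((findings + 1))
    fi
    if ! syslog_configured "$4"; then
        echo "WEAK: no active rule in $4 (touch the log file, add a rule, then: refresh -s syslogd)"
        findings=$((findings + 1))
    fi
    [ "$findings" -eq 0 ]
}

# Constructed sample files: $1/weak mirrors the install defaults described above,
# $1/hardened the same files after the fixes. PLACEHOLDER_HASH stands in for a real hash.
write_samples() {
    mkdir -p "$1/weak" "$1/hardened"
    cat > "$1/weak/inetd.conf" <<'EOF'
ftp     stream  tcp6    nowait  root    /usr/sbin/ftpd          ftpd
telnet  stream  tcp6    nowait  root    /usr/sbin/telnetd       telnetd -a
EOF
    sed 's/^telnet/#telnet/' "$1/weak/inetd.conf" > "$1/hardened/inetd.conf"
    cat > "$1/weak/user" <<'EOF'
default:
        admin = false
        login = true
        rlogin = true

root:
        admin = true
EOF
    { cat "$1/weak/user"; echo "        rlogin = false"; } > "$1/hardened/user"
    printf 'root:\n        password =\n        flags = ADMCHG\n' > "$1/weak/passwd"
    printf 'root:\n        password = PLACEHOLDER_HASH\n' > "$1/hardened/passwd"
    printf '#*.debug\t/dev/console\n#auth.notice\t/var/log/authlog\n' > "$1/weak/syslog.conf"
    printf 'auth.info\t/var/log/authlog\n*.err\t/var/adm/messages\n' > "$1/hardened/syslog.conf"
}

SAMPLES=$(mktemp -d)
write_samples "$SAMPLES"
for profile in weak hardened; do
    echo "== $profile =="
    audit_aix_defaults "$SAMPLES/$profile/inetd.conf" "$SAMPLES/$profile/user" \
        "$SAMPLES/$profile/passwd" "$SAMPLES/$profile/syslog.conf" && echo "clean"
done
```

Run against the weak set it prints four WEAK lines; against the hardened set it prints "clean". The checks deliberately read the files rather than calling `lsuser` or `lssrc`, so the same script can be pointed at a mksysb or NIM image before the system is ever booted on a network.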
It seems to me that IBM needs to fix some fundamental issues with its OWN OS before it can say that OS is not one of the “Most Vulnerable Operating Systems”.
The funniest issue with this is that, for Mac OS X to be listed at the top, almost all of those vulnerabilities require someone to actually run something on the machine with administrative privileges.
So according to this list, if you’re not going to run AIX, the next best thing is Windows? Wow. When was the last time you had to install antivirus on your Solaris, Linux or Mac servers?
Maybe it’s just that Apple, Sun and the Linux vendors actually patch vulnerabilities, while Microsoft and IBM hide behind their closed-source OSes and claim nothing is wrong?
I agree 100%…
One can look at this in another way as well. Is it really more secure just because it has fewer “published vulnerabilities”? I can argue that it is better to have open code such as the Linux (and Solaris) kernel, rather than closed code where there may be just as many, and more serious, vulnerabilities. The whole proprietary (blind bug) mentality. Although according to that chart, it still doesn’t explain Apple 😉