Red Hat's director of security response, Mark Cox, has posted some information about which security flaw types were most prevalent in the security fixes made by Red Hat in 2009. He compares those fixes with the Top 25 Most Dangerous Programming Errors that were just published by MITRE and the SANS Institute.
"This quick review shows us that 2009 was the year of the kernel NULL pointer dereference flaw, as they could allow local untrusted users to gain privileges, and several public exploits to do just that were released. For Red Hat, interactions with SELinux prevented them being able to be easily mitigated, until the end of the year when we provided updates. Now, in 2010, the upstream Linux kernel and many vendors ship with protections to prevent kernel NULL pointers leading to privilege escalation."