Comment The more accurate question (Score 5, Interesting) 935
Pure quantity of security holes really is not the most important question. To me there are two factors:
1. How severe is the hole if exploited.
Are we talking a DOS, a root compromise, the ability to take over a domain controller? The effect of a compromise needs to be taken into account.
2. How easy to exploit is the hole.
Is it a theoretical exploit, or are there tools floating around? Can it be easily mitigated by a good firewall, or can viewing an email cause the problem?
These questions seem to me more important than pure quantity and should be taken into account when building a threat assessment of a system.