MUST READ: Microsoft unleashes bug bounty program — for betas, too

Topic: Security

Discover

Report: third party programs rather than Microsoft programs responsible for most vulnerabilities

Summary: According to Secunia's recently released "Yearly Vulnerability Research Report", third party applications rather than Microsoft programs are responsible for the majority of vulnerabilities.

Dancho Danchev

By for Zero Day |

According to Secunia's recently released "Yearly Vulnerability Research Report", third party applications rather than Microsoft programs are responsible for the majority of vulnerabilities.

Moreover, the report further confirms a popular myth which I already debunked in my "Seven myths about zero day vulnerabilities debunked" post, namely that patched vulnerabilities remain the the primary exploitation vector that malicious attackers take advantage of.

More from the report:

For all Secunia Advisories affecting a typical end-point in 2011, 72% had a patch available within one day of the disclosure of the vulnerability, and 77% of the advisories had a patch available within 30 days of disclosure.

This data indicates that there is limited room for 0-day exploits. The 28% of the advisories that had no patch available on the day of disclosure indicates an upperbound of potential for 0-day exploit availability. Microsoft even reports that less than 1% of the attacks in the first half of 2011 were attributed to 0-day exploits. Therefore, the mere possibility of 0-day exploits, a force majeure, does not justify ignoring 72% of the cases where effective remediation is possible and at users’ fingertips.Thus, organisations can hardly hide behind the threat of 0-days when a solution is available for 72% of vulnerabilities.

Averaged over a year, 2.7% of the Microsoft programs are found insecure compared to 6.5% of the third-party programs. Thus, on average,more than twice as many third-party programs are found unpatched than Microsoft programs.

What does this mean? It means that end and corporate users continue utilizing the potential of the Internet while using outdated third-party applications and browser plugins. In the past, Secunia has released detailed statistics on the average number of insecure applications per country, with Cuba and North America topping the chart.

End users are advised to ensure that they're using the latest versions of their third-party software, and browser plugins.

Related posts:

Topics: Security, Microsoft

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

20 comments
Log in or register to join the discussion

  • RE: Report: third party programs rather than Microsoft programs responsible for most vulnerabilities

    I see this all the time when I work on someone's PC. Either their Windows Updates are shut off or there are 85+ updates ready to install. Of course, as well as out dated or expired AV.
    jasqid
    Reply Vote

    • RE: Report: third party programs rather than Microsoft programs responsible for most vulnerabilities

      @jasqid

      "third party programs rather than Microsoft programs responsible for most vulnerabilities"

      Exactly!

      Microsoft (like Apple) only have direct control over their own software. Microsoft and Apple don't distribute their software with embedded viruses.

      There is no way to stop other developers from developing malware.

      This is why it is important to have a fully secure operating system that is sandboxed from third-party apps.

      This is also why it is possible for outside developers to write successful viruses for Windows, and why not a single virus has been developed for Mac OS X in the 11 years that it has been in use.
      Harvey Lubin
      Reply Vote

      • RE: Report: third party programs rather than Microsoft programs responsible for most vulnerabilities

        @Harvey Lubin "single virus has been developed for Mac OS X in the 11 years that it has been in use." <- That's ignorant, there have indeed been viruses for OSX in that time; although malware is far more common. Indeed, there haven't been many VIRUSES for Windows in quite a long time either. These days hacks and exploits are what you must look out for. And OSX has had its share.
        Imrhien
        Reply Vote

  • RE: Report: third party programs rather than Microsoft programs responsible for most vulnerabilities

    Well no kidding, this is like the 4th or 5th year in a row this report came out and stated the exact same thing. Microsoft Windows is secure because it is a very configurable OS. You can choose the permissions and rights you need on the file system. Internet Explorer has its own safety controls. There is a built-in firewall. That pretty much leaves it up to only third party apps to have vulnerabilities.
    Loverock Davidson-
    Reply Vote

    • no third party apps

      And a computer without any third party apps is good for.... What was that again?
      michaellashinsky@...
      Reply Vote

  • RE: Report: third party programs rather than Microsoft programs responsible for most vulnerabilities

    Maybe Microsoft should do something about all that "Fragmentation", it seems to be their biggest complaint about Android, it seems to me they should be looking at their own OS first before "slinging stones".
    Socratesfoot
    Reply Vote

    • RE: Report: third party programs rather than Microsoft programs responsible for most vulnerabilities

      @Socratesfoot

      Unlike android microsoft offer the updates and programmes to keep secure. If people don't install them, it cant be blamed on MS
      danjames2012
      Reply Vote

  • RE: Report: third party programs rather than Microsoft programs responsible for most vulnerabilities

    for many people, dismissing update requests has become a knee-jerk reaction. even after you tell them those updates include security fixes they still complain about having to update their programs. it's ridiculous. especially, when updating usually only takes a minute.
    rorrr
    Reply Vote

    • RE: Report: third party programs rather than Microsoft programs responsible for most vulnerabilities

      @rorrr indeed but get the people to pay for evey patch and service pack in the way apple does it -then people will do it !!
      LOL
      cyrrusthevirus
      Reply Vote

      • Evidence please!

        @cyrrusthevirus
        [i]"...get the people to pay for evey (sic) patch and service pack in the way apple does..."[/i]

        Patches and "service packs" for Mac OS X are downloaded [b]for free[/b] from Apple, in much the same way as in Windows.

        Apple gives you the [i]option[/i] of upgrading to the latest version (Lion - 10.7) for $30, as opposed to Windows 7 starting at $200 for the Home Premium version (where is the Home Basic version?) and up to $320 for the Ultimate version. (RRP)

        You can [i]try[/i] to criticise Apple based on its different version numbering system, but it only makes you look like an ignorant fool, or a troll.
        rahbm
        Reply Vote

    • "when updating usually only takes a minute"

      @rorrr
      If only that were the case. I spent over half an hour, including two reboots, to update each of my Windows machines at work on Friday. That [b]is[/b] ridiculous!

      Then there is all the time taken doing AV updates and scans, registry cleans, defrags and so on.
      rahbm
      Reply Vote

  • Failure in understanding

    The reason that windows can run so many programs with so little trouble is because of how open the system is. <br><br>Mac may be fabled as more secure, but it has much less software availble for it. Much of that software is more costly than the PC equiveliant. And correct me if I'm wrong, but I'm pretty sure that it's open-source community is virtually non-existant.<br><br>Linux may be the more secure, but the open-source and freeware that Linux is famous for comes with it's own hidden costs.<br><br>Both Mac and Linux users are lulled into a false sense of security that their systems are more secure, so they often don't even run antivirus!<br><br>Putting aside Microsoft's Windows Vista failure and it's impending Windows 8 fiasco, I must still give kudos to Microsoft. Historicaly, they have put high priority on securing it's flagship product and on getting security vulnerabilities patched as soon as possible. M$ actually has one of the highest ratings when it comes to releasing patches as soon or just soon after a vulnerability is discovered.<br><br>My experience aggrees with this report. Just the same as most virus and maleware infections can be avoided by simply running the latest antivirus and by moderating your behavior on the internet. Using unpatched or uncurrent software, if it can at all be avoided, is a shot in the foot.

    I know that everybody loves to blame Microsoft for all their problems, but you should first make sure that you AREN'T A PART of the problem... Just saying.
    blackepyon01@...
    Reply Vote

    • RE: Failure in understanding

      @blackepyon01@... wrote:<br>[i]Both Mac and Linux users are lulled into a false sense of security that their systems are more secure, so they often don't even run antivirus![/i]<br><br>Anti-virus products are very much over-rated on Windows. For example, the Zeus (or Zbot) banking Trojan:<br><br> <a href="https://zeustracker.abuse.ch/index.php" target="_blank" rel="nofollow">https://zeustracker.abuse.ch/index.php</a> <br><br>Note that the current ZeuS binary anti-virus average detection rate is currently at 36.4%.<br><br>Creating a standard or limited user account and running the OS as this user account for day-to-day use combined with application whitelisting via Windows Vista/7 built-in Parental Controls provides more protection from malware than does running anti-virus software. Of course, one can still choose to run anti-virus software in addition to utilizing strict least privilege and application whitelisting.<br><br>Mac OS X has malware scanning built-in to the OS. And desktop Linux, with it's 1-2% market share really has no need for anti-virus software. With Linux, the malware miscreants look for open ports and most Linux distros ship with very few open ports and they are usually protected with AppArmor (e.g., Ubuntu), a firewall (e.g., openSUSE), etc. However, some desktop Linux users do enable services (e.g., sshd, vpn) and configure them poorly.
      Rabid Howler Monkey
      Reply Vote

    • RE: Report: third party programs rather than Microsoft programs responsible for most vulnerabilities

      @blackepyon01@...
      AV software isn't protection. Antivirus software systems are almost entirely focuses on removing viruses after the fact of the infection.

      If you patch against a virus-exploitable vulnerability, the virus will never infect your system in the first place.
      daikon
      Reply Vote

      • allowing specific virus strains

        @daikon,<br>I agree, Anti-virus is not a proactive solution, as someone alread pointed out, it's a reactive solution, but there are no other ways to protect our system, other than app whitelisting, limited account, sandboxing, and properly configured firewall. <br><br>In addition to this problem, I have seen an expensive commercial anti-virus software which allows a dangerous worm/trojan/dropper to hide in your system and steal something, even with updated patches and latest version of AV. Obviously an intentional backdoor created by the anti-virus software. So far I have seen one popular brand doing this. I have contacted the company and emailed them the strain, and they claimed it is in their database but my latest AV version with latest signatures didn't even detect it, let alone remove it. I'm not sure if this horrible practice is also done by other commercial AV software.<br><br>I know it's an intentional malware backdoor because the virus name and origin came from the same country with the said AV company.

        Again, just strengthens my belief on why not trust third party utilities to protect you. Code it on your own if you can or just get the said AV utility from the vendor of your OS as the OS vendor will surely attempt to protect their OS from malwares to protect their name.
        Martmarty
        Reply Vote

  • RE: Report: third party programs rather than Microsoft programs responsible for most vulnerabilities

    Read the link I sent to Joe (http://himmele.googlecode.com/svn/trunk/Operating%20Systems/Can%20We%20Make%20Operating%20Systems%20Reliable%20and%20Secure.pdf) and check out Singularity and Midori.

    OS implementations that bypass this whole silly "My OS is better than Your OS" were tried a number of times and software giants at companies like MS and universities everywhere are still busy trying.

    Fact is, ALL OSes, bar NONE, are vulnerable to several levels of attack. The more remote the administration of an OS, the less secure. The poorer the drivers/apps (and I'm looking at you, Mozilla, and your damn fool "buffer over/underrun" vulnerabilities... yeesh, no bounds checking? Really? Never overlooked that when I was writing code for the 8080) the less secure. The easier it is for third party apps to "help" the user in some way, the less secure. And even buggy device drivers (which the Mozilla implemtation of TCP/IP was an egregious example) can make you less secure.

    It's not the OS (at least, not just the OS). It's the user, his insatiable desire for "helpers" and "ease of use" and lazy programmers and programmers who are "under the gun" to SHIP IT (the vast majority) that give us buggy code with vulnerabilities.

    Been saying this since the days of CP/M. Maybe the truth will set us free of stupid "Linux is better then XP" and "XP is better than iOS" and other fanboi debates.
    RyuDarragh
    Reply Vote

    • Put yourself and your family out there for 10 years without AV.

      @RyuDarragh ... Like I did, and do all the important online transactions that you can, including banking, retirement, online purchases, FAFSA, and whatever else, You can trust Linux without AV, because it is secure. That never can be done with Microsoft and if you rely on AV, you run the risk of malware being missed and finding out after the fact. It's much better to have a secure OS than an insecure one like Windows and rely on external protection to cover the holes.
      Joe.Smetona
      Reply Vote

  • RE: Report: third party programs rather than Microsoft programs responsible for most vulnerabilities

    How about modifying Windows to post an annoying warning if you connect to Internet when Windows isn't up to date with security patches
    ThereThere
    Reply Vote

    • RE: Report: third party programs rather than Microsoft programs responsible

      @ThereThere This is what Linux and BSD have been doing for a long time, although I would not describe their update notices as annoying. I believe that this is where Microsoft is headed with Windows 8 and their App Store.

      However, for Windows XP/Vista/7 one needs to utilize a 3rd party service such as ninite or 3rd party software such as Secunia's Personal Software Inspector (PSI).
      Rabid Howler Monkey
      Reply Vote

  • RE: Report: third party programs rather than Microsoft programs responsible for most vulnerabilities

    Well of course! Microsoft is perfect, as many of the [s]trolls[/s] commenters on here will quickly tell you, and could not [i]possibly[/i] be responsible for the notorious and numerous crashes in Windows. (Said crashes, of course, are a figment of the imagination, according to the aforementioned sycophants.)

    OTOH, if Windows were a solid and secure platform, then poorly behaved apps could never cause these imaginary problems, could they? Sigh.
    rahbm
    Reply Vote
CNET Join | Log In | Privacy | Cookies Close