10 Most Vulnerable Software Apps of 2009
by Ryan Naraine | December 23, 2009 4:08am PST | Image 1 of 10
Adobe Acrobat, Adobe Reader
these threats only apply on Windows. If so, then why on Earth
aren't the two worst culprits in computer history, IE and
Outlook, in the list?
Perhaps you just "forgot"?
I find it interesting to note that beyond Adobe, the infamous offender of the last few years, Firefox and Apple are taking a beating. So much for "open source = secure" or "Apple = perfect", which have become mantras in the last few years.
At the end of day, it's all just software, and you win some, you lose some.
OSS software bug reporting and proprietary bug reporting practices have been consistent over the years. Since they have been consistent, the OSS software (Firefox, etc.) has increased vulnerabilities *in spite of* being open. If this is indeed the case, then the OSS increased vulnerability is NOT due to its openness. Or, put more clearly, "If they've ALWAYS been open source, why are vulnerabilities increasing?"
Similarly: It's admirable that Microsoft is not on this list. While some people may say it's only because it's proprietary and hidden, that can't be the reason. Its proprietary status hasn't changed, and over the last decade, people have had NO problems finding vulnerabilities with the source code not available.
Last observation: People fled IE to Firefox with the main argument being "it's more secure". Those were the ads I saw, those were the stories I've read. It was in the New York Times. It's interesting that those same authors are suddenly silent when Firefox has more exploits out there than IE. And I doubt people are going to switch back to IE due to security. Interesting.
X-Force tracks vulnerabilities by platform and has produced metrics this year
to show the operating systems with the most disclosed vulnerabilities. The
following chart shows the operating systems with the most vulnerabilities
documented in 2008. The top ten operating systems account for nearly 75% of
all vulnerability disclosures affecting operating systems.
Operating System                 Percentage
-------------------------------  ----------
Apple Mac OS X Server                  14.3
Apple Mac OS X                         14.3
Linux Kernel                           10.9
Sun Solaris                             7.3
Microsoft Windows XP                    5.5
Microsoft Windows 2003 Server           5.2
Microsoft Windows Vista                 4.1
Microsoft Windows 2000                  4.8
Microsoft Windows 2008                  4.1
IBM AIX                                 3.7
Others                                 24.9

Table 7: Operating Systems with the Most Vulnerability Disclosures, 2008
Several operating systems have remained in the top five list over the past three years:
- Apple Mac OS X
- Apple Mac OS X Server
- Linux Kernel
Do you really think your scare tactics are going to drive everybody back to using only Windoze?
C'mon, if Big Blue was shilling this list, AIX wouldn't even be IDENTIFIED on it!
Windows will NEVER be a PERFECT OS; neither will Mac's OS, or LINUX, or ANY non-self-repairing OS (in effect, any non-sentient OS). As long as an operating system needs external programmers to adjust and modify the master code - in other words, as long as HUMANS have control of the operating system, and therefore the machinery - NO OS will be perfect. PERIOD!
So get OVER these OS Wars, children.
lol...
~
We don't even really know if IBM even created that pdf. It has no footnotes or third party references to back up any claims it makes about Apple or Linux.
Now as to what is in there, the report is pretty unflattering to M$, but that's just common knowledge so it doesn't tell us anything new. Points that honeymonster conveniently likes to leave out or not talk about. It's understandable since shills don't like to shed light on any negative aspects for their product.
~
Now maybe next Christmas when you've been a good apologist all year, Santa might leave something under the tree for you. That way you won't be the one who loses his "grip". Ok?
Meanwhile, LOTS of people would appear to be getting overWHELMED by various attacks while running Firefox, Opera, or even more esoteric browsers on Wintel boxes, and even a few Macs are starting to get hit - probably because now that Apple is bragging more and more about how they're "so safe, so sane, and so secure," the hackers and crackers are feeling the challenge!
Hey APPLE! Anyone ever tell you NERDS the worst thing you can do is jump in the pasture and wave a RED FLAG at a bull?
But I digress. IE is like ANY OTHER Internet browser; only as secure as YOU or I make it; only as secure as we keep it. Practice safe computing, avoid obvious honey traps, and you won't get stung. Or at least, not as often. MONITOR your e-mail, and you're going to be safer, too.
Yeah, I know, I sound like your sainted Grandmother. So what? She was smarter than you want to admit, wasn't she? Tough. Live with it.
source companies fix their bugs secretly is one
of the worst myths in OSS.
Security vulnerabilities are disclosed because
they are being patched. Some customers
(notably enterprises) want to know
exactly why they need to apply a patch.
They need to know what the risk would be if
they block a certain patch in the name of
stability. Hence, they need to know what
vulnerabilities are being patched and what the
possible impact is.
That is why Microsoft's security bulletins are
so detailed, much more so than the typical open
source bulletins.
In fact, products like Firefox contain more
vulnerabilities than what is being counted
on e.g. Secunia. The reason: Mozilla will
routinely treat patches in underlying
libraries as a single FF vuln, even
though the libraries patched multiple
vulnerabilities.
In the case of Linux, Mr. Linus Torvalds has
publicly stated that he does not see any reason
to label his fixes as security-related. Alas, a
number of Linux vulnerabilities will be fixed
but never reported as being security related.
The cold hard truth - as noted by
practically all security researchers - is that
Microsoft has done a tremendous job of security
in their products since the inception of Secure
Development Lifecycle (SDL).
The cold hard truth is that security and
stability (which FF has also lacked lately.
Strike that. Which FF has *always* lacked) are
closely related to the quality control of the
vendor. Not whether it is open source or not.
And Mozilla is lagging on quality control.
less stable than IE is not a cold hard truth...
it's an outright goddamned lie!
As to 'security' in Firefox? Since it isn't
part of the OS, it's pretty secure just by
virtue of that!
And, with things like NoScript and AdBlock
(which block the three most common ways that
people get Firefox to run arbitrary code!)...
it's bulletproof.
memory. Since their 3.x branch there has been a
very high number of memory corruption bugs,
many of them exploitable.
Like this: http://www.mozila.pl/blog/mozilla-fixes-hundreds-of-firefox-memory-leaks/
Mozilla denied for the longest time that they
had a problem.
Firefox is still a little too crash-happy.
Mozilla still fixes memory corruption bugs with
each release. If there was no problem, what
exactly are they fixing?
More alarmingly, they seem to introduce *new*
memory bugs in newer releases. Their new JS
engine apparently still needs some work.
This is from Nov. 7 this year:
http://www.computerworld.com/s/article/9140498/Mozilla_fixes_Firefox_crash_bug?source=rss_security
"We're seeing lots of crashes in the
GIF decoder," noted Mozilla developer Joe Drew
in the message that kicked off the discussion
on Bugzilla
Firefox 3.5.5 also fixes a stability bug
in the Mac version, and another crash
problem in the Windows and Mac editions.
But I should probably take your anecdotal
evidence over an official statement from
Mozilla?
But I'm sure it's ok now. It's been, what,
almost 1 1/2 month?
It is ok to be a fan of Mozilla/Firefox. But
please don't make it into something that it
isn't. Firefox users have experienced the
crashes en masse. It is no secret, so
stop pretending.
ignore ALL the evidence to the contrary.
Bulletproof lmao
Show me one piece of software that doesn't...
It's been about 9 months since Firefox crashed on me. As far as I'm concerned, that's not a bad record.
On a non-troll/flame note, question about Firefox being up there - I assume this is clean Firefox install they are talking about? How does Firefox with NoScript/AdBlock installed fare on this list?
And on a final note, Adobe doesn't get nearly enough flak around here for the junk software they release. At least the reader can be ditched in favor of Foxit Reader - faster, smaller, and much safer. But unfortunately it's difficult to get around using their web-enabled apps.
"The views expressed here are mine and do not reflect the official opinion of my employer or the organization through which the Internet was accessed."
vulnerability were/are still there.
NoScript/Adblock can only lessen the risk from
certain rogue sites.
When the attackers infect regular sites (which
they do over and over again - typically PHP and
ASP.OLD sites with SQL injection attacks) you
become vulnerable again.
The hilarious fact is that Mozilla still
neglects to implement a sandbox
which could save the users from most of the
consequences of these vulns. They will rather
play the JavaScript speed crown game with
Safari and Google than implement a proper
sandbox. Go figure!
But if you are truly sincere and want to be given the benefit of the doubt about being concerned over Firefox security, then why are you over at their forums giving them some help?
https://bugzilla.mozilla.org/
https://support.mozilla.com/en-US/forum/1
http://www.mozilla.org/security/known-vulnerabilities/firefox35.html#firefox3.5.6
You certainly have plenty of opportunity to bring whatever concerns you have to their attention.
Or is there really another ulterior motive being discussed here... Hmmm?
Quicktime, Realplayer, Flash etc.
Put simply, many security researchers now point
to Microsoft's SDL as the example to follow.
And IE, Outlook and Chrome are all protected by
a sandbox (low integrity processes). So even
when a vulnerability is found the damage
an attack can do to a default Vista/7 system is
extremely limited. The attacker cannot
even change internet preferences, much less
drop files or change the system.
Goes without saying that Firefox and Safari
*both* lack a proper sandbox.
made the one in IE, to give them an example to
go by.
I'm usually on Microsoft's side, but that is
the blunt truth here.
They need to get on Microsoft's case about not
giving other software developers the data and
information they need to take advantage of
built-in things like sandboxing, which is good
for ANY application.
information re: low integrity mode? no. Would
they have been right? no.
Detailed documentation on integrity levels was
available more than a year before Vista was
launched.
Adobe implemented a sandbox (low integrity
mode) compliant Flash player by using Microsoft
publicly available documentation.
Stop apologizing for Mozilla. The information
has been readily available for years.
Why would you need to make up such a claim?
been like that for years, actually. Even
Firefox 2 had many more vulns than the
contemporary IE7
2) IE has a very efficient sandbox. It
leverages low integrity mode (so does Google
Chrome). This means that even when an attacker
successfully exploits a vuln, he can still
not make changes to files, registry or even
browser settings . He can not install new
"toolbars" or browser "helpers".
Mozilla is the hero in open source, and the
religious (not claiming that you are) OS
fanatics are still spreading the myth that FF
is less vulnerable and more secure.
Firefox is THE most vulnerable piece of
software of 2009!
http://secunia.com/advisories/product/25800/
http://secunia.com/advisories/product/21625/
I don't care about the total number, I do care if they don't get patched quickly.
If you'll notice from the article, Adobe has much to learn and needs to learn from Microsoft -- and quite soon!
(Adobe has much to learn and needs to learn from Microsoft)
Man, no one has to learn from Microsoft.
Do you believe what you say? If so, maybe you live outside of the real world.
I will show your response to my friends - because they will not believe me that these days people with such remarks still exist.
Btw, what can they learn from Microsoft (how to lie? how to leave bugs untouched for years? ...how to become a collection of unpolished drivers??)
Oh, man... you're so cool.
feed/167111/opinion_pigs_fly_microsoft_leads_in_security.html?tk=rss_news
"Talk about a turnaround. It's always hard
to recognize the larger, slow-moving paradigm
shifts as they happen. But after a decade of
bad press regarding its commitment to software
security, Microsoft seems to have turned the
tide. Redmond is getting consistent security
accolades these days, often from the very
critics who used to call it out. Many of the
world's most knowledgeable security experts are
urging their favorite software vendors to
follow in the footsteps of Microsoft.
Haters will always continue hating, but the
technical press is giving a lot of favorable
coverage to Microsoft's successful efforts to
make itself a computer software security
leader. Here are some recent examples:
"Microsoft for a long time rightly got a bad
reputation for insecure products. However, as
an industry we should recognize the sea change
in Microsoft's approach to security, of which
this [Microsoft's plans to share its Security
Development Lifecycle process components] is
just one example, and encourage other vendors
to follow Microsoft's lead." -- SANS
NewsBites"
Now go brush your teeth. Or what you have left of them.
lol...
have is Microsoft Hate Disease.
That is why they get frustrated and start
personal attacks when the actual facts -
such as vulnerabilities found - point in the
opposite direction from their belief system.
You see, this was never about actual facts. It
is about identity. Some people find comfort in
the feeling that they belong in an elite group.
A group of people who can see clearly what
others can't.
The FACT that Firefox was the worst software
(of all) in 2009 has them all the way up in
the red field. This is the hero, the
poster child. Firefox cannot be allowed to be
worse on security than any other product.
But it is. It has more vulnerabilities (even
more than what is officially counted) than any
other browser. It lacks basic protection
mechanisms such as sandboxing - which is
already found in Chrome and IE.
Or do they... Hmmm?
should understand by now that these threats
only apply on Windows"?
Firstly, both Apple and open-source software
have been affected by security issues, not just
Windows software. Did you actually look at the
list?
Secondly, though I am fairly eclectic in my
software use - I use Firefox, Chrome and
Internet Explorer for different types of
browsing or dependent on what I am doing online
- and am therefore no more of a fan of chrome
than firefox or firefox than IE or whatever, I
have followed this year's security issues and
responses, and you know what the overall winner
for web browsing security was - Internet
Explorer. Did you not read this year's tech news
or did you just 'forget'?
not really IE so much anymore that's the big
attack vector as it is the third party
products.
Microsoft has been doing very well recently
with their monthly updates, and even though I'm
not a big fan of waiting a month, I'm even less
of a fan of Adobe's patch schedule, which is
quarterly. That's, frankly, way too long to
wait for a patch.
In addition, this time around IE has a sandbox.
Processes that run in IE have reduced
permissions. Even if something is exploited,
it's much harder to use that exploit to damage
the user's files or system files.
I think Microsoft has really improved IE's
security, and most of the vulnerabilities are
in third party products.
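Several posts above argue that IE (and Chrome) run their content processes at low integrity, so that an exploited process cannot write to the user's files, the registry or browser settings. An administrator can verify which browser and reader processes actually run at Low integrity rather than taking it on faith. The following script is an added example, not code from this thread, from ZDNet or from Microsoft; it assumes Windows Vista or later (integrity levels do not exist before that), a PowerShell that can compile a small P/Invoke helper with Add-Type, and a process-name list that is only a guess at a typical desktop.

```powershell
# Added example: report the integrity level of selected running processes.
# Assumptions: Windows Vista or later, Add-Type available, and the process
# names below are a guess at what runs on a typical desktop.

Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;
public static class TokenIntegrity {
    [DllImport("kernel32.dll", SetLastError = true)]
    static extern IntPtr OpenProcess(uint access, bool inherit, int pid);
    [DllImport("kernel32.dll")]
    static extern bool CloseHandle(IntPtr h);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool OpenProcessToken(IntPtr proc, uint access, out IntPtr token);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool GetTokenInformation(IntPtr token, int cls, IntPtr info, uint len, out uint needed);
    [DllImport("advapi32.dll")]
    static extern IntPtr GetSidSubAuthorityCount(IntPtr sid);
    [DllImport("advapi32.dll")]
    static extern IntPtr GetSidSubAuthority(IntPtr sid, uint index);

    const uint PROCESS_QUERY_LIMITED_INFORMATION = 0x1000; // enough for OpenProcessToken on Vista+
    const uint TOKEN_QUERY = 0x0008;
    const int  TokenIntegrityLevel = 25;                   // TOKEN_INFORMATION_CLASS value

    // Returns the last sub-authority (RID) of the token's mandatory-label SID
    // S-1-16-<rid>: 0x1000 = Low, 0x2000 = Medium, 0x3000 = High, 0x4000 = System.
    public static uint GetLevelRid(int pid) {
        IntPtr proc = OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION, false, pid);
        if (proc == IntPtr.Zero) throw new System.ComponentModel.Win32Exception();
        IntPtr token = IntPtr.Zero, buf = IntPtr.Zero;
        try {
            if (!OpenProcessToken(proc, TOKEN_QUERY, out token))
                throw new System.ComponentModel.Win32Exception();
            uint needed;
            GetTokenInformation(token, TokenIntegrityLevel, IntPtr.Zero, 0, out needed);
            buf = Marshal.AllocHGlobal((int)needed);
            if (!GetTokenInformation(token, TokenIntegrityLevel, buf, needed, out needed))
                throw new System.ComponentModel.Win32Exception();
            // TOKEN_MANDATORY_LABEL begins with SID_AND_ATTRIBUTES { PSID Sid; DWORD Attributes; }
            IntPtr sid = Marshal.ReadIntPtr(buf);
            byte count = Marshal.ReadByte(GetSidSubAuthorityCount(sid));
            return (uint)Marshal.ReadInt32(GetSidSubAuthority(sid, (uint)(count - 1)));
        } finally {
            if (buf != IntPtr.Zero) Marshal.FreeHGlobal(buf);
            if (token != IntPtr.Zero) CloseHandle(token);
            CloseHandle(proc);
        }
    }
}
"@

function Get-IntegrityLevelName {
    param([uint32]$Rid)
    switch ($Rid) {
        0x0000  { 'Untrusted' }
        0x1000  { 'Low' }
        0x2000  { 'Medium' }
        0x2100  { 'Medium Plus' }
        0x3000  { 'High' }
        0x4000  { 'System' }
        default { '0x{0:X}' -f $Rid }
    }
}

# iexplore and chrome are named in the thread; the other names are assumptions.
# A broker/parent process is expected at Medium; the content (renderer) processes
# are the ones that should show Low if the sandbox claim holds.
$names = 'iexplore', 'chrome', 'firefox', 'AcroRd32'

Get-Process -Name $names -ErrorAction SilentlyContinue | ForEach-Object {
    $level = try   { Get-IntegrityLevelName -Rid ([TokenIntegrity]::GetLevelRid($_.Id)) }
             catch { 'n/a (' + $_.Exception.Message + ')' }
    [pscustomobject]@{ Name = $_.ProcessName; PID = $_.Id; IntegrityLevel = $level }
} | Sort-Object Name, PID | Format-Table -AutoSize
```

Run it from a normal (non-elevated) session: processes belonging to other users or to protected services will report "n/a" with an access-denied message, which is expected and does not affect the browser processes you own. A browser whose every process shows Medium has no integrity-level sandbox for its content, whatever its marketing says.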
these threats only apply on Windows."
Sorry - read on, OS X is featured later in the list. The myth of Mac invulnerability is now dead. The first Mac botnet was discovered this year and Mac malware numbers in the hundreds - bearing in mind a report last year reckoned there were only 47 - a huge increase.
Not as many as Windows - but we're not in denial and have tools to deal with it.
"The views expressed here are mine and do not reflect the official opinion of my employer or the organization through which the Internet was accessed."
better stop listening to Apple marketing and
start listening to security researchers.
OS/X is just so easy to exploit, according to
Charlie Miller, of iPhone jailbreaking and
pwn2own fame. He regularly takes down OS/X in
plain drive-by attacks.
Don't tell us that you have bought the lie that
the pwn2own attacks required the user to enter a
password?
doesn't really belong on the list there. With
additional add-ons, it's pretty much BULLETPROOF and
laughs at regular bullets like Superman, going "YOU
THINK YOU CAN HARM ME! HAHAHAHAHA!"
Really, Mozilla needs to bring NoScript in as part of
the browser sometime in the near future, along with
AdBlock.
I don't know how they will do it, but they simply have
to do it in this atmosphere, since Javascript is the
NUMBER ONE way that people are getting onto systems
without permission right now.