Reckless IT pros are missing security holes in non-Microsoft software


Summary: Secunia reports that only 14 percent of the vulnerabilities found in the 50 most popular programs last year were in Microsoft products while 86 percent were in third-party software. It reckons IT professionals should do more to patch them … and it sells products to help

TOPICS: Security, Windows

Secunia's latest Vulnerability Review 2013 (PDF) reports that 86 percent of the vulnerabilities found in the 50 most popular programs in 2012 were in non-Microsoft programs.


"Even so, IT professionals everywhere are inclined to focus on patching Microsoft programs, operating systems and just a few other programs," says Secunia. "Ignoring the threat that vulnerabilities represent in non-Microsoft programs is both reckless and unnecessary."

Not only are third-party software suppliers responsible for the vast majority of security vulnerabilities, they are responsible for an increasing share. The 14 percent of vulnerabilities found in Microsoft programs and Windows operating systems in 2012 is a dramatic improvement on the 22 percent found in 2011. The number was as high as 43 percent in 2007.

The Top 50 most popular programs comprised 29 Microsoft programs and 21 third-party programs, giving Microsoft a 58 percent share of the software under consideration. Microsoft's 14 percent share of the vulnerabilities was made up of 5.5 percent found in operating systems and 8.5 percent found in other Microsoft programs.

Of the 21 third-party programs, 1,137 vulnerabilities were found in 18 products from eight vendors.

The bulk of the vulnerabilities were found in web browsers and software from the usual suspects: Apple and Adobe. Google Chrome led the way with 291 vulnerabilities, followed by Mozilla Firefox (257), Apple iTunes (243), Adobe Flash (67), Oracle Java JRE SE (66), Adobe Air (56), Adobe Reader (43), and Apple QuickTime (29).

Windows 7 had the most vulnerabilities among the Microsoft products (50), followed by Internet Explorer (41) and the .Net Framework (14).

All this warns against relying too much on numbers. Google Chrome is sandboxed to provide a high level of security, and it's updated very frequently. It's much safer than its score might suggest. By contrast, Oracle Java JRE SE has been a security disaster to the point where the most rational approach is to uninstall it, regardless of its lower score.

Secunia points out that Windows 7 had a high number of vulnerabilities last year, as "a result of the work of one security researcher, who decided to dig into one specific component, win32k.sys. By doing so, he discovered 22 vulnerabilities in 2010 and 59 vulnerabilities in 2011." Only four had been found in 2009.

No doubt all software contains bugs, if someone is prepared to dig deep enough to find them. Chrome's high number of vulnerabilities may therefore indicate that it's more secure because more bugs have been found and remediated.

[Photo: Morten R Stengaard. Photo credit: Secunia]

On the positive side, Secunia reports that in 2012, 84 percent of vulnerabilities had a patch available on the day they were disclosed, as compared with 72 percent in 2011. Morten R Stengaard, Secunia's Director of Product Management, said: "This means that it is possible to remediate the majority of vulnerabilities. There is no excuse for not patching. To take advantage of this improvement in patch availability, organizations must know which programs are present on their systems and which of these programs are insecure, and then take an intelligent and prioritized approach to remediating them."

In all, Secunia reported a total of 9,776 vulnerabilities in 2,503 vulnerable products from 421 vendors.

Needless to say, it may only take one unpatched vulnerability in one program to compromise a company's security.

The Copenhagen company gets the bulk of its data from its free Personal Software Inspector (PSI) program, which is installed on millions of Windows PCs (including mine). These PCs have, on average, 72 programs installed. Secunia says these programs vary "from country to country and region to region" so it's simpler to focus on the 50 most common ones.

PSI makes regular checks to see if a PC contains any programs that do not have the latest patches installed, and makes it easy for users to patch them. This is important since not all vendors provide scheduled updates, and they may not notify users when patched versions are released.
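The inventory-then-prioritize workflow the article describes (know what is installed, find what is below the patched version, fix the worst first) can be illustrated with a small script. This is an added example written for this page, not Secunia's PSI; the product names, versions and severities are constructed sample data, and the version scheme is assumed to be purely numeric dotted versions.

```python
"""Added example: match an installed-software inventory against a patch feed.
Not Secunia's PSI; all products, versions and severities are made-up samples."""
from dataclasses import dataclass


def parse_version(v: str) -> tuple:
    # Compare versions numerically: as strings "10.0.10" < "10.0.9", which is wrong.
    return tuple(int(part) for part in v.split("."))


@dataclass
class Advisory:
    product: str
    fixed_in: str          # first version that carries the fix
    severity: int          # 1 (low) .. 5 (critical), constructed scale
    patch_available: bool  # the article notes not every vulnerability has one


# Constructed vulnerability feed (sample data, not real advisories).
ADVISORIES = [
    Advisory("BrowserX", "25.0.1364", 4, True),
    Advisory("MediaPlayerY", "11.0.2", 3, True),
    Advisory("RuntimeZ", "7.0.17", 5, True),
    Advisory("ReaderW", "11.0.2", 4, False),
]


def find_insecure(inventory: dict, advisories=ADVISORIES) -> list:
    """Return (product, installed, fixed_in, severity, patch_available) for every
    installed program older than the fixed version. Sorted so the most severe
    items come first and, within a severity, the ones that can actually be
    patched today; products absent from the inventory are skipped."""
    findings = []
    for adv in advisories:
        installed = inventory.get(adv.product)
        if installed is None:
            continue
        if parse_version(installed) < parse_version(adv.fixed_in):
            findings.append((adv.product, installed, adv.fixed_in,
                             adv.severity, adv.patch_available))
    findings.sort(key=lambda f: (-f[3], not f[4], f[0]))
    return findings


if __name__ == "__main__":
    # Constructed inventory of one PC, as a software inspector scan might report it.
    sample_inventory = {"BrowserX": "24.0.1312", "MediaPlayerY": "11.0.2",
                        "RuntimeZ": "7.0.13", "ReaderW": "10.1.4", "OtherApp": "1.0"}
    for product, have, need, sev, patchable in find_insecure(sample_inventory):
        action = "update now" if patchable else "no patch yet: mitigate/monitor"
        print(f"[sev {sev}] {product} {have} < {need}: {action}")
```

Items without an available patch still appear in the list, since the gap does not go away just because the vendor has not shipped a fix; they are simply ranked below patchable items of equal severity.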

Secunia also sells a Corporate Software Inspector (CSI) and is currently beta-testing a small business version of its product.


Jack Schofield


Talkback

36 comments
  • Wait a minute

    Google Chrome led the pack and only 1/4 of the total were from Apple, but Apple is one of the usual suspects?

    Also, are all these exploits equally severe? There's a difference between an exploit that crashes the browser, and one that lets you root the system. Chrome may have the most by count, but I would wager they are all pretty benign.
    baggins_z
    • About the time to bust the "FOSS/LINUX security" myth

      Being open has nothing to do with being quality or secure as facts show it time after time. If you don't put down serious effort then you won't get the result. Nothing encourages more serious effort than tying a guy's job security with the work he gives out - the proprietary way. Thinking just b/c it's open it'd get everyone's review so it's better is simply wishful thinking.
      LBiege
      • Care to wave your hand a bit more

        Perhaps in the direction of all the proprietary software developers being tossed on the streets because of their poor approach to security. They're more likely to be promoted than shuffled off.
        ego.sum.stig
        • re: They're more likely to be promoted than shuffled off.

          An emphatic NO there, I'm afraid, that's not right at all. In fact there is even good evidence of it flying around right now about Microsoft's worldwide layoffs of a substantial number of people, most in marketing and other management positions. MS is not unique in this as it's happening in a lot of other places too.

          HTH,

          Twayne`
          tom@...
          • Not buying it

            Any layoffs are due to cheap outsourcing and a bad economy. Nothing to do with security.
            CaviarGreen
          • tom tom tom

            Poor security is often a model used to ensure job security. Poor security provides so many opportunities for system "enhancement" and "improvement" contracts.

            It's hardly ever used as an excuse to fire someone for being the source of poor security in software, rather it's a cause for celebration and bonuses!

            Mind you, my code is always secure, efficient and so wonderful that people have been known to spasm in delight at it. So, I have a somewhat jaundiced view of other people's "work."
            ego.sum.stig
        • So you're saying that it's fine that FOSS software has lots of

          security issues because proprietary software has some too?

          I can see why a lot of FOSS software developers are being tossed on the streets.
          Must be because of their poor approach to security.
          William Farrel
          • Flawed logic as usual

            Do you live in a parallel universe or what...
            CaviarGreen
          • It could be worse

            You could realise that you're not quite up to par.
            ego.sum.stig
          • I'm not a software developer, ego.sum, nor need to be.

            We pay others to design our software. All we do is tell them what we want, and what they need to do. One of the things they need to do is to design it securely.

            End of story.
            William Farrel
          • And that explains the layoffs at Micro$oft

            End of story.
            CaviarGreen
      • LBiege: "About the time to bust the "FOSS/LINUX security" myth"

        Neither a proprietary nor open-source development model assures product security. Oracle's Java SE 7 comes to mind in the proprietary camp, having poor security on a number of levels. Whereas the OpenBSD project shows that open-source software, the OpenBSD operating system, can achieve a high level of security on a number of levels:

        http://openbsd.org/security.html#52

        The "many eyes" statement from FOSS advocates is hype. OpenBSD's auditing team is comprised of 6 to 12 individuals (see the above link).

        P.S. Microsoft gets applause from me for its commitment to the Secure Development Lifecycle:

        http://www.microsoft.com/security/sdl/default.aspx
        Rabid Howler Monkey
        • Re: Oracle's Java SE 7 comes to mind in the proprietary camp,

          Is programming in Java less secure than programming in C? Tell me what security features C offers, and what Java offers.
          ldo17
    • pretty benign?

      That's a wager you might lose, but OTOH you might be right; in other words, it wasn't worth mentioning either way.

      What IS worth mentioning is that the author did a P-poor job of reporting in any manner that was meaningful about the numbers he was using. I don't consider anything that is covertly placed on my machine "benign" in any way; and besides, penetration of any machine is not a "benign" event; there is no such thing in the circles I run in.

      Actually, it's been so long since anything has been compromised on either of my machines I can't even guess at how many years ago it was. Some tried, but they never touched my hard disc thanks to my NAT router, reliable anti-virus/anti-malware detectors/monitors, and an ISP with excellent filters that alert me when a spam/scam has been stopped just in case I want to authorize it within the next 5 days. They keep it in quarantine for 5 days and then delete it; they haven't yet caught a "good mail" I asked to have sent to me so they err on the side of safety, which is OK with me and just how I like it.
      Let's see, that means I use a NAT router gateway with firewall rules and spam rules, plus a reliable and up to date AV, one realtime malware detector (not MS) and three separate malware disc scanners. Every one updates itself and tells me how long since the last update so they require only occasional glances to make sure they're working properly and the only effort expended was the original installation. I have licenses for both machines, many allow up to 3 machine installs as long as it's at this same address, and the others are well respected freebies.
      Those and a bit of "safe hex" (look it up if you don't know what that means) is all it takes. It's also easy, should I decide I want to start using another site I don't know anything about yet, to do reputation/blacklist/blocklist/reliability/WOT ratings.
      That's a lot of words just to say, really, that with nominal effort it's easy to avoid the "bad stuff".
      The ONLY way I've had any problems was my Win 7 machine needed a complete reinstall after the CMOS battery died (quickly) and by the time I noticed had scrambled things so badly the computer couldn't find an OS to use. That was a PITA but it wasn't a virus; it was my own refusal to realize the CMOS coin-cell battery was dying in time to replace it before catastrophe struck. We're our own worst enemies sometimes.

      HTH,

      Twayne`
      tom@...
    • Wow

      You walked away with the wrong point.

      Here's the point. The source press release, while providing some moderately interesting metrics regarding vulnerabilities, is a pitch for a product. And the core assumption behind the "need" for the product seems to be that IT professionals think Microsoft is the only source for vulnerabilities.

      Think about that last one and how isolated that IT professional must be from all news sources.

      If one were an IT professional (I'm not) I daresay java, pdfs, and Flash are first and foremost in mind as vectors that could be difficult to truncate, and thus, are nightmares. Perhaps iTunes should join those ranks for ones administering Windows shops in which workers can sync their devices or play music at their desktops.

      Assailing the source materials for not applying criteria that improve the rankings for the os vendor for which you have appointed yourself protector, that's so wildly off the beam.
      DannyO_0x98
    • RE: Wait a minute

      Not the best write-up. I tried to download the report and, eventually, discovered that Secunia wants your name, job title, email address, phone number and company name. Pfft ...

      Don't want it that bad.
      Rabid Howler Monkey
    • The amount of vulnerabilities does not indicate the impact of those

      baggins_z, for sure I can reply to your question that in fact the severity of the vulnerabilities found in Apple's and Oracle's software has far bigger impact than those found in Chrome.

      While Chrome would allow cross-site scripting attacks, and eventually in most cases access from remote, this could be mitigated with additional controls. However, Apple's and Adobe's, but mostly Oracle's vulnerabilities are far more critical.
      whydowepatch
  • Can't You Just...

    ...do whatever the Windows equivalent is of Linux commands like

    apt-get update && apt-get upgrade

    to bring all your installed packages up to date? I mean, what kind of OS makes you do the manual work?
    ldo17
    • The equivalent is running Windows Update

      which unfortunately, supports only Microsoft products. Every application vendor under the sun has built their own updating scheme.
      PepperdotNet
    • apt-get update && apt-get upgrade to bring all your installed packages up

      It's even easier with windows. It's automated. At the most, you might be one of the ones that need to click on Start; Windows Update to initiate it.
      Anything else (3rd party etc.) has to do auto updates or I won't and don't install it. Nothing new on either of my machines (XP and Win 7) without first getting specific permission.
      tom@...