Reckless IT pros are missing security holes in non-Microsoft software
Summary: Secunia reports that only 14 percent of the vulnerabilities found in the 50 most popular programs last year were in Microsoft products, while 86 percent were in third-party software. It reckons IT professionals should do more to patch them … and it sells products to help.
Secunia's latest Vulnerability Review 2013 (PDF) reports that 86 percent of the vulnerabilities found in the 50 most popular programs in 2012 were in non-Microsoft programs.

"Even so, IT professionals everywhere are inclined to focus on patching Microsoft programs, operating systems and just a few other programs," says Secunia. "Ignoring the threat that vulnerabilities represent in non-Microsoft programs is both reckless and unnecessary."
Not only are third-party software suppliers responsible for the vast majority of security vulnerabilities, they are responsible for an increasing share. The 14 percent of vulnerabilities found in Microsoft programs and Windows operating systems in 2012 is a dramatic improvement on the 22 percent found in 2011. The number was as high as 43 percent in 2007.
The Top 50 most popular programs comprised 29 Microsoft programs and 21 third-party programs, giving Microsoft a 58 percent share of the software under consideration. Microsoft's 14 percent share of the vulnerabilities was made up of 5.5 percent found in operating systems and 8.5 percent found in other Microsoft programs.
Of the 21 third-party programs, 1,137 vulnerabilities were found in 18 products from eight vendors.
The bulk of the vulnerabilities were found in web browsers and software from the usual suspects: Apple and Adobe. Google Chrome led the way with 291 vulnerabilities, followed by Mozilla Firefox (257), Apple iTunes (243), Adobe Flash (67), Oracle Java JRE SE (66), Adobe Air (56), Adobe Reader (43), and Apple QuickTime (29).
Windows 7 had the most vulnerabilities among the Microsoft products (50), followed by Internet Explorer (41) and the .Net Framework (14).
All this warns against relying too much on numbers. Google Chrome is sandboxed to provide a high level of security, and it's updated very frequently. It's much safer than its score might suggest. By contrast, Oracle Java JRE SE has been a security disaster to the point where the most rational approach is to uninstall it, regardless of its lower score.
Secunia points out that Windows 7 had a high number of vulnerabilities last year, as "a result of the work of one security researcher, who decided to dig into one specific component, win32k.sys. By doing so, he discovered 22 vulnerabilities in 2010 and 59 vulnerabilities in 2011." Only four had been found in 2009.
No doubt all software contains bugs, if someone is prepared to dig deep enough to find them. Chrome's high number of vulnerabilities may therefore indicate that it's more secure because more bugs have been found and remediated.

On the positive side, Secunia reports that in 2012, 84 percent of vulnerabilities had a patch available on the day they were disclosed, as compared with 72 percent in 2011. Morten R Stengaard, Secunia's Director of Product Management, said: "This means that it is possible to remediate the majority of vulnerabilities. There is no excuse for not patching. To take advantage of this improvement in patch availability, organizations must know which programs are present on their systems and which of these programs are insecure, and then take an intelligent and prioritized approach to remediating them."
In all, Secunia reported a total of 9,776 vulnerabilities in 2,503 vulnerable products from 421 vendors.
Needless to say, it may only take one unpatched vulnerability in one program to compromise a company's security.
The Copenhagen company gets the bulk of its data from its free Personal Software Inspector (PSI) program, which is installed on millions of Windows PCs (including mine). These PCs have, on average, 72 programs installed. Secunia says these programs vary "from country to country and region to region" so it's simpler to focus on the 50 most common ones.
PSI makes regular checks to see if a PC contains any programs that do not have the latest patches installed, and makes it easy for users to patch them. This is important since not all vendors provide scheduled updates, and they may not notify users when patched versions are released.
Secunia also sells a Corporate Software Inspector (CSI) and is currently beta-testing a small business version of its product.
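The workflow the article describes, knowing which programs are present, which of them are insecure, and remediating in a prioritized order, is easy to sketch in code. The script below is an added illustration written for this page; it is not Secunia's PSI or CSI, and the program names, version numbers, and advisory records are constructed sample data. It matches an inventory of installed programs against an advisory list using simple dotted-numeric version comparison, skips anything already at or above the fixed version, and orders the remaining findings by criticality, with patchable items ahead of those still awaiting a vendor fix.

```python
"""Toy software-inspector in the spirit of the inventory-then-prioritize workflow.

Added example for this page; not Secunia's code. All data below is constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed inventory: program name -> installed version on one PC.
INSTALLED: Dict[str, str] = {
    "Example Browser": "24.0.1",
    "Example Media Player": "11.0.2",
    "Example Runtime": "7.0.11",
    "Example Reader": "11.0.1",
}

# Constructed advisory feed. fixed_in is the lowest version that closes the issue
# (None when the vendor has not shipped a fix yet); criticality runs 1 (low) to 5.
ADVISORIES: List[dict] = [
    {"program": "Example Browser", "fixed_in": "24.0.3", "patch_available": True, "criticality": 4},
    {"program": "Example Runtime", "fixed_in": "7.0.15", "patch_available": True, "criticality": 5},
    {"program": "Example Reader", "fixed_in": None, "patch_available": False, "criticality": 3},
    {"program": "Example Media Player", "fixed_in": "11.0.2", "patch_available": True, "criticality": 2},
]


def parse_version(version: str) -> tuple:
    """Turn a dotted-numeric version such as '24.0.3' into a comparable tuple.

    Only plain dotted integers are supported; real vendor schemes vary and
    would need a per-vendor parser.
    """
    return tuple(int(part) for part in version.split("."))


@dataclass
class Finding:
    program: str
    installed: str
    fixed_in: Optional[str]
    patch_available: bool
    criticality: int


def inspect(installed: Dict[str, str], advisories: List[dict]) -> List[Finding]:
    """Return the insecure installed programs, most urgent first."""
    findings: List[Finding] = []
    for adv in advisories:
        name = adv["program"]
        if name not in installed:
            continue  # not present on this machine, nothing to remediate
        current = installed[name]
        fixed = adv["fixed_in"]
        if fixed is not None and parse_version(current) >= parse_version(fixed):
            continue  # already at or above the fixed version
        findings.append(Finding(name, current, fixed, adv["patch_available"], adv["criticality"]))
    # Highest criticality first; within a level, items that can be patched today
    # come before those that still need a compensating control.
    findings.sort(key=lambda f: (-f.criticality, not f.patch_available, f.program))
    return findings


def patch_coverage(findings: List[Finding]) -> float:
    """Share of open findings for which a vendor patch already exists."""
    if not findings:
        return 1.0
    return sum(1 for f in findings if f.patch_available) / len(findings)


if __name__ == "__main__":
    results = inspect(INSTALLED, ADVISORIES)
    for f in results:
        action = f"update to {f.fixed_in}" if f.patch_available else "no patch yet: mitigate or remove"
        print(f"[crit {f.criticality}] {f.program} {f.installed}: {action}")
    print(f"patch coverage: {patch_coverage(results):.0%}")
```

Running it lists the runtime first (criticality 5), then the browser, then the reader, which has no fix available and so needs a compensating control or removal rather than a patch; the media player is already at its fixed version and is not reported.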
Talkback
Wait a minute
Also, are all these exploits equally severe? There's a difference between an exploit that crashes the browser, and one that lets you root the system. Chrome may have the most by count, but I would wager they are all pretty benign.
About the time to bust the "FOSS/LINUX security" myth
Care to wave your hand a bit more
re: They're more likely to be promoted than shuffled off.
HTH,
Twayne`
Not buying it
tom tom tom
It's hardly ever used as an excuse to fire someone for being the source of poor security in software, rather it's a cause for celebration and bonuses!
Mind you, my code is always secure, efficient and so wonderful that people have been known to spasm in delight at it. So, I have a somewhat jaundiced view of other people's "work."
So you're saying that it's fine that FOSS software has lots of
I can see why a lot of FOSS software developers are being tossed on the streets.
Must be because of their poor approach to security.
Flawed logic as usual
It could be worse
I'm not a software developer, ego.sum, nor need to be.
End of story.
And that explains the layoffs at Micro$oft
LBiege: "About the time to bust the "FOSS/LINUX security" myth"
http://openbsd.org/security.html#52
The "many eyes" statement from FOSS advocates is hype. OpenBSD's auditing team is comprised of 6 to 12 individuals (see the above link).
P.S. Microsoft gets applause from me for its commitment to the Secure Development Lifecycle:
http://www.microsoft.com/security/sdl/default.aspx
Re: Oracle's Java SE 7 comes to mind in the proprietary camp,
pretty benign?
What IS worth mentioning is that the author did a P-poor job of reporting in any manner that was meaningful about the numbers he was using. I don't consider anything that is covertly placed on my machine "benign" in any way; and besides, penetration of any machine is not a "benign" event; there is no such thing in the circles I run in.
Actually, it's been so long since anything has been compromised on either of my machines I can't even guess at how many years ago it was. Some tried, but they never touched my hard disc thanks to my NAT router, reliable anti-virus/anti-malware detectors/monitors, and an ISP with excellent filters that alert me when a spam/scam has been stopped just in case I want to authorize it within the next 5 days. They keep it in quarantine for 5 days and then delete it; they haven't yet caught a "good mail" I asked to have sent to me so they err on the side of safety, which is OK with me and just how I like it.
Let's see, that means I use a NAT router gateway with firewall rules and spam rules, plus a reliable and up to date AV, one realtime malware detector (not MS) and three separate malware disc scanners. Every one updates itself and tells me how long since the last update so they require only occasional glances to make sure they're working properly and the only effort expended was the original installation. I have licenses for both machines, many allow up to 3 machine installs as long as it's at this same address, and the others are well respected freebies.
Those and a bit of "safe hex" (look it up if you don't know what that means) is all it takes. It's also easy, should I decide I want to start using another site I don't know anything about yet, to do reputation/blacklist/blocklist/reliability/WOT ratings.
That's a lot of words just to say, really, that with nominal effort it's easy to avoid the "bad stuff".
The ONLY way I've had any problems was my Win 7 machine needed a complete reinstall after the CMOS battery died (quickly) and by the time I noticed had scrambled things so badly the computer couldn't find an OS to use. That was a PITA but it wasn't a virus; it was my own refusal to realize the CMOS coin-cell battery was dying in time to replace it before catastrophe struck. We're our own worst enemies sometimes.
HTH,
Twayne`
Wow
Here's the point. The source press release, while providing some moderately interesting metrics regarding vulnerabilities, is a pitch for a product. And the core assumption behind the "need" for the product seems to be that IT professionals think Microsoft is the only source for vulnerabilities.
Think about that last one and how isolated that IT professional must be from all news sources.
If one were an IT professional (I'm not) I daresay java, pdfs, and Flash are first and foremost in mind as vectors that could be difficult to truncate, and thus, are nightmares. Perhaps iTunes should join those ranks for ones administering Windows shops in which workers can sync their devices or play music at their desktops.
Assailing the source materials for not applying criteria that improve the rankings for the os vendor for which you have appointed yourself protector, that's so wildly off the beam.
RE: Wait a minute
Don't want it that bad.
The amount of vulnerabilities does not indicate the impact of those
While Chrome would allow cross-site scripting attacks, and eventually in most cases access from remote, this could be mitigated with additional controls. However, Apple's and Adobe's, but mostly Oracle's vulnerabilities are far more critical.
Can't You Just...
apt-get update && apt-get upgrade
to bring all your installed packages up to date? I mean, what kind of OS makes you do the manual work?
The equivalent is running Windows Update
apt-get update && apt-get upgrade to bring all your installed packages up
Anything else (3rd party etc.) has to do auto updates or I won't and don't install it. Nothing new on either of my machines (XP and Win 7) without first getting specific permission.