Security

December 17, 2009 3:07 PM PST

Firefox, Adobe top buggiest-software list

by Elinor Mills
  • 68 comments

Firefox was the application that had the most reported vulnerabilities this year, while holes in Adobe software more than tripled from a year ago, according to statistics compiled by Qualys, a vulnerability management provider.

Qualys tallied 102 vulnerabilities that were found in Firefox this year, up from 90 last year. The numbers are based on running totals in the National Vulnerability Database.

However, the high number of Firefox vulnerabilities doesn't necessarily mean the Web browser actually has the most bugs; it just means it has the most reported holes. Because the software is open source, all holes are publicly disclosed, whereas proprietary software makers, like Adobe and Microsoft, typically only publicly disclose holes that were found by researchers outside the company, and not ones discovered internally, Qualys Chief Technology Officer Wolfgang Kandek said late on Wednesday.

Meanwhile, Adobe took the second-place spot from Microsoft this year. The number of vulnerabilities in Adobe programs rose from 14 last year to 45 this year, while those in Microsoft software dropped from 44 to 41, according to Qualys. Internet Explorer, Windows Media Player and Microsoft Office together had 30 vulnerabilities.

A shift in focus
The numbers illustrate the trend of attackers turning their focus away from operating systems and toward applications, Kandek said.

"Operating systems have become more stable and harder to attack and that's why attackers are migrating to applications," he said. "Adobe is a huge focus for attacks now, around 10 times more than Microsoft Office. However, other widely used targets like Internet Explorer and Firefox are still far from secure."

Research from F-Secure earlier this year provides further evidence that holes in Adobe applications are being targeted more than Microsoft apps. During the first three months of 2009, F-Secure discovered 663 targeted attack files, the most popular type being PDFs at nearly 50 percent, followed by Microsoft Word at nearly 40 percent, Excel at 7 percent, and PowerPoint at 4.5 percent.

That compared with Word representing nearly 35 percent of all 1,968 targeted attacks in 2008, followed by Reader at more than 28 percent, Excel at nearly 20 percent, and PowerPoint at nearly 17 percent.

As a result, Adobe needs to respond the way Microsoft did in 2002 when it launched its Trustworthy Computing initiative, and make securing its software a company-wide priority, researchers say. F-Secure even recommended that people stop using Reader and use an alternative PDF reader.

Adobe has taken some action, announcing in May that it would release its security updates on a regular schedule, quarterly and coinciding with every third Microsoft Patch Tuesday.

Another study released this week focuses on which applications are the riskiest to users. Based on the most severe vulnerabilities in popular applications that run on Windows and which are not updated automatically, Firefox again tops the list, followed by Adobe Reader and Apple QuickTime, according to Bit9, a provider of application whitelisting technology.

The list of risky software compiled by Bit9 based on the National Vulnerability Database also includes Java, Flash Player, Safari, Shockwave, Acrobat, Opera, Real Player, and Trillian. Last year, the Bit9 list of the most risky apps included Skype, Yahoo IM, and AOL IM, but those three were not on this year's list.

Not included on the list are programs from Microsoft and Google, because users of their software can have patches installed automatically. Microsoft software can be automatically and centrally updated via Microsoft Systems Management Server and Windows Server Update Services, and Google Chrome is automatically updated whenever users are on the Internet, Bit9 said.

The lists do not take into account the amount of time it takes for companies to release patches, particularly when there is an exploit in the wild. Bit9 noted that Microsoft Internet Explorer was given an "honorable mention" because of a zero-day vulnerability related to ActiveX that went unpatched for three weeks in July.

Microsoft isn't alone in taking longer than customers would like to fix holes. In March, Adobe released a patch for a zero-day vulnerability in Reader and Acrobat--about two weeks after it was disclosed to users and nearly two months after exploits had been discovered in the wild.

Adobe customers will have to wait about a month for a fix to the latest critical zero-day hole in Reader and Acrobat. The company announced on Wednesday it would not patch the vulnerability until its next scheduled quarterly security update release on January 12.

Originally posted at InSecurity Complex
December 8, 2009 12:36 PM PST

Microsoft plugs zero-day IE hole

by Elinor Mills
  • 19 comments

Microsoft released fixes on Tuesday for critical vulnerabilities in Internet Explorer, including one for which exploit code has been released.

Adobe, meanwhile, was scheduled to release a critical update affecting Flash Player and Adobe AIR, following news of exploit code being released for a vulnerability in Illustrator CS3 and CS4 on Windows and Mac last week.

Microsoft's regular Patch Tuesday release includes six security bulletins addressing 12 vulnerabilities in IE, Windows, Windows Server, and Office.

However, priority should be given to the cumulative IE bulletin, which affects all major Windows versions including Windows 7, and IE 6, IE 7, and IE 8. The bulletin fixes five holes that could allow an attacker to remotely take control of a system in drive-by download attacks. The fix also addresses a problem with ActiveX controls built with Microsoft Active Template Library (ATL) headers that could allow remote code execution.

"Vulnerabilities in IE are generally pretty serious because all you have to do is go to a Web page or get referred to one" that has malicious code on it, said Jason Avery, manager of the Digital Vaccine service at TippingPoint. Three of the IE holes were disclosed through TippingPoint's Zero Day Initiative program over the summer, he said.

Another critical bulletin plugs holes in Windows' Internet Authentication Service and a third critical bulletin fixes a vulnerability in Microsoft Office Project. The three bulletins rated "important" fix holes in Windows involving the Local Security Authority Subsystem Service and Active Directory Federation Services, as well as a hole in WordPad and Office Text Converters.

The bulletins affect: Windows 2000, Windows XP, Vista, Windows 7, Server 2003, Server 2008, Office XP, Office 2003, Project 2000, Project 2002, Office Project 2003, Works 8.5, and Office Converter Pack.

This chart shows the priority in which Microsoft suggests deploying the latest patches. The cumulative IE bulletin is the most important.

(Credit: Microsoft)

Meanwhile, one bulletin rated "important" is being re-released to offer additional protections in the Domain Name Service for Windows 2000 Service Pack 4 systems. It addresses vulnerabilities in the DNS client and DNS server that could allow a remote attacker to redirect network traffic intended for systems on the Internet to the attacker's own systems.

Microsoft also released two new security advisories related to Integrated Windows Authentication and Indeo Codec. The Indeo Codec update, which applies to Windows XP and Server 2003, blocks the codec from being used in IE and Windows Media Player in the Internet Zone, Microsoft said in a Technet post. And the Integrated Windows Authentication advisory includes several nonsecurity updates that implement Extended Protection for Authentication to protect authentication credentials on the Windows platform.

In addition, Microsoft updated its Malicious Software Removal Tool to detect and remove the Win32/Hamweq worm.

"What's missing from today's patch is the fix for an outstanding denial of service attack that affects Microsoft's newest operating systems; Windows 7 and 2008 Server," said Andrew Storms, director of security operations at nCircle.

Originally posted at InSecurity Complex

December 3, 2009 12:59 PM PST

Microsoft to plug critical IE hole targeted by exploit code

by Elinor Mills
  • 24 comments

Microsoft said on Thursday that it will offer six updates for 12 vulnerabilities next week including a critical hole in Internet Explorer that affects Windows 7 and other current versions of the operating system for which exploit code has been released.

Late last month, Microsoft said it was investigating an IE vulnerability after someone released proof-of-concept code affecting IE 6 and IE 7 that could be used to take control of computers.

Microsoft described the problem in an advisory issued November 23: "The vulnerability exists as an invalid pointer reference of Internet Explorer. It is possible under certain conditions for a CSS/Style object to be accessed after the object is deleted. In a specially-crafted attack, Internet Explorer attempting to access a freed object can lead to running attacker-supplied code."

Of the six updates Microsoft will release on Patch Tuesday, three of them are critical, according to a Microsoft security bulletin advance notification.

Software affected includes Windows 2000, Windows XP, Vista, Windows 7, Server 2003, Server 2008, Office XP, and Office 2003.

Originally posted at InSecurity Complex
December 1, 2009 1:05 PM PST

Microsoft: November security updates are fine

by Ina Fried
  • 58 comments

Microsoft said Tuesday that its investigation has turned up no evidence that anything in its November security updates should be causing users to encounter a so-called "black screen of death."

"Microsoft has investigated reports that its November security updates made changes to permissions in the registry that are resulting in system issues for some customers," Microsoft security response communications lead Christopher Budd said in a statement. "The company has found those reports to be inaccurate and our comprehensive investigation has shown that none of the recently released updates are related to the behavior described in the reports."

Microsoft said it was not contacted by British security firm Prevx before that company went public with its claims. Microsoft said it has reached out to them to let them know the results of its investigation.

The company said on Monday that it would look into the matter, but issued an update later in the day saying it could not verify any issues.

"Our support organization is also not seeing this as an issue," Budd said on Tuesday. "The claims also do not match any known issues that have been documented in the security bulletins or (knowledge base) articles."

Update, 3:15 p.m. PT: Prevx posted an updated blog saying that it has done additional testing.

"Having narrowed down a specific trigger for this condition we've done quite a bit of testing and re-testing on the recent Windows patches," the company said. "Since more specifically narrowing down the cause we have been able to exonerate these patches from being a contributory factor."

The company also offered up a mea culpa to Redmond and said it also recommends users keep patching their systems promptly. "We apologize to Microsoft for any inconvenience our blog may have caused."

Originally posted at Beyond Binary
November 30, 2009 3:08 PM PST

Microsoft actively urges IE 6 users to upgrade

by Stephen Shankland

Microsoft has begun a campaign to actively urge users of its 8-year-old Internet Explorer 6 browser to upgrade.

After launching IE 8 in March, Microsoft has concurred with critics that IE 6 is outdated. Many people have dropped the older browser, but the remaining users are often the tough cases--those who don't have a choice because of corporate computing policy or who aren't tech-savvy enough to realize there's a reason to move on.

This eBay 'Web slice'--basically a live bookmark in Internet Explorer 8--is part of Microsoft's effort to get people to upgrade from IE 6.

(Credit: Screenshot by Stephen Shankland/CNET)

It's this latter population Microsoft is targeting with a campaign that runs through June 2010 that touts its own IE 8 as a better alternative. The campaign's first visible elements are a video aimed at online holiday shoppers and a Web slice to promote daily deals at eBay. Web slices are basically live bookmarks that can show miniature Web pages in the browser.

"What we're doing with the outreach is help users understand how to protect themselves against social engineering threats that exist and to help people understand how Internet Explorer 8 puts people in control of their own privacy online," said Ryan Servatius, senior product manager for Internet Explorer. Security was one of the big problems with IE 6, and Microsoft now boasts that security features in IE 8 block 2 million malware sites a day.

According to Net Applications' statistics, Internet Explorer 6 is still the most widely used browser, with 23.3 percent share of usage in October, followed by IE 7 at 18.2 percent and IE 8 at 18.1 percent. The newer browsers are gaining on IE 6, but so are rivals including Mozilla's Firefox, Apple's Safari, and Google's Chrome.

Web developers often gripe about having to support IE 6, which doesn't support many modern features for more sophisticated Web sites and even applications. Microsoft acknowledges that it's holding back development of the Internet, too.

"The best thing a user can do to advance the Web is to help move people off IE 6," Servatius said.

Of course, many will upgrade to IE 8 by buying Windows 7. IE 6 was the browser that shipped with Windows XP, which remains entrenched, but there are signs Windows 7 is a more compelling successor than Windows Vista. That could help the corporate customers move away from IE 6, Servatius said.

"As enterprises migrate from whatever operating system they're using today to Windows 7, that's going to help deprecate IE 6," he said. "What we're doing is working both with consumers worldwide and IT professionals to help them understand what the benefits of a modern browser are."

Originally posted at Deep Tech
November 30, 2009 1:37 PM PST

Microsoft investigating 'black screen of death'

by Ina Fried
  • 115 comments

Microsoft said on Monday that it is looking into reports that its latest security updates are causing some serious problems for certain users.

The problem has been dubbed the "black screen of death" because those affected are left with a black desktop and little else on their screen.

"Microsoft is investigating reports that its latest release of security updates is resulting in system issues for some customers," the software maker said in a statement. "Once we complete our investigation, we will provide detailed guidance on how to prevent or address these issues."

The issue was noted by British security firm Prevx on its blog on Friday, with that company also offering a suggested fix for the problem.

"The symptoms are very distinctive and troublesome," Prevx said. "After logging on there is no desktop, task bar, system tray or sidebar. Instead you are left with a totally black screen and a single My Computer Explorer window."

Prevx suggested that the black screen issue can occur on a wide range of Windows machines from Windows NT through Windows 7. In its blog, Prevx said there appear to be many causes of the black-screen issue, not all of which are related to the security update.

"In researching this issue we have identified at least 10 different scenarios which will trigger the same black screen conditions," Prevx said. "These appear to have been around for years now." As for the latest security update, Prevx said changes to the way registry keys are handled appears to be the reason it is causing black screens.

I've asked Microsoft what it recommends users should do for now and will post its answer here.

Microsoft released its latest security updates on November 10, issuing six bulletins addressing 15 flaws.

Update, 3:35 p.m. PT: A Microsoft representative said that the company continues to recommend that customers "test and deploy" the November security updates.

"Based on our investigation so far we can say that we're not seeing this as an issue from our support organization," the representative said. "The issues as described also do not match any known issues that have been documented in the security bulletins or (knowledge base) articles."

Originally posted at Beyond Binary
November 23, 2009 12:40 PM PST

Microsoft warns of IE exploit code in the wild

by Elinor Mills
  • 51 comments

Microsoft on Monday said it is investigating a possible vulnerability in Internet Explorer after exploit code was posted to a security mailing list that allegedly can be used to take control of computers that visit a Web site hosting the code.

Microsoft confirmed that the exploit code affects IE 6 and IE 7, but not IE 8, and it said it is "currently unaware of any attacks trying to use the claimed vulnerability or of customer impact," according to a statement.

The exploit code was published to the BugTraq mailing list on Friday with no explanation.

"The exploit targets a vulnerability in the way Internet Explorer uses Cascading Style Sheet (CSS) information. CSS is used in many Web pages to define the presentation of the sites' content," Symantec wrote in a blog post this weekend.

"The exploit currently exhibits signs of poor reliability, but we expect that a fully functional, reliable exploit will be available in the near future," Symantec said. Symantec urges IE users to keep their antivirus software up-to-date, disable JavaScript, and visit only trusted Web sites, until Microsoft issues a patch for the hole.

Anyone believed to have been affected can visit Microsoft's Consumer Security Support Center, report it to the Internet Crime Complaint Center, and contact the FBI or law enforcement in the particular country, Microsoft said. U.S. residents can also call Microsoft's PC Safety Customer Service and Support number at 1-866-727-2338.

In July, critical holes in IE prompted Microsoft to issue a rare out-of-cycle (in other words, pre-Patch Tuesday) fix.

Originally posted at InSecurity Complex
November 13, 2009 5:15 PM PST

Microsoft patching zero-day Windows 7 SMB hole

by Elinor Mills
  • 28 comments

Microsoft on Friday said it is working on a fix for a vulnerability in the Server Message Block file-sharing protocol in Windows 7 and Windows Server 2008 Release 2 that could be used to remotely crash a computer.

The software giant had said on Wednesday that it was looking at the bug, discovered by researcher Laurent Gaffié, who published proof-of-concept code on a blog.

"Microsoft is aware of public, detailed exploit code that would cause a system to stop functioning or become unreliable. If exploited, this [denial-of-service] vulnerability would not allow an attacker to take control of, or install malware on, the customer's system but could cause the affected system to stop responding until manually restarted," Dave Forstrom, group manager for public relations at Microsoft Trustworthy Computing, said in a statement. "It is important to note that the default firewall settings on Windows 7 will help block attempts to exploit this issue."

Microsoft is not aware of attacks to exploit the hole at this time, he said.

In an advisory, Microsoft criticized the way Gaffié handled the discovery.

"Microsoft is concerned that this new report of a vulnerability was not responsibly disclosed, potentially putting computer users at risk," the advisory said. "We continue to encourage responsible disclosure of vulnerabilities."

The advisory suggests that customers block Transmission Control Protocol, or TCP, ports 139 and 445 at the firewall, as a workaround until a patch is ready.
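As an added illustration (not code from the article or from Microsoft's advisory), the following PowerShell script applies that interim workaround on a Windows 7 or Server 2008 R2 host with netsh, adding inbound block rules for TCP 139 and 445 and skipping any rule that already exists; the rule names are our own choice, and the script assumes an elevated prompt. Note that blocking these ports also stops inbound file and printer sharing on the host, so the rules should be deleted once the patch is deployed.

```powershell
# Added example: interim SMB denial-of-service workaround on Windows 7 / 2008 R2.
# Assumes an elevated prompt; rule names below are arbitrary labels chosen here.
$ports = 139, 445

foreach ($port in $ports) {
    $name = "Workaround - Block inbound SMB TCP $port"

    # netsh prints "No rules match the specified criteria." and returns a
    # non-zero exit code when no rule with this name exists (assumed behaviour).
    netsh advfirewall firewall show rule name="$name" | Out-Null
    if ($LASTEXITCODE -eq 0) {
        Write-Host "Rule '$name' already present, skipping"
        continue
    }

    # Block the port inbound on every profile (domain, private, public).
    netsh advfirewall firewall add rule name="$name" dir=in action=block `
        protocol=TCP localport=$port profile=any
}

# Confirm the rules are in place.
netsh advfirewall firewall show rule name=all |
    Select-String "Workaround - Block inbound SMB"

# Roll back after the patch is installed:
#   netsh advfirewall firewall delete rule name="Workaround - Block inbound SMB TCP 139"
#   netsh advfirewall firewall delete rule name="Workaround - Block inbound SMB TCP 445"
```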

Originally posted at InSecurity Complex

November 11, 2009 5:29 PM PST

Microsoft probing Windows 7 zero-day hole

by Elinor Mills
  • 111 comments

Microsoft said on Wednesday it is looking into a report of a vulnerability in Windows 7 and Server 2008 Release 2 that could be used by an attacker to remotely crash the computer.

The company is investigating claims of a "possible denial-of-service vulnerability in Windows Server Message Block (SMB)," the Microsoft spokesperson said, adding that the company was unaware of any attacks trying to exploit the hole.

The bug triggers an infinite loop on the Server Message Block (SMB) protocol used for sharing files in Windows, researcher Laurent Gaffié wrote in a posting on the Full-Disclosure mailing list and on a blog.

"Whatever your firewall is set to, you can get remotely smashed via IE or even via some broadcasting NBNS [NetBIOS Naming Service] tricks," Gaffié wrote.

Gaffié also posted proof-of-concept code for the "Windows 7, Server 2008R2 Remote Kernel Crash."

On Tuesday, Microsoft issued six patches to fix 15 vulnerabilities, including a critical hole in the Windows kernel, as part of November's Patch Tuesday.

Originally posted at InSecurity Complex

November 10, 2009 10:50 AM PST

Microsoft patches critical hole in Windows kernel

by Elinor Mills
  • 40 comments

Microsoft on Tuesday issued six security bulletins fixing 15 vulnerabilities, including a critical patch for holes in the Windows kernel and other Windows and Office components that could allow an attacker to take control of a computer.

The critical bulletin affecting the Kernel-Mode Drivers was publicly disclosed and could be used to create a Web page with malware designed to exploit the hole on systems that visit the page, Microsoft said in a blog posting.

"MS09-065, a bug in the Windows kernel, is this month's most serious issue," said Andrew Storms, director of security operations at nCircle. "The vulnerability allows for remote code execution, and the attack code can be embedded inside MS Office files or be hosted on websites. Simply browsing an infected website will compromise unsuspecting users -- not great for all the holiday shoppers looking to get a jump on their shopping. The novelty value of this bug is likely to attract many researchers. A lot of people will try to be the first to publicly post exploit code."

The two other critical bulletins fix holes in Web Services on Devices API and in License Logging Server. Two bulletins ranked "important" fix holes that pose risk of remote code execution if a user opened a maliciously crafted Excel or Word file.

"It is interesting that a new service that helps with the 'user experience' can cause so much harm," said Jason Miller, data and security team leader at Shavlik Technologies. "The WSDAPI service allows users to easily find devices such as printers and cameras on their network. This vulnerability is also not publicly known at this time."

Software affected by the patches includes Windows 2000, XP, Server 2003, Vista, Server 2008, Office XP, Office 2003, 2007 Microsoft Office System, Office 2004 for Mac, and Office 2008 for Mac, according to the bulletin.

Meanwhile, the Microsoft Malware Protection Center team added two rogue antivirus families to the Malicious Software Removal Tool -- Win32/FakeVimes, which calls itself "Windows System Defender" and "Windows Enterprise Suite," and Win32/PrivacyCenter, which calls itself "Safety Center."

Originally posted at InSecurity Complex