• On TechRepublic: Why VISTA HATERS will love Windows 7
July 31, 2008 3:07 PM PDT

Apple, Microsoft, PHP headline IBM's list of most vulnerable software

by Matt Asay

Vendors with the most reported security vulnerabilities

(Credit: IBM)

Proprietary vendors, including study author IBM, take a beating in a new report that catalogs software vulnerabilities.

Apple, Microsoft, Sun Microsystems, and IBM each sprinted to finish in the top five for most reported security vulnerabilities in the IBM Internet Security Systems's X-Force 2008 Mid-Year Trend Statistics report (PDF).

Not to be outdone, Joomla, WordPress, Drupal, and Linux also fought bravely to make the top 10. This is an indication of their growing adoption. As Sam Dean notes: no one bothers to hack a lonely system that few use.

However, it may also have much to do with the language in which all but Linux are written. According to the report:

An obvious trend demonstrated by the appearance of these (open-source) vendors on the top 10 list is the increasing prevalence of Web-related vulnerabilities...Another commonality between these three vendors is that they are all written in PHP. If we look back over last year's disclosures and apply the new CPE methodology to them, we would uncover another newcomer to the top five list, PHP itself, which would rank number four in the 2007 top five vendor list.

Suddenly, fuddy-duddy Java starts looking pretty good--or would, if the proprietary vendors on the list weren't also using Java or .Net. Perhaps there's simply no language that can protect users from determined bad guys.

As for who is finding the vulnerabilities, this is particularly interesting, especially in light of the "given enough eyeballs, all bugs are shallow" theory of open source. According to the report:

Over the past 1 1/2 years, independent researchers have been responsible for approximately 70 percent of all vulnerability disclosures (critical, high, medium, and low) that were not anonymously disclosed. However, research organizations are responsible for finding nearly 80 percent of critical vulnerabilities (those with a CVSS base score of 10).

In other words, trained eyeballs are better than average eyeballs for finding critical security problems in software. Does this inure to open source's benefit or undermine the "eyeballs/bugs" theory? I'm not sure. I can see both sides on this one.

As suggested above, the report finds that attacks are shifting from the operating system to Web applications...but not necessarily Web browsers, which are becoming more secure. Instead, attackers increasingly rely on "automated toolkits, obfuscation, and the prevalence of unpatched browsers and plug-ins" to attack users' systems. Indeed, plug-ins represent 78 percent of public security exploits affecting browsers.

What to do? Well, there's always the possibility of not using any of the companies or projects on the top 10 list, but that would leave you with a pretty lame technology existence. A little dose of intelligence online would probably go furthest in protecting users from attacks.

Matt Asay brings a decade of in-the-trenches open-source business and legal experience to The Open Road, with an emphasis on emerging open-source business strategies and opportunities. Matt is vice president of business development at Alfresco, a company that develops open-source software for content management. He is a member of the CNET Blog Network and is not an employee of CNET. Disclosure.
Recent posts from The Open Road
What soccer team would your company be?
Open-source licensing: Your mileage may vary
Open source to shape cloud computing, but not dominate it
Off-topic: Why can't I have this job?
Legalized drugs, now open source. Those crazy Dutch!
Will 'good enough' virtualization topple VMware?
Linux community codes around Microsoft's FAT patents
As Mozilla 'upgrades the Web,' Microsoft must upgrade its pace
Add a Comment (Log in or register) (8 Comments)
  • prev
  • 1
  • next
by jrepenning July 31, 2008 5:22 PM PDT
> Does this inure to open source's benefit or render the "more eyeballs" theory shallow? I'm not sure.

Sounds like a great case of "both and."
Reply to this comment
by The_Decider August 1, 2008 8:58 AM PDT
"Perhaps there's simply no language that can protect users from determined bad guys."

Perhaps? You obviously don't know anything about programming or you wouldn't have put perhaps in front of that very obvious and well known fact.

The more eyeballs theory only has merit if the owners of those eyeballs have a solid understanding of security. A well known, but somehow hidden fact is that most programmers have no real understanding of security.

I suggest that you read The 19 Deadly Sins of Software Security. It is a short book and easy for programmers with no security background to understand and isn't too technical that people who aren't programmers could follow it.

The number of reported vulnerabilities is a misleading metric used to mislead the ignorant. Some vulnerabilities are theoretical that could never be exploited. Some can get exploited in a thousand different ways. Also the security policies of the underlying system(be it VM or OS) also have an effect on how exploitable vulnerabilities are. This is why OSX has no exploits in the wild and why Windows gets raped on a daily basis and usually without needing user intervention.
Reply to this comment
by Pete Bardo August 1, 2008 10:04 AM PDT
I must be ignorant. Who would have guessed that Apple would top this list? OSX may have no "exploits in the wild" that you (or I) know of. I wouldn't expect that too last long. Sooner or later the bad guys will grow tired of attacking MS and feel up to the challenge of Apple.
Reply to this comment
by The_Decider August 1, 2008 10:57 AM PDT
You are assuming that a lot of effort to exploit OSX hasn't been happening. That is patently false. There are a lot of resources for exploiting OSX available and lots of people have tried. They have succeeded in lab environments with varying degrees of realism. It hasn't happened in the wild.

It is not like OSX is a new OS. It has been around for nearly a decade which is an eternity in this field.

Crackers, especially script kiddies go after the low hanging fruit. Nothing is lower or easier then exploiting a windows box in the wild.
by fedecarg August 26, 2008 2:09 AM PDT
It's great to see PHP next to the 2 biggest software companies in the world. It's definitely the most popular language on the Web.

Joomla, Wordpress and Drupal: Open source at it's finest.
Reply to this comment
by maboite August 26, 2008 2:24 AM PDT
How can you compare Apple And Joomla ?
How can you compare Os and simple web apps ?
Reply to this comment
by fedecarg August 26, 2008 2:28 AM PDT
> Another commonality between these three vendors is that they are all written in PHP

This is a great indicator of PHP's increasing popularity.
Reply to this comment
by mysqlrocks August 26, 2008 7:47 AM PDT
"In other words, trained eyeballs are better than average eyeballs for finding critical security problems in software. Does this inure to open source's benefit or undermine the "eyeballs/bugs" theory? I'm not sure. I can see both sides on this one."

Not so much. I'm assuming the "critical security problems" this article talks about are in _shipped_ software. While the eyeballs theory certainly applies to shipped software as well, it also applies to software as it is being developed and before it ships. I'm sure many security vulnerabilities are eliminated in free/open source software _before_ it ships due to the eyeballs theory. In other words: 1) developer checks code into version control 2) other developers review this code 3) potential security problems are found 4) potential security problems are fixed 5) software ships. Obviously proprietary software can have code reviews before shipping as well but the point is that _anyone_ can choose to review free/open source software before it ships. But, your article is only talking about those vulnerabilities that are found _after_ shipping, not the vulnerabilities that were found and never shipped. I'm sure proprietary software vendors will never report these vulnerabilities so they can't even be compared to their free/open source counterparts.
Reply to this comment
(8 Comments)
  • prev
  • 1
  • next
advertisement

Making sense of Windows 7 upgrades

faq The basics and the fine print on Microsoft's options for those eyeing the next operating system from Redmond.
• Full Windows 7 coverage

Road Trip 2009: Big Sky Country

CNET News reporter Daniel Terdiman takes his car full of gadgets to the Rockies and the Great Plains in search of tech, science, nature, and more.
• America's Fortress: Cheyenne Mountain

About The Open Road

Matt Asay brings a decade of in-the-trenches open-source business and legal experience to the Open Road, with an emphasis on emerging open-source business strategies and opportunities. Matt is general manager of the Americas division and vice president of business development at Alfresco, a company that develops open-source software for content management. He is a member of the CNET Blog Network and is not an employee of CNET. Disclosure.

Add this feed to your online news reader

The Open Road topics

advertisement
advertisement

Inside CNET News

Scroll Left Scroll Right