Apple, Microsoft, PHP headline IBM's list of most vulnerable software

Vendors with the most reported security vulnerabilities

(Credit: IBM)

Proprietary vendors, including study author IBM, take a beating in a new report that catalogs software vulnerabilities.

Apple, Microsoft, Sun Microsystems, and IBM each sprinted to finish in the top five for most reported security vulnerabilities in the IBM Internet Security Systems's X-Force 2008 Mid-Year Trend Statistics report (PDF).

Not to be outdone, Joomla, WordPress, Drupal, and Linux also fought bravely to make the top 10. This is an indication of their growing adoption. As Sam Dean notes: no one bothers to hack a lonely system that few use.

However, it may also have much to do with the language in which all but Linux are written. According to the report:

An obvious trend demonstrated by the appearance of these (open-source) vendors on the top 10 list is the increasing prevalence of Web-related vulnerabilities...Another commonality between these three vendors is that they are all written in PHP. If we look back over last year's disclosures and apply the new CPE methodology to them, we would uncover another newcomer to the top five list, PHP itself, which would rank number four in the 2007 top five vendor list.

Suddenly, fuddy-duddy Java starts looking pretty good--or would, if the proprietary vendors on the list weren't also using Java or .Net. Perhaps there's simply no language that can protect users from determined bad guys.

As for who is finding the vulnerabilities, this is particularly interesting, especially in light of the "given enough eyeballs, all bugs are shallow" theory of open source. According to the report:

Over the past 1 1/2 years, independent researchers have been responsible for approximately 70 percent of all vulnerability disclosures (critical, high, medium, and low) that were not anonymously disclosed. However, research organizations are responsible for finding nearly 80 percent of critical vulnerabilities (those with a CVSS base score of 10).

In other words, trained eyeballs are better than average eyeballs for finding critical security problems in software. Does this inure to open source's benefit or undermine the "eyeballs/bugs" theory? I'm not sure. I can see both sides on this one.

As suggested above, the report finds that attacks are shifting from the operating system to Web applications...but not necessarily Web browsers, which are becoming more secure. Instead, attackers increasingly rely on "automated toolkits, obfuscation, and the prevalence of unpatched browsers and plug-ins" to attack users' systems. Indeed, plug-ins represent 78 percent of public security exploits affecting browsers.

What to do? Well, there's always the possibility of not using any of the companies or projects on the top 10 list, but that would leave you with a pretty lame technology existence. A little dose of intelligence online would probably go furthest in protecting users from attacks.

[jrepenning]

> Does this inure to open source's benefit or render the "more eyeballs" theory shallow? I'm not sure.

Sounds like a great case of "both and."

[The_Decider]

"Perhaps there's simply no language that can protect users from determined bad guys."

Perhaps? You obviously don't know anything about programming or you wouldn't have put perhaps in front of that very obvious and well known fact.

The more eyeballs theory only has merit if the owners of those eyeballs have a solid understanding of security. A well known, but somehow hidden fact is that most programmers have no real understanding of security.

I suggest that you read The 19 Deadly Sins of Software Security. It is a short book and easy for programmers with no security background to understand and isn't too technical that people who aren't programmers could follow it.

The number of reported vulnerabilities is a misleading metric used to mislead the ignorant. Some vulnerabilities are theoretical that could never be exploited. Some can get exploited in a thousand different ways. Also the security policies of the underlying system(be it VM or OS) also have an effect on how exploitable vulnerabilities are. This is why OSX has no exploits in the wild and why Windows gets raped on a daily basis and usually without needing user intervention.

[Pete Bardo]

I must be ignorant. Who would have guessed that Apple would top this list? OSX may have no "exploits in the wild" that you (or I) know of. I wouldn't expect that too last long. Sooner or later the bad guys will grow tired of attacking MS and feel up to the challenge of Apple.

[The_Decider]

You are assuming that a lot of effort to exploit OSX hasn't been happening. That is patently false. There are a lot of resources for exploiting OSX available and lots of people have tried. They have succeeded in lab environments with varying degrees of realism. It hasn't happened in the wild.

It is not like OSX is a new OS. It has been around for nearly a decade which is an eternity in this field.

Crackers, especially script kiddies go after the low hanging fruit. Nothing is lower or easier then exploiting a windows box in the wild.

[fedecarg]

It's great to see PHP next to the 2 biggest software companies in the world. It's definitely the most popular language on the Web.

Joomla, Wordpress and Drupal: Open source at it's finest.

[maboite]

How can you compare Apple And Joomla ?
How can you compare Os and simple web apps ?

[fedecarg]

> Another commonality between these three vendors is that they are all written in PHP

This is a great indicator of PHP's increasing popularity.

[mysqlrocks]

"In other words, trained eyeballs are better than average eyeballs for finding critical security problems in software. Does this inure to open source's benefit or undermine the "eyeballs/bugs" theory? I'm not sure. I can see both sides on this one."

Not so much. I'm assuming the "critical security problems" this article talks about are in _shipped_ software. While the eyeballs theory certainly applies to shipped software as well, it also applies to software as it is being developed and before it ships. I'm sure many security vulnerabilities are eliminated in free/open source software _before_ it ships due to the eyeballs theory. In other words: 1) developer checks code into version control 2) other developers review this code 3) potential security problems are found 4) potential security problems are fixed 5) software ships. Obviously proprietary software can have code reviews before shipping as well but the point is that _anyone_ can choose to review free/open source software before it ships. But, your article is only talking about those vulnerabilities that are found _after_ shipping, not the vulnerabilities that were found and never shipped. I'm sure proprietary software vendors will never report these vulnerabilities so they can't even be compared to their free/open source counterparts.