Apple, Microsoft, PHP headline IBM's list of most vulnerable software
Vendors with the most reported security vulnerabilities
(Credit: IBM)Proprietary vendors, including study author IBM, take a beating in a new report that catalogs software vulnerabilities.
Apple, Microsoft, Sun Microsystems, and IBM each sprinted to finish in the top five for most reported security vulnerabilities in the IBM Internet Security Systems's X-Force 2008 Mid-Year Trend Statistics report (PDF).
Not to be outdone, Joomla, WordPress, Drupal, and Linux also fought bravely to make the top 10. This is an indication of their growing adoption. As Sam Dean notes: no one bothers to hack a lonely system that few use.
However, it may also have much to do with the language in which all but Linux are written. According to the report:
An obvious trend demonstrated by the appearance of these (open-source) vendors on the top 10 list is the increasing prevalence of Web-related vulnerabilities...Another commonality between these three vendors is that they are all written in PHP. If we look back over last year's disclosures and apply the new CPE methodology to them, we would uncover another newcomer to the top five list, PHP itself, which would rank number four in the 2007 top five vendor list.
Suddenly, fuddy-duddy Java starts looking pretty good--or would, if the proprietary vendors on the list weren't also using Java or .Net. Perhaps there's simply no language that can protect users from determined bad guys.
As for who is finding the vulnerabilities, this is particularly interesting, especially in light of the "given enough eyeballs, all bugs are shallow" theory of open source. According to the report:
Over the past 1 1/2 years, independent researchers have been responsible for approximately 70 percent of all vulnerability disclosures (critical, high, medium, and low) that were not anonymously disclosed. However, research organizations are responsible for finding nearly 80 percent of critical vulnerabilities (those with a CVSS base score of 10).
In other words, trained eyeballs are better than average eyeballs for finding critical security problems in software. Does this inure to open source's benefit or undermine the "eyeballs/bugs" theory? I'm not sure. I can see both sides on this one.
As suggested above, the report finds that attacks are shifting from the operating system to Web applications...but not necessarily Web browsers, which are becoming more secure. Instead, attackers increasingly rely on "automated toolkits, obfuscation, and the prevalence of unpatched browsers and plug-ins" to attack users' systems. Indeed, plug-ins represent 78 percent of public security exploits affecting browsers.
What to do? Well, there's always the possibility of not using any of the companies or projects on the top 10 list, but that would leave you with a pretty lame technology existence. A little dose of intelligence online would probably go furthest in protecting users from attacks.
- Topics:
-
Industry news,
-
Microsoft,
-
Research,
-
Apple
- Bookmark:
- Digg
- Del.icio.us
Sounds like a great case of "both and."
Perhaps? You obviously don't know anything about programming or you wouldn't have put perhaps in front of that very obvious and well known fact.
The more eyeballs theory only has merit if the owners of those eyeballs have a solid understanding of security. A well known, but somehow hidden fact is that most programmers have no real understanding of security.
I suggest that you read The 19 Deadly Sins of Software Security. It is a short book and easy for programmers with no security background to understand and isn't too technical that people who aren't programmers could follow it.
The number of reported vulnerabilities is a misleading metric used to mislead the ignorant. Some vulnerabilities are theoretical that could never be exploited. Some can get exploited in a thousand different ways. Also the security policies of the underlying system(be it VM or OS) also have an effect on how exploitable vulnerabilities are. This is why OSX has no exploits in the wild and why Windows gets raped on a daily basis and usually without needing user intervention.
Joomla, Wordpress and Drupal: Open source at it's finest.
How can you compare Os and simple web apps ?
This is a great indicator of PHP's increasing popularity.
Not so much. I'm assuming the "critical security problems" this article talks about are in _shipped_ software. While the eyeballs theory certainly applies to shipped software as well, it also applies to software as it is being developed and before it ships. I'm sure many security vulnerabilities are eliminated in free/open source software _before_ it ships due to the eyeballs theory. In other words: 1) developer checks code into version control 2) other developers review this code 3) potential security problems are found 4) potential security problems are fixed 5) software ships. Obviously proprietary software can have code reviews before shipping as well but the point is that _anyone_ can choose to review free/open source software before it ships. But, your article is only talking about those vulnerabilities that are found _after_ shipping, not the vulnerabilities that were found and never shipped. I'm sure proprietary software vendors will never report these vulnerabilities so they can't even be compared to their free/open source counterparts.