December 17, 2009 3:07 PM PST

Firefox, Adobe top buggiest-software list

by Elinor Mills

Firefox was the application that had the most reported vulnerabilities this year, while holes in Adobe Reader more than tripled from a year ago, according to statistics compiled by Qualys, a vulnerability management provider.

Qualys tallied 102 vulnerabilities that were found in Firefox this year, up from 90 last year. The numbers are based on running totals in the National Vulnerability Database.

However, the high number of Firefox vulnerabilities doesn't necessarily mean the Web browser actually has the most bugs; it just means it has the most reported holes. Because the software is open source, all holes are publicly disclosed, whereas proprietary software makers, like Adobe and Microsoft, typically only publicly disclose holes that were found by researchers outside the company, and not ones discovered internally, Qualys Chief Technology Officer Wolfgang Kandek said late on Wednesday.

Meanwhile, Adobe took the second place spot from Microsoft this year. The number of vulnerabilities in Adobe Reader rose from 14 last year to 45 this year, while those in Microsoft Office dropped from 44 to 41, according to Qualys. Internet Explorer had 30 vulnerabilities.

A shift in focus
The numbers illustrate the trend of attackers turning their focus away from operating systems and toward applications, Kandek said.

"Operating systems have become more stable and harder to attack and that's why attackers are migrating to applications," he said. "Adobe is a huge focus for attacks now, around 10 times more than Microsoft Office. However, other widely used targets like Internet Explorer and Firefox are still far from secure."

Research from F-Secure earlier this year provides further evidence that holes in Adobe applications are being targeted more than Microsoft apps. During the first three months of 2009, F-Secure discovered 663 targeted attack files, the most popular type being PDFs at nearly 50 percent, followed by Microsoft Word at nearly 40 percent, Excel at 7 percent, and PowerPoint at 4.5 percent.

That compared with Word representing nearly 35 percent of all 1,968 targeted attacks in 2008, followed by Reader at more than 28 percent, Excel at nearly 20 percent, and PowerPoint at nearly 17 percent.

As a result, Adobe needs to respond the way Microsoft did in 2002 when it launched its Trustworthy Computing initiative, and make securing its software a company-wide priority, researchers say. F-Secure even recommended that people stop using Reader and use an alternative PDF reader.

Adobe has taken some action, announcing in May that it would release its security updates on a regular schedule, quarterly and coinciding with every third Microsoft Patch Tuesday.

Another study released this week focuses on which applications are the riskiest to users. Based on the most severe vulnerabilities in popular applications that run on Windows and which are not updated automatically, Firefox again tops the list, followed by Adobe Reader and Apple QuickTime, according to Bit9, a provider of application whitelisting technology.

The list of risky software compiled by Bit9 based on the National Vulnerability Database also includes Java, Flash Player, Safari, Shockwave, Acrobat, Opera, Real Player, and Trillian. Last year, the Bit9 list of the most risky apps included Skype, Yahoo IM, and AOL IM, but those three were not on this year's list.

Not included on the list are programs from Microsoft and Google because of the ability for users of their software to have patches installed automatically. Microsoft software can be automatically and centrally updated via the Microsoft Systems Management Server and Windows Server Update Services, and Google Chrome is automatically updated when users are on the Internet, Bit9 said.
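The two tallies above (Qualys counting NVD entries per product per year, and Bit9 ranking only severe vulnerabilities in applications that are not updated automatically) are simple to reproduce, and writing them out makes the caveats visible. The following is an added example, not code from Qualys, Bit9 or the NVD. It operates on a handful of constructed records in an NVD-like shape (the `sample-N` identifiers, products, scores and dates are made up for illustration and are not real CVEs), and the `AUTO_UPDATED` set is an assumption about which products a given environment patches without user action.

```python
"""Reproduce two vulnerability-count methodologies on constructed data.

Added example; the records below are invented and NOT real NVD entries.
"""
from collections import Counter
from datetime import date

# Constructed NVD-like records (fake ids, products, scores, dates).
# "patched" is None when no fix has shipped as of the date of analysis.
RECORDS = [
    {"id": "sample-1", "product": "Firefox",          "published": date(2009, 2, 10), "cvss": 9.3, "patched": date(2009, 2, 10)},
    {"id": "sample-2", "product": "Firefox",          "published": date(2009, 6, 15), "cvss": 4.3, "patched": date(2009, 6, 15)},
    {"id": "sample-3", "product": "Firefox",          "published": date(2009, 9, 1),  "cvss": 9.3, "patched": date(2009, 9, 1)},
    {"id": "sample-4", "product": "Adobe Reader",     "published": date(2009, 2, 19), "cvss": 9.3, "patched": date(2009, 3, 10)},
    {"id": "sample-5", "product": "Adobe Reader",     "published": date(2009, 12, 15), "cvss": 9.3, "patched": None},
    {"id": "sample-6", "product": "Microsoft Office", "published": date(2009, 4, 14), "cvss": 9.3, "patched": date(2009, 4, 14)},
    {"id": "sample-7", "product": "Chrome",           "published": date(2009, 5, 5),  "cvss": 9.3, "patched": date(2009, 5, 6)},
    {"id": "sample-8", "product": "Firefox",          "published": date(2008, 11, 12), "cvss": 9.3, "patched": date(2008, 11, 12)},
]

# Assumption for this example: products that update themselves without user
# action, which the Bit9-style ranking excludes entirely.
AUTO_UPDATED = {"Chrome"}


def count_by_product(records, year):
    """Qualys-style: raw number of published records per product in a year.

    This counts *reports*, not bugs. A vendor that publishes every internally
    found fix (typical for open source) will look worse than one that only
    publishes externally reported holes, even with equal code quality.
    """
    return Counter(r["product"] for r in records if r["published"].year == year)


def risk_ranking(records, year, min_cvss=7.0, auto_updated=AUTO_UPDATED):
    """Bit9-style: only severe records, and only for products the user must
    patch by hand. Returns (product, count) pairs, highest count first."""
    severe = Counter(
        r["product"]
        for r in records
        if r["published"].year == year
        and r["cvss"] >= min_cvss
        and r["product"] not in auto_updated
    )
    return severe.most_common()


def exposure_days(records, product, as_of):
    """What neither tally captures: days from public disclosure to a shipped
    fix. Unpatched records are measured up to `as_of` and flagged False."""
    result = []
    for r in records:
        if r["product"] != product:
            continue
        end = r["patched"] or as_of
        result.append((r["id"], (end - r["published"]).days, r["patched"] is not None))
    return result


if __name__ == "__main__":
    print("2009 raw counts:", count_by_product(RECORDS, 2009))
    print("2009 severe, manually patched:", risk_ranking(RECORDS, 2009))
    print("Adobe Reader exposure:", exposure_days(RECORDS, "Adobe Reader", date(2009, 12, 17)))
```

On this constructed data Firefox leads the raw count because a low-severity record is counted alongside critical ones; the severity filter drops it, Chrome vanishes from the risk ranking only because it is auto-updated, and `exposure_days` is the only measure that reveals the record left open for weeks. None of the three functions can see internally found bugs that were never published, which is the limitation the article's Qualys quote describes.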

The lists do not take into account the amount of time it takes for companies to release patches, particularly when there is an exploit in the wild. Bit9 noted that Microsoft Internet Explorer was given an "honorable mention" because of a zero-day vulnerability related to ActiveX that went unpatched for three weeks in July.

Microsoft isn't alone in taking longer than customers would like to fix holes. In March, Adobe released a patch for a zero-day vulnerability in Reader and Acrobat, about two weeks after it was disclosed to users and nearly two months after exploits had been discovered in the wild.

Adobe customers will have to wait about a month for a fix to the latest critical zero-day hole in Reader and Acrobat. The company announced on Wednesday it would not patch the vulnerability until its next scheduled quarterly security update release on January 12.

Updated December 21: to clarify in paragraphs one and four that Adobe Reader specifically is ranked second in vulnerabilities, followed by Microsoft Office, and that Internet Explorer alone had 30 vulnerabilities.

Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service, and the Associated Press.
Showing 1 of 3 pages (85 Comments)
by n3td3v December 17, 2009 3:41 PM PST
As I said previously http://news.cnet.com/8618-27080_3-10415438.html?communityId=2134&targetCommunityId=2134&blogId=245&messageId=8799872&tag=mncol;tback , third party plugins are the big target for 2010 for hackers as web browsers become more secure, hackers are increasingly looking at the plugins associated with web browsers to find vulnerabilities and to exploit. Including Adobe.

Adobe should be worried, they are becoming the new Microsoft in terms of being targeted by hackers, and will become as big a target for hackers as Microsoft previously was between 1999 and 2009.

The next century will slacken off for Microsoft as security researcher activity draws attention to the big third party plugin providers as the next-big-thing.

Why is Firefox targeted? It supports plugins. Simple.

This is all about plugins; it isn't a coincidence that Firefox and Adobe are being mentioned in the same sentence.

Plugins are the big word in security circles for 2010 and beyond, and everything and everyone associated with them.
Reply to this comment 6 people like this comment
by santuccie December 20, 2009 5:25 PM PST
As far as attack vectors go, you may very well be right. But Microsoft and its competitors (including Apple, since MS leapfrogged them in security) aren't just focusing on vectors anymore; they're focusing on attack surfaces as well. Of course Windows was the least secure of all operating systems prior to Vista, as XP was released before there was any such thing as drive-by downloads. Back then, Microsoft's objective was compatibility. Now that criminal hackers have discovered how to circumvent the SPI firewall by planting code on trafficked Web pages, and realized that they could save immeasurable quantities of time and reach even more machines by attacking servers rather than individual end computers; Microsoft had to address the problem with XP's successor, sacrificing a bit of compatibility for the sake of security. The sacrifice is well worth it, however, for those who can update or find alternatives to the applications that no longer work.

The threat landscape has since reverted to social engineering attacks (for Vista and W7 users), although some criminals are now taking advantage of popups to trick more people than they ever could bundling Trojans into app installers and media. They say there's a sucker born every minute, and a lot of people can be suckered into installing a "codec" to view a streaming video, or downloading a supposed "antivirus" product when "Windows" throws up an alert and tells them that their machine is infected. But times are a whole lot better for average Windows users than they were between 2004 and 2006, as MS has stepped up to the plate and more users are wising up to the bad guys' tricks. Microsoft will continue to patch their own vulnerabilities, while Mozilla and Adobe continue to patch theirs. Fortunately, because of the layers upon layers of mitigations in the latest operating systems (and especially the 64-bit versions), there's more to attacking a PC these days than simply finding a vulnerability. You still have to find a way to reliably exploit it without user intervention, and criminals have failed to do so thus far. Cheers!
1 person likes this comment
by krosafcheg December 22, 2009 9:47 AM PST
@santuccie

"XP was released before there was any such thing as drive-by downloads."

Not really true, there have been drive-by downloads ever since ActiveX (amongst other browser extensions and plugins) has been around. I vividly recall cleaning spyware off of Win2K and even NT4 machines back in the early 90's where users were granted Local Admin privileges.
by santuccie December 22, 2009 11:11 AM PST
Hi krosafcheg,

Thank you for this information. I think the mistake I made may have been related to the fact that a majority of such exploits were confined to dodgy Web sites back then, such as porn sites. More recently, hackers have exploited legitimate sites to save time building their own, all the while enjoying the sites' established traffic flow. It used to be simple enough to tell users to observe "safe surfing habits." This isn't the case anymore, at least not on XP.
by ppcp2006 December 17, 2009 3:48 PM PST
test
Reply to this comment 5 people like this comment
by Lerianis4 December 17, 2009 3:52 PM PST
Every software is going to have holes in it... that is the bottom line here. At least Mozilla is honest about saying "Yes, our software has holes... we are trying to fix them!" unlike Microsoft (one of the things I dislike about Microsoft to be blunt).
Reply to this comment 1 person likes this comment
by T_Hoff December 17, 2009 4:20 PM PST
Microsoft provides regular security updates ("Patch Tuesday"), as well as hotfixes when warranted. How do you construe that as Microsoft taking the position that their software doesn't have any holes?
8 people like this comment
by n3td3v December 17, 2009 4:31 PM PST
@T_Hoff

Sure there is a Patch Tuesday every month although the vulnerabilities patched can be months or even years old. It is my conspiracy theory that vulnerabilities aren't patched straight away because they are given to law enforcement to use.

The only time a newly reported vulnerability is patched straight away in an out-of-band patch is when national cyber security is at risk.

You'll rarely see any Patch Tuesday patching newly found bugs, you've got to ask yourself why the delay, is it just because of a queue and priority reasons or is Microsoft giving a window of opportunity for law enforcement to gather evidence against criminals?
1 person likes this comment
by sasquatch3 December 17, 2009 5:07 PM PST
MS admits that their software has holes

they don't fix them as timely as I would like, but I'm sure they do work on patches and release them when they are finished (and not delay and cooperate with the government)
2 people like this comment
by monkeyfun14 December 17, 2009 5:08 PM PST
@n3td3v

Honestly? How do you patch a hole that you don't know exists? If they all knew the holes existed in the products they wouldn't ship the god damn things in the first place.
4 people like this comment
by n3td3v December 17, 2009 5:51 PM PST
@sasquatch3

"not delay and cooperate with the government"

Probably not, but in this day and age nothing would surprise me.

I mean I think using the words "national security" then the government can request Microsoft give them vulnerabilities and delay the patching, all can be done in secret and Microsoft or anyone else gagged from talking about the agreement for "national security reasons", even though the folks computers they break into with the vulnerabilities Microsoft by law has to give them are not terrorists or a national security item, they are mostly suspected criminals or known criminals.

It's another way of how laws designed for national security reasons are now being used and abused by law enforcement to investigate suspected criminals NOT terrorists.
2 people like this comment
by AOTSfan1 December 18, 2009 7:14 PM PST
@ m3tf3v - Microsoft is a bit slow due to having a very diverse set of compatible hardware to test their patches against, and an even wider set of software to try not to break with said patch. As for law enforcement, a search warrant and physical access to the machine might be a bit easier.
2 people like this comment
by Teako December 19, 2009 11:08 AM PST
Conspiracy theorists have a problem when they make assertions without evidence.
1 person likes this comment
by jjesusfreak01 December 17, 2009 3:55 PM PST
If it weren't for the fact that it works better than alternatives with Chrome, I would have dumped Adobe a year ago. Their latest version is bloated to the moon.
Reply to this comment
by siouxmoux December 17, 2009 4:12 PM PST
102 vulnerabilities that were found in Firefox this year, up from 90 last Year. Wow Firefox Browser been around that long??
Reply to this comment
by dhavleak December 17, 2009 4:43 PM PST
Where have you been? Firefox is perhaps over 6 years now (counting Phoenix -- which is what FF was called before it was called FF).
1 person likes this comment
by n3td3v December 17, 2009 4:46 PM PST
@dhavleak

It was called Firebird as well before it was Firefox, hehehe
by linuxroadwarrior December 18, 2009 8:17 AM PST
Heh... I'd bet 2/3 of it were plugins. Wouldn't surprise me...
1 person likes this comment
by verdyp December 18, 2009 5:06 PM PST
Note that Google Chrome 4.0 will allow custom plugins. This will open the door to many of them, including popular ones that have poor security, but that people like because of their "cute" look and feel.
This will be the paradise for a lot new custom toolbars and lots of problems.
We have at least as many problems with custom plugins in ALL browsers.
Instead of blaming browsers, it's high time to criticize the poor quality of most of these plugins (custom toolbars, and specific helpers for various popular websites are the worst! but there are also the custom tools promoted by free products that violate your privacy: 'Yahoo!' is probably the worst in this game of who will jeopardize your PC and monitor everything you do on your PC, as it does not even evaluate and revoke the usage rights from many third parties that are customizing the Yahoo toolbar for their own promotion and to gain some pennies from ads or for modifying the content of results displayed in your favorite search engine, just to force you to adopt very insecure programs that will just steal your money)
by Yelonde December 17, 2009 5:03 PM PST
Indeed, adobe products are getting more bloated all the time.

For example, Macromedia Flash 8 was extremely efficient on old hardware, requiring only 128 MB of ram. CS3, released two years later (with marginal improvements) demanded half a gig of ram. Why? As far as I am concerned, the only differences between flash CS3 and Flash 8 were actionscript 3, but that was it.

Software bloat, FTL.
Reply to this comment 2 people like this comment
by sasquatch3 December 17, 2009 5:08 PM PST
I bet every consumer computer out there has Adobe Flash. Its the new Windows, find a flash hole and you can use it on most computers in the world.
Reply to this comment
by rocan1979 December 17, 2009 5:17 PM PST
Adobe has gone downhill over the years, they need to stop buying software and iron out the stuff they have. I am waiting for them to merge with Autodesk .then we are all doomed. :)
Reply to this comment 3 people like this comment
by December 20, 2009 7:35 AM PST
I agree, if my browser or machine hangs or crashes more often than not it's due to some Adobe product. Nothing is more likely to kill my browser than trying to view a PDF file.
1 person likes this comment
by Phillerr December 17, 2009 6:07 PM PST
Mac OS X is full of holes, iPhone is not spared at all. Where are those numbers?
Reply to this comment 8 people like this comment
by sciontcya December 17, 2009 6:37 PM PST
In your imagination, Windows troll.
4 people like this comment
by Vegaman_Dan December 17, 2009 7:18 PM PST
I don't think the story really was including operating systems, only applications.
6 people like this comment
by Renegade Knight December 17, 2009 7:31 PM PST
With the small market share of OSX, apparently nobody has bothered to figure it out. The holes are there though.
9 people like this comment
by Joe M December 18, 2009 9:43 AM PST
Full of holes? Name some. Windows fanbois have been saying that for years, and never cite examples.
4 people like this comment
by Motyoj December 18, 2009 2:39 PM PST
Yesh, what are the holes of which you speak? Please enlighten us.
3 people like this comment
by lvcsslacker December 18, 2009 5:18 PM PST
To be fair, there are a few holes in OSX. But they aren't focused on. The iPhone on the other hand... that's got a few more in there. It has to deal with the saturation of a product in a market to see who or what is going to be manipulated.
by rsrupert1972 December 18, 2009 5:26 PM PST
I'm really surprised that there aren't more viruses, exploits, etc out in the wild for macs. Since mac takes the stance that people cannot think for themselves, and takes a lot of your choices away from you that other os's give you, it's perfect for 'point and click' drive bys!!!
1 person likes this comment
by djames42 December 19, 2009 9:54 PM PST
"Since mac takes the stance that people cannot think for themselves, and takes a lot of your choices away from you that other os's give you, it's perfect for 'point and click' drive bys!!!"

Smugly spoken by someone who so clearly has no idea what they are talking about. Please define how choosing a more elegant and reliable system has reduced my choices? Can you change your shell? Can you automate and script tasks out of the box? Do you have access to thousands of open source programs developed for Unix? Can you develop your own tools out of the box? Can you become productive out of the box?

Mac [sic] (I believe you mean *Apple*) takes my choices away. Puhlese. Microsoft's entire mode of operation is to lock you into their ecosystem. ActiveX (requires IIS and IE). WMA, Silverlight... They were even threatened enough by Java that they modified their JVM in such a way that Java code written in the Windows environment would not run in other environments thereby canceling the "cross-platform" design of Java.

I'm sorry - but which of us has more choice? That one is just as ignorant as the belief that "there's no software available for the Mac." Other than games (an area in which I fully concede), I've never found a lack of applications. What I *have* found is a wealth of software that is, generally, far more well designed than what I see for Windows...
1 person likes this comment
by viper396 December 21, 2009 11:52 AM PST
@Joe M. An Apple fanboi going around calling others fanbois is probably the pinnacle of hypocrisy. You, like many other Apple users, live under an illusion of security thru obscurity.
With the power of the internet at your fingertips you could have easily looked up these examples yourself but, like many Apple users, you pretend problems don't exist.


http://support.apple.com/kb/HT1897
http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1167872,00.html#
http://www.macnn.com/articles/06/04/20/mac.os.x.security.holes/
http://www.reghardware.co.uk/2006/11/29/apple_patches_osx_security/
http://www.computerworld.com.au/article/127808/mac_os_x_riddled_security_holes/
http://www.accessmylibrary.com/coms2/summary_0286-24886364_ITM
http://blog.washingtonpost.com/securityfix/2008/05/apple_patches_40_security_hole_1.html?nav=rss_blog

...there are plenty more. If you took time away from these stupid Mac vs Windows debates to look them up...
1 person likes this comment
by Hernys December 17, 2009 6:34 PM PST
Uh. Microsoft makes about six hundred products, Adobe makes thirty and Firefox makes one. And this is a fair comparison how?
On a per-product basis Microsoft is probably #600, while Adobe is probably a few notches down from second place.
Firefox has no excuse.
Reply to this comment 3 people like this comment
by jr4412 December 18, 2009 6:44 AM PST
um, no.

Mozilla, makers of FireFox, offer other products too.
by xcrunnersoccer December 18, 2009 2:34 PM PST
And most of the exploits are browser plugins ... easy as heck to crack.
by viper396 December 21, 2009 12:06 PM PST
@Hernys, "Microsoft makes about six hundred products"


600 products? Care to name them? If you have to exaggerate details just to make an argument then you don't even have one. Everything you say is just worthless FUD at that point.

The list was about software products that people commonly use that are commonly exploited or buggy. The total number of products that Microsoft or Adobe make is irrelevant to the topic. Whether Adobe made dozens of products or just two, Adobe Reader would still have been at the top of this list.
2 people like this comment
by magicmaster December 17, 2009 6:52 PM PST
That's the strength Mozilla Firefox has: transparency and open source. You are always welcome to contribute by reporting bugs or fixing reported bugs.

proprietary software doesn't. You don't know what bugs have been reported, whether they have fixed it and your own published fix may be subject to DMCA takedown notice. I even doubt that bugs are intentionally left unfixed so they can extort customers to upgrade it to get the bugs fixed.
Reply to this comment 1 person likes this comment
by monkeyfun14 December 17, 2009 7:57 PM PST
Oh im sure.....

When has that been done? When has a bug been reported and not been fixed in one version but fixed in the others?
2 people like this comment
by Marshall_Am December 17, 2009 7:37 PM PST
Clearly, they didn't review ESRI's software. They make high-profile software for GIS analysis, used by governments and big business around the world, and it's so buggy you have to be an expert to know where all the bugs are, so you can actually use it and expect to get something done.
Reply to this comment 2 people like this comment
by rranger1 December 18, 2009 5:45 AM PST
@Marshall_Am, I couldn't agree more. ArcView is absolute junk which, because it's just about the only game in town for what it does, ESRI is able to charge absolutely extortive amounts for on a per-license basis. But, given that it's pretty esoteric, I doubt many hackers would focus on it.
1 person likes this comment
by dexter_birdbrain December 18, 2009 2:07 AM PST
I actually prefer that Firefox does not automatically update itself and asks me what to do instead. I have to pay for every MB that I download. If I were to use Google Chrome I would lose quite a good amount of money considering the number of builds that are released and downloaded as updates automatically!

The article was very unbiased but Firefox can do without <b> this </b> kind of publicity.
Gave up on Adobe Acrobat long time ago and moved to Foxit which is extremely lightweight in comparison.
Reply to this comment
by dimensionless99 December 18, 2009 6:53 AM PST
Just curious here... what kind of ISP makes you pay per MB? Most common services have a download cap, sure, but per MB? Do you live in some remote place and use satellite? I pay 30$ a month and get unlimited bandwidth.
by xcrunnersoccer December 18, 2009 2:36 PM PST
yeah what ISP? and CNET doesn't accept HTML in their comments forms so you can't format the text ... no bolding
by viper396 December 21, 2009 12:19 PM PST
Paying for every MB? I smell FUD conveniently made up just so dexter_birdbrain can have something to debate about. Would someone paying per MB really be wasting his bandwidth posting comments to CNET?
by Daniel_1515 December 18, 2009 2:25 AM PST
"The list of risky software compiled by Bit9 based on the National Vulnerability Database also includes Java, Flash Player, Safari, Shockwave, Acrobat, Opera, Real Player, and Trillian."

Opera? Seriously? Opera's one of the most secure web browsers. Version 10 onwards has an automatic updater, too.
Reply to this comment
by rsrupert1972 December 18, 2009 5:29 PM PST
secure because it has so little market share, it's not profitable/noticable enough for someone to write an exploit for it
1 person likes this comment
by alan_06 December 18, 2009 4:10 AM PST
More features you add, more vulnerable to bugs. FireFox is bloated now.
Reply to this comment 1 person likes this comment
by xaris777 December 18, 2009 5:54 AM PST
I have been a huge fan of Firefox until recently. In the last month, I have given up on it completely. And, yes, I am embarrassed to admit it but I am now using IE 8 exclusively. Over the last year Firefox has become increasingly unstable on all the computers I use whether running XP, Vista or Windows 7. I have found that often after FF updated itself it would get buggy until I downloaded and reinstalled it. On one of our XP Pro machines when you typed a search string into the Google search box and hit enter, FF just disappears.
Reply to this comment 1 person likes this comment
by linuxroadwarrior December 18, 2009 8:21 AM PST
... you got to be kidding me. I use Firefox as my ONLY browser. In my tests, it beats IE, and is barely slower than Chrome. Firefox has been rock solid on all the computers I use, which include a Vista and XP.
2 people like this comment
by AOTSfan1 December 18, 2009 7:22 PM PST
Don't be embarrassed, IE8 is not a bad browser but it's not a good browser either.
by stockyjoe December 18, 2009 9:46 PM PST
IE8 is actually pretty secure, but if you really want the better alternative to Firefox, I'd choose chrome. Man is it fast and responsive.
by AbbydonKrafts December 18, 2009 6:48 AM PST
Read it carefully, everyone. I'm seeing many comments attacking Firefox for being a one-product thing and Microsoft having "hundreds". Read it again and again, including the article.

1. Firefox is completely open source. Every single bug, be it a security risk, quirk or what have you, is listed in the ticket queue. Each ticket has an explanation. Why so many details? Open source contributors can jump in, see it all, and submit fixes. Likewise, since the source is out there, everyone is welcome to run through it and find flaws -- and then create tickets for them. So, it just keeps going.

Combine that will the user-demand for extensions/add-ons, and the capability for exploits grows. Chrome was more secure because it didn't allow third-party modification. However, even it is now allowing extensions (albeit without toolbars). Any application that allows third-party software add-ons will have related exploits. So, those will have to be continuously addressed.

2. Microsoft is closed-source. Many times their patches are the result of 3rd party finds. Microsoft will not announce any vulnerabilities ahead of time in order to prevent attacks/exploits ahead of the patch. When they do release the patch, the details are usually vague and just say something along the lines of "resolves a vulnerability that would allow a third-party to gain control of your computer". The online details don't say much more, either. I know I've had hundreds of patches come through with that description.

3. Adobe likes to create bloatware, so all of their stuff is bound to have flaws.
- The Reader has always taken too long to load even for a plain-text PDF. Unfortunately, I need it for company use. At home, it's FoxIt Reader all the way. It's a very lightweight alternative for just viewing and printing PDF files.
- Flash has gotten bad, too. It's as if Adobe's purchase of Macromedia resulted in less attention being paid to Flash. There have been bad memory leaks in it for years, but they won't fix it.
- I could say more about other bought, absorbed, etc, products, but you get the idea.

So basically.. open-source is likely to have "more" vulnerabilities simply due to the availability of the source for review and transparency on the ticket queue, whereas closed-source vulnerabilities require either the developer or a third-party to make anyone aware.
Reply to this comment 7 people like this comment
by Carlo Mason December 18, 2009 10:59 AM PST
It is unfortunate that there is no stated qualification for this review. I take the point that someone in an earlier post said about it being about applications, and not operating systems, but there was clearly no talk of applications running on Mac OS X. I happen to run OS X, and while I love it and will never go back to Microsoft, I have to admit that I have heard of, or read about, bugs and holes and security vulnerabilities, which have had to be patched.

Now, some of these are on Adobe products, for example, but there are others, such as Apple Mail, and even iPhoto, that have had security breaches/vulnerability at some stage of the game. I would love to have had a more comprehensive view of the market out there.

I will see what transpires based on the reading of all of the posts to this article.

All in all though, a fairly solid piece.
by Kasar99 December 21, 2009 5:39 PM PST
Flash is the 0-day exploit engine of choice these days.
It's garbage, but it's easy to make shiny things in, so it's still popular.
by Joe M December 18, 2009 9:54 AM PST
Are these statistics constrained to the a single platform (Windows)? Does Firefox fare better on Linux than on Windows? Does Word fare better on OS X? Might be some holes in the article as well.
Reply to this comment 1 person likes this comment
by Phx01 December 18, 2009 10:08 AM PST
I wonder what the amount of (published) bugs has to do with the quality of the software. The way I understand is that it is the severity which counts and whether a fix has been issued to plug it and how long it took after it had been found.

If those people who in their free time have nothing better to do than count those bugs, create statistics from it and publish it afterwards would also count the bug fixes and subtract them from the total of bugs, then we have a more realistic number in terms of bugs in a software (existing ones anyway).

And if one wants to make statistics of the duration of the bugs (to determine how long a software has been exposed from the finding to the fix), they should consider adding the time next to the severity and not bluntly count bugs.

Don't believe any statistics you haven't falsified yourself. ;-)
Reply to this comment 1 person likes this comment
by verdyp December 18, 2009 4:57 PM PST
Yes, the effective duration of open bugs (including the time where it was not publicly disclosed officially) would be much more fair : instead of summing the number of bugs, classify them by severity type, and then sum the number of days for each bug before resolution (an effective resolution is not just the publication of a possible workaround, but the effective delivery of an update that can be automated or that will be part of the default installation of the program newly installed).

And in fact I still don't understand why you can still install new programs that are not automatically updated with the known fixes, even when you have downloaded or bought these softwares directly from their original maker.
And why can we buy new PCs that will not first update their preinstalled OS before use? It can take many hours before a preinstalled Windows gets fully updated, but it takes minutes for attackers to compromise it!

New PCs should also come with an already activated security suite (even if its licence will be temporary and provided only for evaluation): it should work for a reasonable time allowing people to effectively choose the security suite they will really want (or that they already have bought and can install before uninstalling the default one). I think that too many PCs are compromised in their early use, when the system is not completely fixed and up-to-date: this time window is excessive.

And it's high time that Windows comes preinstalled with a immediately working VirtualPC environment for evaluating new softwares. In fact all OSes should now become virtualized allowing people to take stable system snapshots and creating new ones for evaluating new softwares in the safe "sandbox" of the virtual machine; if this machine bugs, just drop it and the evaluation it contains. You'll have lost nothing.

Consider also other virtualization softwares : VirtualPC is not the only option, and VirtualBox (from Sun) is probably much better. We really hope that virtualization softwares will have their performance increased (for now they still lack a decent and fast integration for graphics and sounds, notably for trying games and media players).

Consider integrating also in OSes things like what "Plan9" has proposed for a long time: each piece of software (including drivers) works in its own environment and works only with the resources that it really needs; none of them are allowed full access to the machine and all that it contains, so there's no risk for them to corrupt unrelated areas of the system or existing files. Everything is virtualized, and because of that the number of interactions between independent pieces of software working as "black boxes" is strictly limited to the list of tested interfaces they propose. All of them can be updated independently: we really need more modular OSes, also because it will simplify their deployment a lot, and the reduction of dependencies will also allow them to run with much higher performance, with fewer untested paths.
1 person likes this comment
by Lordcron December 18, 2009 1:46 PM PST
I really don't like the fact that FireFox gets this kind of press for being honest. When other companies hide what bugs they find for the most part, Mozilla reports them all. It's really the best browser on the market right now. A browser being a fraction of a second faster doesn't make it better.

If I could show people the different configurations I have from the Addons. Every time I show people my Firefox they're amazed! You simply don't get this kind of customization from any other browser.
Reply to this comment 5 people like this comment
About InSecurity Complex

Elinor Mills became fascinated with hacker culture when she was sent to Las Vegas to cover DefCon in 1995. Since then, script kiddies have given way to cyber criminals targeting bank passwords, and privacy risks are everywhere, from Google to Facebook and the iPhone. InSecurity Complex keeps tabs on the flaws, the foibles, and the fixes.