

Name Game
Premium
join:2002-07-07
Grand Rapids, MI
kudos:7

Windows XP and Firefox take 25-year lead in security flaws

In a look at the number of vulnerabilities recorded over 25 years in software products and open source, a researcher at Sourcefire has determined that Microsoft Windows XP and the Mozilla Firefox browser stand out as the two with the largest number of high-severity vulnerabilities.

Windows XP has had 453 while Firefox has had 433 vulnerabilities rated high and critical based on the Common Vulnerabilities and Exposures (CVE) database and the second source for the statistics, the National Vulnerability Database from the National Institute of Standards and Technology (NIST). High-severity vulnerabilities mean attackers can potentially fully compromise the user's machine. The total number of vulnerabilities for all the products and open-source software that has accumulated over 25 years has hit 50,000, according to Sourcefire, which is discussing the results of its research at the RSA Conference this week.

»www.pcworld.com/article/2029328/···aws.html
--
Gladiator Security Forum
»www.gladiator-antivirus.com/

BlitzenZeus
Burnt Out Cynic
Premium
join:2000-01-13
kudos:3

Re: Windows XP and Firefox take 25-year lead in security flaws

I remember when Firefox aka Phoenix aka Firebird first came out. It was so nice not being forced to disable scripting and plugins on all websites by default due to open vulnerabilities in IE which were very slow to be patched, and were exposed on systems with IE at default settings like most people. At least Mozilla doesn't tend to hide behind closed source to sweep bugs under the rug like I know Microsoft does, sometimes under NDA until it's apparent to the world they sat on this egg the entire time.

Microsoft has been a popular target for decades now, most popular consumer os, and run servers also.

Just to point it out Apple is a close second on that list.

quote:
According to the report's analysis, the "ten worst offenders" from top down were: Microsoft, Apple, Oracle, IBM, Sun (acquired by Oracle), Cisco, Mozilla, Linux, HP, and Adobe. In terms of limiting the rankings to just high-severity vulnerabilities
Notably the iPhone/etc are the most critically attacked smartphones, and yet the users even want to "jailbreak" their phone away from Apple's control, however it's still no less than exploiting iOS to gain root to run unsigned code.
--
I distrust those people who know so well what god wants them to do because I notice it always coincides with their own desires- Susan B. Anthony
Yesterday we obeyed kings, and bent our necks before emperors. But today we kneel only to the truth- Kahlil G.

MrFixit1

join:1999-11-26
Madison, WI
reply to Name Game
Man I just "love" articles like that.
How about linking to the original data or report rather than just saying "this is what they said, but you as a reader are too stupid to understand the data so I will tell you what to think".
Minor rant over, here is a link to the teaser for the RSA seminar on the subject. Gives a lot more info.
»ae.rsaconference.com/US13/connec···-F41.pdf


Name Game
Premium
join:2002-07-07
Grand Rapids, MI
kudos:7
Not worth the time to play with that PDF 2.2Meg of slides


Blackbird
Built for Speed
Premium
join:2005-01-14
Fort Wayne, IN
kudos:3
Reviews:
·Frontier Communi..

4 recommendations

reply to Name Game
And in other news:
quote:
United States takes 25-year lead in traffic deaths -- In a look at the number of traffic deaths recorded over 25 years in automobiles and trucks, researchers have determined that the United States stands out as the nation with the largest number of traffic deaths.
Which, of course, means almost nothing. What might really matter, especially for comparison or evaluation purposes, would be deaths per driving-hour, deaths per vehicle-owned, deaths per mile-driven, deaths per population-unit, deaths per mile-of-highways, etc, etc. A simple cumulative statistic that isn't normalized with respect to something else has almost no information value... it's just a free-floating piece of numerical flotsam.
--
“The American Republic will endure until the day Congress discovers that it can bribe the public with the public's money.” A. de Tocqueville


Name Game
Premium
join:2002-07-07
Grand Rapids, MI
kudos:7

1 recommendation

Not almost nothing..it is free-floating fiction nothing. What really matters is

»health.usnews.com/health-news/ne···es-study

The PDF contained a flock of pie charts used by intelligent people who give stage presentations, while most of the audience tweets or sleeps (that is why they dim the lights). I tend to sit in the back row and make my own charts grounded in facts.
--
Gladiator Security Forum
»www.gladiator-antivirus.com/


Blackbird
Built for Speed
Premium
join:2005-01-14
Fort Wayne, IN
kudos:3
Reviews:
·Frontier Communi..
said by Name Game:

Not almost nothing..it is free-floating fiction nothing. ...

Actually, I'll stick with "almost nothing". While it has no meaning in its pretended arena, it does mean the authors don't understand the nature of meaningful statistical evidence, are disingenuous, have an underlying agenda, or all three.
--
“The American Republic will endure until the day Congress discovers that it can bribe the public with the public's money.” A. de Tocqueville


StuartMW
Who Is John Galt?
Premium
join:2000-08-06
Galt's Gulch
kudos:2
Ahhh, lies, damn lies and statistics


Name Game
Premium
join:2002-07-07
Grand Rapids, MI
kudos:7

1 edit
reply to Blackbird
Nevertheless the author of that article was not alone in reviewing the actual information and after 10AM tomorrow you too can see more than just the slide presentation.

»www.darkreading.com/vulnerabilit···ies.html

Younan counted just the high-severity vulnerabilities, those with a Common Vulnerability Scoring System (CVSS) score of 7 or higher. Windows XP tops that list. "Windows Vista is at the number five position, even though Microsoft put a lot of effort into securing Windows Vista," he said.

»www.cso.com.au/article/454645/vu···nux_bad/

25 Years of Vulnerabilities: 1988-2012
»info.sourcefire.com/25yearsof_se···ter.html

Yves Younan is a Senior Research Engineer at the Vulnerability Research Team at Sourcefire.
»www.fort-knox.org/

»ae.rsaconference.com/US13/connec···_ID=3323
San Francisco

BR-F41 - 25 Years of Vulnerabilities: 1988-2012

Speaker(s):
Yves Younan - Senior Research Engineer in the Vulnerability Research Team (VRT), Sourcefire, Inc.

To be released exclusively at RSA Conference: Yves Younan will discuss his analysis of the last 25 years of vulnerability data available through CVE and the NVD from NIST, taking a historical look at vulnerabilities over the years. Some of the results were surprising. Find out the most important type of vulnerability and what percentage total vulnerabilities this represents, as well as which products truly had the most vulnerabilities during this time period, which vendor has had to address the most vulnerabilities and which browser has had more critical vulnerabilities than any other.

»ae.rsaconference.com/US13/connec···ss=popup
--
Gladiator Security Forum
»www.gladiator-antivirus.com/


Link Logger
Premium,MVM
join:2001-03-29
Calgary, AB
kudos:3
reply to Name Game

Re: Windows XP and Firefox take 25-year lead in security flaws

Hmmmmmm one is a full featured OS and the other is just an application, doesn't speak well for Mozilla.


NotTheMama
What Would Earl Do?

join:2012-12-06

1 recommendation

reply to Name Game
Kudos to the few companies that actually announce their security flaws as opposed to those trying to hide from the facts of life in the digital age.
--
"Face piles of trials with smiles; it riles them to believe that you perceive the web they weave."

dave
Premium,MVM
join:2000-05-04
not in ohio
kudos:8

1 recommendation

reply to Name Game

Re: Windows XP and Firefox take 25-year lead in security flaws

Some researcher needs to do a study on the inflationary use of the term "researcher" over the last 25 years.

HELLFIRE
Premium
join:2009-11-25
kudos:18
reply to Name Game
Here's a REAL comparison... what WinXP and Mozilla have had over the last 25 years... versus the bug patching-fest Java has been for the last 6 months. Who'd win? [/sarcasm]

+1 to StuartMW and dave's comments

Regards


therube

join:2004-11-11
Randallstown, MD
Reviews:
·Comcast
·Verizon Online DSL

2 recommendations

reply to Name Game
> Windows XP has had 453 while Firefox has had 433 vulnerabilities
> rated high and critical

To which I say, big deal.

Was XP ever designed to be "secure"?
It took them until when to even have a firewall, enabled, by default?

And Firefox, so what!
When was the last time someone was infected when running a Mozilla browser. Sure it happens. But few & far from memory are the reports I can remember. And when made aware, bugs are patched. Plugins (or extensions) you can't really blame on Mozilla (or at least less so).

> remember when

Oh in the Mozilla tree, something called "mozilla" aka "seamonkey" that pre-dated all those. (And then there was something called "Netscape" too.)

> "ten worst offenders" from top down were: Microsoft, Apple, Oracle,
> IBM, Sun (acquired by Oracle), Cisco, Mozilla, Linux, HP, and Adobe

Wonder if anyone could tell me the 10 most popular web facing apps? Like is it any wonder they're the ten worst.

> Windows Vista is at the number five position, even though Microsoft
> put a lot of effort into securing Windows Vista

Cough, cough.
And Win7 is virtually untouchable.
(Remembering a FF exploit, I thought that was a tough one for me. Man, Win7, being exploited, I'll have to resort to the archives to find anything on that.)

> doesn't speak well for Mozilla

Again, doesn't bother me one bit.
Glad to see that they actually do something for the better in getting things fixed. (And then they do plenty for the worse, many will say, & I'll kind of agree there too.)

Kearnstd
Space Elf
Premium
join:2002-01-22
Mullica Hill, NJ
kudos:1

1 recommendation

reply to Name Game
The main thing with Firefox is that it is not an integrated application. A big issue with IE and why so many system wide exploits happened with it is a lot to do with how tight it was with the windows OS itself.
--
[65 Arcanist]Filan(High Elf) Zone: Broadband Reports

OZO
Premium
join:2003-01-17
kudos:2
I agree with that point. IE should not be "part of Windows OS", as they made it. Lot of problems come with it.
--
Keep it simple, it'll become complex by itself...


StuartMW
Who Is John Galt?
Premium
join:2000-08-06
Galt's Gulch
kudos:2

3 edits

1 recommendation

reply to Kearnstd
said by Kearnstd:

A big issue with IE and why so many system wide exploits happened with it is a lot to do with how tight it was with the windows OS itself.

As I recall that started with Active Desktop on WinNT 4.0 and Win95.

I never liked the tight coupling between IE and the OS but presumably Microsoft saw it as a marketing advantage.

One thing I think many miss with Microsoft is that the target, for the most part, of their products is not IT professionals or other computer literate users. They aim their stuff at the "average user". That said one can argue that Apple has done a much better job of that.
--
Don't feed trolls--it only makes them grow!