Name Game
Premium Member
join:2002-07-07
Grand Rapids, MI

Windows XP and Firefox take 25-year lead in security flaws

In a look at the number of vulnerabilities recorded over 25 years in software products and open source, a researcher at Sourcefire has determined that Microsoft Windows XP and the Mozilla Firefox browser stand out as the two with the largest number of high-severity vulnerabilities.

Windows XP has had 453 while Firefox has had 433 vulnerabilities rated high and critical based on the Common Vulnerabilities and Exposures (CVE) database and the second source for the statistics, the National Vulnerability Database from the National Institute of Standards and Technology (NIST). High-severity vulnerabilities mean attackers can potentially fully compromise the user's machine. The total number of vulnerabilities for all the products and open-source software that has accumulated over 25 years has hit 50,000, according to Sourcefire, which is discussing the results of its research at the RSA Conference this week.

»www.pcworld.com/article/ ··· aws.html
BlitzenZeus
Burnt Out Cynic
Premium Member
join:2000-01-13

Re: Windows XP and Firefox take 25-year lead in security flaws

I remember when Firefox aka Phoenix aka Firebird first came out. It was so nice not being forced to disable scripting and plugins on all websites by default due to open vulnerabilities in IE which were very slow to be patched, and were exposed on systems with IE at default settings like most people. At least Mozilla doesn't tend to hide behind closed source to sweep bugs under the rug like I know Microsoft does, sometimes under NDA until it's apparent to the world they sat on this egg the entire time.

Microsoft has been a popular target for decades now: most popular consumer OS, and runs servers also.

Just to point it out Apple is a close second on that list.
quote:
According to the report's analysis, the "ten worst offenders" from top down were: Microsoft, Apple, Oracle, IBM, Sun (acquired by Oracle), Cisco, Mozilla, Linux, HP, and Adobe. In terms of limiting the rankings to just high-severity vulnerabilities
Notably the iPhone/etc. are the most critically attacked smartphones, and yet the users even want to "jailbreak" their phone away from Apple's control; however, it's still no less than exploiting iOS to gain root to run unsigned code.
MrFixit1
join:1999-11-26
Madison, WI

MrFixit1 to Name Game

Member

Man, I just "love" articles like that.
How about linking to the original data or report rather than just saying "this is what they said, but you as a reader are too stupid to understand the data so I will tell you what to think".
Minor rant over. Here is a link to the teaser for the RSA seminar on the subject; gives a lot more info.
»ae.rsaconference.com/US1 ··· -F41.pdf

Name Game
Premium Member
join:2002-07-07
Grand Rapids, MI

Not worth the time to play with that PDF, 2.2 Meg of slides.

Blackbird
Built for Speed
Premium Member
join:2005-01-14
Fort Wayne, IN

4 recommendations

Blackbird to Name Game

And in other news:
quote:
United States takes 25-year lead in traffic deaths -- In a look at the number of traffic deaths recorded over 25 years in automobiles and trucks, researchers have determined that the United States stands out as the nation with the largest number of traffic deaths.
Which, of course, means almost nothing. What might really matter, especially for comparison or evaluation purposes, would be deaths per driving-hour, deaths per vehicle-owned, deaths per mile-driven, deaths per population-unit, deaths per mile-of-highways, etc., etc. A simple cumulative statistic that isn't normalized with respect to something else has almost no information value... it's just a free-floating piece of numerical flotsam.

Name Game
Premium Member
join:2002-07-07
Grand Rapids, MI

1 recommendation

Not almost nothing... it is free-floating fiction nothing. What really matters is

»health.usnews.com/health ··· es-study

The PDF contained a flock of pie charts used by intelligent people who give stage presentations, while most of the audience tweets or sleeps (that is why they dim the lights). I tend to sit in the back row and make my own charts grounded in facts.

Blackbird
Built for Speed
Premium Member
join:2005-01-14
Fort Wayne, IN

said by Name Game:

Not almost nothing... it is free-floating fiction nothing. ...

Actually, I'll stick with "almost nothing". While it has no meaning in its pretended arena, it does mean the authors don't understand the nature of meaningful statistical evidence, are disingenuous, have an underlying agenda, or all three.

StuartMW
Premium Member
join:2000-08-06

Ahhh, lies, damn lies and statistics

Name Game
Premium Member
join:2002-07-07
Grand Rapids, MI

1 edit

Name Game to Blackbird

Nevertheless, the author of that article was not alone in reviewing the actual information, and after 10 AM tomorrow you too can see more than just the slide presentation.

»www.darkreading.com/vuln ··· ies.html

Younan counted just the high-severity vulnerabilities, those with a Common Vulnerability Scoring System (CVSS) score of 7 or higher. Windows XP tops that list. "Windows Vista is at the number five position, even though Microsoft put a lot of effort into securing Windows Vista," he said.

»www.cso.com.au/article/4 ··· nux_bad/

25 Years of Vulnerabilities: 1988-2012
»info.sourcefire.com/25ye ··· ter.html

Yves Younan is a Senior Research Engineer at the Vulnerability Research Team at Sourcefire.
»www.fort-knox.org/

»ae.rsaconference.com/US1 ··· _ID=3323
San Francisco

BR-F41 - 25 Years of Vulnerabilities: 1988-2012

Speaker(s):
Yves Younan - Senior Research Engineer in the Vulnerability Research Team (VRT), Sourcefire, Inc.

To be released exclusively at RSA Conference: Yves Younan will discuss his analysis of the last 25 years of vulnerability data available through CVE and the NVD from NIST, taking a historical look at vulnerabilities over the years. Some of the results were surprising. Find out the most important type of vulnerability and what percentage of total vulnerabilities this represents, as well as which products truly had the most vulnerabilities during this time period, which vendor has had to address the most vulnerabilities and which browser has had more critical vulnerabilities than any other.

»ae.rsaconference.com/US1 ··· ss=popup
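
As an added illustration of two points raised in this thread (this is example code, not from the thread, the PCWorld article or Sourcefire's study): the quoted threshold that "high severity" means a CVSS base score of 7 or higher, and Blackbird's objection earlier that a cumulative count with no denominator carries almost no information. The Python below counts high-severity records from constructed NVD-style JSON and then divides each product's count by a constructed number of years it has been tracked. The product names, CVE-style identifiers, scores and year figures are all made up for the example; what it shows is how the ranking flips once a denominator is introduced, and how a malformed record is dropped rather than miscounted.

```python
import json
from collections import Counter

# CVSS base scores of 7.0 and above are the "High" band (CVSS v2 bands:
# 0-3.9 Low, 4.0-6.9 Medium, 7.0-10.0 High); this matches the quoted article.
HIGH_SEVERITY_THRESHOLD = 7.0

# Constructed NVD-style records. The identifiers and scores are placeholders,
# not real CVEs. The last record is deliberately malformed to show it being skipped.
SAMPLE_NVD_JSON = """[
  {"id": "CVE-EXAMPLE-0001", "product": "ProductA", "cvss": 9.3},
  {"id": "CVE-EXAMPLE-0002", "product": "ProductA", "cvss": 7.0},
  {"id": "CVE-EXAMPLE-0003", "product": "ProductA", "cvss": 7.5},
  {"id": "CVE-EXAMPLE-0004", "product": "ProductA", "cvss": 10.0},
  {"id": "CVE-EXAMPLE-0005", "product": "ProductA", "cvss": 8.1},
  {"id": "CVE-EXAMPLE-0006", "product": "ProductA", "cvss": 7.2},
  {"id": "CVE-EXAMPLE-0007", "product": "ProductA", "cvss": 4.3},
  {"id": "CVE-EXAMPLE-0008", "product": "ProductA", "cvss": 6.9},
  {"id": "CVE-EXAMPLE-0009", "product": "ProductB", "cvss": 7.8},
  {"id": "CVE-EXAMPLE-0010", "product": "ProductB", "cvss": 9.0},
  {"id": "CVE-EXAMPLE-0011", "product": "ProductB", "cvss": 7.1},
  {"id": "CVE-EXAMPLE-0012", "product": "ProductB", "cvss": 8.5},
  {"id": "CVE-EXAMPLE-0013", "product": "ProductB", "cvss": 5.0},
  {"id": "CVE-EXAMPLE-0014", "product": "ProductC", "cvss": 6.9},
  {"id": "CVE-EXAMPLE-9999", "product": "ProductA", "cvss": "n/a"}
]"""

# Constructed denominators: how many years each product has been tracked.
# The choice of denominator is the whole argument; years is only one option.
YEARS_TRACKED = {"ProductA": 12, "ProductB": 2, "ProductC": 5}


def is_high_severity(score):
    """True when a CVSS base score falls in the High band (>= 7.0)."""
    return score >= HIGH_SEVERITY_THRESHOLD


def parse_records(text):
    """Parse a JSON array of NVD-like records, dropping the ones that are unusable.

    A record is kept only if it has a string id, a string product and a numeric
    CVSS score between 0 and 10; anything else (missing keys, an "n/a" score)
    is skipped rather than being allowed to distort the count.
    """
    kept = []
    for rec in json.loads(text):
        if not isinstance(rec, dict):
            continue
        score = rec.get("cvss")
        if isinstance(score, bool) or not isinstance(score, (int, float)):
            continue
        if not 0.0 <= score <= 10.0:
            continue
        if not isinstance(rec.get("id"), str) or not isinstance(rec.get("product"), str):
            continue
        kept.append({"id": rec["id"], "product": rec["product"], "cvss": float(score)})
    return kept


def count_high_severity(records):
    """Raw count of high-severity records per product: the statistic the article ranks on."""
    counts = Counter()
    for rec in records:
        if is_high_severity(rec["cvss"]):
            counts[rec["product"]] += 1
    return dict(counts)


def normalize_per_year(counts, years_tracked):
    """High-severity records per year of tracking; products with zero findings are included."""
    rates = {}
    for product, years in years_tracked.items():
        if years <= 0:
            raise ValueError(f"years tracked must be positive for {product}")
        rates[product] = counts.get(product, 0) / years
    return rates


def rank(metric):
    """Products sorted from worst to best on the given metric (ties broken by name)."""
    return sorted(metric.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    records = parse_records(SAMPLE_NVD_JSON)
    raw = count_high_severity(records)
    print("raw high-severity counts:", rank(raw))
    print("per year tracked:        ", rank(normalize_per_year(raw, YEARS_TRACKED)))
```

On the constructed data ProductA leads the raw count (6 high-severity records against 4), but ProductB leads once the counts are divided by years tracked (2.0 per year against 0.5), which is exactly the kind of reversal a denominator can produce. Whether years, installed base or lines of code is the right denominator is a separate argument; the code only makes the dependence on that choice visible.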

Link Logger
MVM
join:2001-03-29
Calgary, AB

Link Logger to Name Game

Re: Windows XP and Firefox take 25-year lead in security flaws

Hmmmmmm, one is a full-featured OS and the other is just an application; doesn't speak well for Mozilla.
NoHereNoMo
join:2012-12-06

1 recommendation

NoHereNoMo to Name Game

Member

Kudos to the few companies that actually announce their security flaws as opposed to those trying to hide from the facts of life in the digital age.
dave
Premium Member
join:2000-05-04
not in ohio

1 recommendation

dave to Name Game

Re: Windows XP and Firefox take 25-year lead in security flaws

Some researcher needs to do a study on the inflationary use of the term "researcher" over the last 25 years.
HELLFIRE
MVM
join:2009-11-25

HELLFIRE to Name Game

Here's a REAL comparison... what WinXP and Mozilla have had over the last 25 years... versus the bug patching-fest Java has been for the last 6 months. Who'd win? [/sarcasm]

+1 to StuartMW and dave's comments

Regards

therube
join:2004-11-11
Randallstown, MD

2 recommendations

therube to Name Game

Member

> Windows XP has had 453 while Firefox has had 433 vulnerabilities
> rated high and critical

To which I say, big deal.

Was XP ever designed to be "secure"?
It took them until when to even have a firewall, enabled, by default?

And Firefox, so what!
When was the last time someone was infected when running a Mozilla browser? Sure it happens. But few & far from memory are the reports I can remember. And when made aware, bugs are patched. Plugins (or extensions) you can't really blame on Mozilla (or at least less so).

> remember when

Oh, in the Mozilla tree, something called "mozilla" aka "seamonkey" pre-dated all those. (And then there was something called "Netscape" too.)

> "ten worst offenders" from top down were: Microsoft, Apple, Oracle,
> IBM, Sun (acquired by Oracle), Cisco, Mozilla, Linux, HP, and Adobe

Wonder if anyone could tell me the 10 most popular web-facing apps? Like, is it any wonder they're the ten worst?

> Windows Vista is at the number five position, even though Microsoft
> put a lot of effort into securing Windows Vista

Cough, cough.
And Win7 is virtually untouchable.
(Remembering a FF exploit, I thought that was a tough one for me. Man, Win7, being exploited, I'll have to resort to the archives to find anything on that.)

> doesn't speak well for Mozilla

Again, doesn't bother me one bit.
Glad to see that they actually do something for the better in getting things fixed. (And then they do plenty for the worse, many will say, & I'll kind of agree there too.)
Kearnstd
Space Elf
Premium Member
join:2002-01-22
Mullica Hill, NJ

1 recommendation

Kearnstd to Name Game

The main thing with Firefox is that it is not an integrated application. A big issue with IE, and why so many system-wide exploits happened with it, has a lot to do with how tight it was with the Windows OS itself.
OZO
Premium Member
join:2003-01-17

I agree with that point. IE should not be "part of Windows OS", as they made it. A lot of problems come with it.

StuartMW
Premium Member
join:2000-08-06

3 edits

1 recommendation

StuartMW to Kearnstd

said by Kearnstd:

A big issue with IE, and why so many system-wide exploits happened with it, has a lot to do with how tight it was with the Windows OS itself.

As I recall, that started with Active Desktop on WinNT 4.0 and Win95.

I never liked the tight coupling between IE and the OS, but presumably Microsoft saw it as a marketing advantage.

One thing I think many miss with Microsoft is that the target, for the most part, of their products is not IT professionals or other computer-literate users. They aim their stuff at the "average user". That said, one can argue that Apple has done a much better job of that.