Most vulnerable operating systems and applications


An average of 19 vulnerabilities per day were reported in 2014, according to the data from the National Vulnerability Database (NVD). The NVD provides a comprehensive list of software security vulnerabilities. In this article, I look at some of the trends and key findings for 2014 based on the NVD’s database.
Some of the questions asked are:
- What are the latest vulnerability trends? Are we seeing an increase or a decrease in the number of vulnerabilities?
- What percentage of these vulnerabilities are rated as critical, i.e. those with a high security impact (such as allowing remote code execution) that are therefore attractive to exploit?
- In which areas do we see the most vulnerabilities? Are operating systems, third-party applications or network devices such as routers, switches, access points or printers most at risk?
- Which operating systems and applications are listed with the most vulnerabilities? This data is important because the products at the top receive the most frequent security updates. To keep an IT infrastructure secure, sysadmins need to continually monitor these operating systems and applications for the latest updates and ensure they are always fully patched.
7,038 new security vulnerabilities were added to the NVD database in 2014. This means an average of 19 new vulnerabilities per day. The number is significantly higher than in 2013 and continues the ascending trend over the past few years.
[Chart: number of vulnerabilities per year, 2009-2014]
24% of these vulnerabilities are rated as high severity. The percentage is lower than in 2013, but the actual number of high-severity vulnerabilities has increased compared to last year.
[Chart: high-severity vulnerabilities per year]
Third-party applications are the largest source of vulnerabilities, accounting for over 80% of those reported. Operating systems are responsible for only 13% of vulnerabilities and hardware devices for 4%.
[Chart: vulnerability distribution by product type]

Top operating systems by vulnerabilities reported in 2014

[Chart: top operating systems by vulnerabilities reported in 2014]
It is interesting that although Microsoft operating systems still have a considerable number of vulnerabilities, they are no longer in the top 3. Apple with OS X and iOS is at the top, followed by Linux kernel.
2014 was a tough year for Linux users from a security point of view, coupled with the fact that some of the most important security issues of the year were reported for applications that usually run on Linux systems. Heartbleed, for example, is a critical security vulnerability detected in OpenSSL while Shellshock is a vulnerability that affects GNU Bash.

Top applications by vulnerabilities reported in 2014

[Chart: top applications by vulnerabilities reported in 2014]
The applications listed here are pretty much the same as in 2013. Not surprisingly at all, web browsers continue to have the most security vulnerabilities: they are the most common client-side entry point and a popular vector for spreading malware to clients. Adobe's free products and Java are the main challengers, but web browsers have continuously topped the table for the last six years. Mozilla Firefox had the most vulnerabilities reported in 2009 and 2012, Google Chrome in 2010 and 2011, and Internet Explorer was at the top for the last two years.
To keep systems secure, it is critical that they are fully patched. IT admins should prioritise patching the following, in this order:
  • Operating systems (Windows, Linux, OS X)
  • Web browsers
  • Java
  • Adobe free products (Flash Player, Reader, Shockwave Player, AIR).


UPDATE

The response to my post on the top vulnerabilities in 2014 has been amazing and I would like to thank everyone who commented on the article. What certainly stood out in the comments and feedback is the fact that some of the statistics I reported on were not clear enough. Many comments queried why vulnerabilities were grouped in the way I did and why there is a single entry for Apple OS X and Linux but seven entries, one for each Windows version.
In the following update, I’m going to try and clarify and answer most of our readers’ queries.
The operating systems are different and it is hard to group them in a way that everybody agrees with. For example, unlike Windows, the Linux Kernel can be upgraded independently of the rest of the operating system; therefore it is hard to link Linux Kernel vulnerabilities to a specific Linux distribution or Linux distribution version. This is why Linux vulnerabilities are grouped under Linux Kernel as a separate product and then there are the specific vulnerabilities for each Linux distribution. The reason why only Linux Kernel and Apple OS X are listed at the top is because the number of vulnerabilities that specifically apply to other Linux distributions (like Red Hat, Debian, etc.) is lower than the number of vulnerabilities that apply to the operating systems already listed.
For example, here are some statistics for several Linux distributions that did not make it to the top and which are not included under the Linux Kernel entry:

Distribution          Total   High   Medium   Low
Ubuntu                   39      7       27     5
Red Hat Enterprise       27      6       17     4
openSUSE                 20      9        9     4
Fedora                   15      3        9     3
If we had to group the different Windows versions under one entry the statistics would look like this:

Product               Total   High   Medium   Low
Windows                  68     47       20     1

As you can see, a lot of Windows vulnerabilities apply to multiple Windows versions, so the same vulnerability is counted once under each version but only once for the family as a whole. Because of that there is not a huge difference between the number for the entire Windows operating system family and the numbers for the individual Windows versions.
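The grouping effect described above, and the severity split used for the 24% high-severity figure earlier in the article, are easy to reproduce in code. The following is an added example, not code from the original article or from GFI: it tallies a handful of constructed NVD-style records (placeholder CVE ids, affected products, CVSS v2 base scores) per product and per product family, counting each vulnerability once per key so that a flaw affecting three Windows versions adds one to the "Windows" family total but one to each version. The family mapping (every product starting with "Windows" rolls up into one entry) and the record layout are assumptions; the severity ranges are NVD's published CVSS v2 bands.

```python
"""Tally NVD-style vulnerability records by severity, product and product family.

Added example, not part of the original article. Records are constructed
here in a simplified form; a real run would read the NVD data feeds instead.
"""
from collections import defaultdict

# NVD's CVSS v2 qualitative ranges: Low 0.0-3.9, Medium 4.0-6.9, High 7.0-10.0.
def severity(base_score):
    if base_score >= 7.0:
        return "high"
    if base_score >= 4.0:
        return "medium"
    return "low"

# Family mapping (assumption for this example): every Windows version rolls
# up into a single "Windows" entry, mirroring the article's grouping exercise.
def family_of(product):
    return "Windows" if product.startswith("Windows") else product

# Constructed sample records with placeholder ids, not real CVEs.
SAMPLE_RECORDS = [
    {"id": "CVE-EXAMPLE-0001", "products": ["Windows 7", "Windows 8", "Windows Server 2012"], "score": 9.3},
    {"id": "CVE-EXAMPLE-0002", "products": ["Windows 7", "Windows 8"], "score": 7.2},
    {"id": "CVE-EXAMPLE-0003", "products": ["Windows 8"], "score": 4.3},
    {"id": "CVE-EXAMPLE-0004", "products": ["Linux Kernel"], "score": 7.8},
    {"id": "CVE-EXAMPLE-0005", "products": ["Linux Kernel", "Ubuntu"], "score": 5.0},
    {"id": "CVE-EXAMPLE-0006", "products": ["Ubuntu"], "score": 2.1},
]

def tally(records, key_func):
    """Count distinct vulnerabilities per key, split by severity.

    A record whose products all map to the same key is counted once for that
    key, which is why per-version totals exceed the family total when summed.
    """
    seen = defaultdict(set)  # key -> ids already counted under that key
    counts = defaultdict(lambda: {"total": 0, "high": 0, "medium": 0, "low": 0})
    for rec in records:
        sev = severity(rec["score"])
        for product in rec["products"]:
            key = key_func(product)
            if rec["id"] in seen[key]:
                continue
            seen[key].add(rec["id"])
            counts[key]["total"] += 1
            counts[key][sev] += 1
    return dict(counts)

def high_severity_share(records):
    """Fraction of distinct vulnerabilities rated high (the article's 24% figure)."""
    by_id = {rec["id"]: severity(rec["score"]) for rec in records}
    if not by_id:
        return 0.0
    return sum(1 for s in by_id.values() if s == "high") / len(by_id)

if __name__ == "__main__":
    per_version = tally(SAMPLE_RECORDS, key_func=lambda p: p)
    per_family = tally(SAMPLE_RECORDS, key_func=family_of)
    for name, table in (("per version", per_version), ("per family", per_family)):
        print(f"--- {name} ---")
        for product, c in sorted(table.items()):
            print(f"{product:<20} {c['total']:>3} total  {c['high']:>3} high  "
                  f"{c['medium']:>3} medium  {c['low']:>3} low")
    print(f"high-severity share: {high_severity_share(SAMPLE_RECORDS):.0%}")
```

With the sample data the three Windows versions sum to 6 entries while the Windows family shows 3, which is the point made about the real 2014 numbers: most Windows vulnerabilities are shared across versions. The same deduplication is what keeps Linux Kernel flaws from being double counted when a distribution is also listed as affected.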
Some readers have also asked where Android fits in. Here are the NVD stats:

Product               Total   High   Medium   Low
Android                   6      4        1     1
It is important to note that Android is based on Linux Kernel too and some of those vulnerabilities apply to Android as well. The malware on Android devices is usually spread via applications installed on the devices rather than via holes in the operating system.
Another question: where is Safari? Are Safari vulnerabilities included in the OS X counts? The answer is no. Safari vulnerabilities are counted separately, as is the case with the other web browsers. Safari is not listed because it did not make it to the top of the list: it does have a large number of vulnerabilities, but only three of them are high severity.

Product               Total   High   Medium   Low
Safari                   70      3       67     0
To conclude, the aim of the article is not to blame anyone, whether Apple, Linux or Microsoft. The message I am trying to get across is that all software products have vulnerabilities, and the frequency of security updates increases with the product's popularity. At GFI we would like people to use the information as a guide to which areas need more attention when patching their systems. At the end of the day, however, an IT admin's attention should be on ALL products in the network and not limited to those at the top of the vulnerability list; neither should the assumption be made that those further down the list are safer. Every software product can be exploited at some point. Patching is the answer, and that is the key message.
——
Vulnerability and patch management should be priority tasks for every sysadmin. Microsoft’s updates are not enough because third-party applications are just as problematic. If you would like to discover how many vulnerabilities exist in your network or how many patches are missing.

The next item to note is the Windows Store. Like the Ubuntu Software Center, you can download both free and paid applications to be installed onto your desktop. Unfortunately for Ubuntu, the Windows Store looks far more polished than the dated Ubuntu Software Center. That said, I am not really that pleased about the "tile everything" approach Windows 10 takes with its newly installed software.
In the end, Microsoft wins hands down with the Windows Store, whereas Ubuntu wins with its overall desktop experience: no tiles and less "color splash" distracting the user. As for office suite offerings, it's a bit of a tie. I prefer the LibreOffice suite and its locally installed applications. However, if Microsoft ever wises up and begins offering its "full" office suite to users instead of its stripped-down version, this point could also go to Microsoft.

Deep concerns and closing thoughts

I'll be honest. From a visual point of view, I'm not a fan of the new Windows layout. While it's far better than previous releases, it's still not for me. Unfortunately, though, my opinion alone isn't going to sway anyone away from this release.
The first issue is that it's going to be a free upgrade for a lot of Windows users. This means the barrier to entry and upgrade is largely removed. Second, it seems this time Microsoft has really buckled down on listening to what their users want. Many of the new features have allegedly been due to Windows feedback.

As things stand now, I see the following motivators being Ubuntu's best shot at wooing away folks from Windows going forward.
Privacy – Even if there are concerns about Unity Lenses and data collection, this is easily remedied by using an alternative desktop environment. Windows, by contrast, has a horrid track record in this department.
Security – Despite recent improvements with Windows security, it's still the biggest desktop target on the web with regard to attacks. This won't be changing any time soon. Linux by contrast, has a fantastic desktop security track record.
Hardware support – This is always disputed, no matter how many times I mention it. But the fact is, when you bother to include older peripherals and hardware, Linux still outshines Windows all day long in terms of hardware support. Try running anything from the XP era on your Windows 10 desktop and let me know how good the driver support is. Under Ubuntu, it just works. Windows' only advantage is having an edge with smoother graphics drivers.
Does this mean that Ubuntu Linux and other distros are doomed? Nope, especially when you jump out of the Apple/Microsoft echo chamber that is the United States. Linux desktop adoption is exploding all over the world. So while Microsoft continues their hold on the market here in the States, the rest of the world is already moving on.
To further illustrate my point, refer back to my article on the Secret to Desktop Linux Adoption. As anticipated, the naysayers had ample reasons why techs would never participate, and why doing so would translate into lost revenue. Besides being completely misinformed, I fear the greater point was missed as well. The article was quite clear in stating Windows AND Linux, not just Linux. To not offer a better-suited solution to someone struggling with Windows is irresponsible at best. It's unfortunate more people don't realize this.

Folks, depending on malware removal as a revenue source is a dated, faltering business model. As Windows 10 rolls out, I think we're going to start seeing greater evidence of this. It's already putting countless local repair shops out of business. The mailing lists I subscribe to are quite clear on this. Mobile, tablets and OS X are changing the industry.

Therefore once you realize your "malware removal" customers are already on their way out, wouldn't it make sense to adapt? Techs offering Ubuntu support as a service is not only profitable (I know of three companies doing well with it), this approach is the ONLY thing that would get the United States to catch up with the rest of the world in terms of desktop Linux adoption.

Ubuntu and other distros are ready for the desktop now. I have people running these environments all day, every day. As a community, we need to get on the same page with this now or accept that Windows has already won. I know where I stand, based on years of personal experience with clients and converts. Where do you stand? Are you part of the solution? Or do you instead hold onto the farce that "Linux is hard" because you're unwilling to become the bridge of support others need to make the switch? What say you? Hit the Comments section to sound off.
