
The Most Vulnerable Operating Systems and Applications in 2011

on February 27, 2012

As a sysadmin, you should try to keep abreast of all the latest and most important security updates for operating systems, applications and so on. Here is an in-depth look at some of the statistics around vulnerabilities that I collated for 2011.

To begin with, the National Vulnerability Database (NVD) reports 3532 vulnerabilities in 2011. This means that last year about ten new security vulnerabilities were discovered each day. While the rate of newly discovered vulnerabilities is impressive, the good news is that the trend is downward: 4258 vulnerabilities were reported in 2010, and the peak was in 2008, when almost 7000 vulnerabilities were reported.

[Image: number of vulnerabilities, 2007-2011]

[Image: vulnerability distribution by severity, 2011]

43% of vulnerabilities discovered in 2011 are rated as having a HIGH severity level. The percentage of critical issues is considerable and has remained fairly constant over the years. High severity usually means that a vulnerability can be exploited remotely with high impact on the targeted machines. Luckily, the majority of vulnerabilities have a fix available from the vendor by the time they are disclosed to the public. It is extremely important, however, to keep your network fully patched.

Vulnerabilities were reported for 722 vendors, but the top 10 vendors account for 50% of vulnerabilities:

[Image: vulnerability table]

Microsoft continues to have the highest number of critical vulnerabilities, but the total number of Microsoft vulnerabilities in 2011 is down to 244 from 318 in 2010.

An interesting trend can be observed for Google, which in 2011 has the highest number of vulnerabilities reported in NVD, going up to 299 vulnerabilities from 155 in 2010. The majority of them are in Google Chrome.

85% of reported vulnerabilities are in third party applications, 12% in operating systems and 3% in hardware devices.

The number of vulnerabilities discovered in operating systems and hardware devices has remained at around the same levels since 2008 (400-500 vulnerabilities per year in operating systems and 100-200 vulnerabilities per year in hardware devices). The situation is different for third party applications, where the number of vulnerabilities has fallen steadily since 2008: 3091 vulnerabilities were reported in 2011, compared with 6378 in 2008. In practical terms, 50% fewer vulnerabilities were discovered in third party applications in 2011 than in 2008.

Most Targeted Operating Systems in 2011

[Image: OS table]

Microsoft operating systems are by far the most targeted, followed by Cisco IOS and Apple Mac OS X.

Google Android entered the top list this year. It will be interesting to observe its evolution over the next year, as the number of Android smartphones and tablets is increasing at a fast rate and it is expected to generate more and more interest from security researchers and hackers. The same applies to Apple iOS, which already has a good number of vulnerabilities.

Most Targeted Applications in 2011 

[Image: application table]

The applications with the highest numbers of vulnerabilities reported in 2011 are, with small changes, the same as in 2010. Here are some highlights:

  • Web browsers and their add-ins continue to generate the most interest.
  • Along with operating systems and web browsers, it is mandatory to monitor the following and make sure they are always fully patched: Adobe products (Flash Player, Reader, Shockwave Player, AIR), Java, Microsoft Office and other popular and widely deployed applications like Apple iTunes, Apple QuickTime and RealPlayer.
  • Google Chrome remains, as in 2010, the application with the largest number of vulnerabilities reported in NVD. More than that, the number of vulnerabilities reported in 2011 almost doubled compared to 2010, from 152 to 275.
  • Apple iTunes had an impressive increase in vulnerabilities discovered in 2011 as compared to 2010, from 8 to 78.

About the Author:

Cristian Florian is product manager at GFI Software. Starting as a software developer, he developed his career step by step, gaining more than 12 years of experience in network security and software development. He currently oversees GFI LanGuard, a successful network security scanning and patch management solution.

Steven Livetan March 7, 2012 1:08 pm

Thank you very much Cristian for this awesome, comprehensive and well-researched list. I’ve been looking for this for a long time now. However I’m not surprised about the results. Almost all Microsoft-based operating systems are failing – they’re on the red marks. Well, this is understandable as more and more attacks and hacks are done on Microsoft OSs. I’ve seen this trend since I was still in high school.

However, I’m quite surprised about the Apple iOS vulnerabilities. They’ve risen to 35 incidents year on year (2010 – 2011). I’m a huge Apple fan. In fact, all my gadgets are all Apples – tablets, PCs, laptop, and a cellphone. I have an iPhone and so far I haven’t experienced any vulnerability incident. Maybe it depends on the user. If you’re careless or negligent, then expect more harm coming your way.

Clyde O'maha March 7, 2012 6:45 pm

What’s with Google Chrome?!!! – The vain of the web browser family. I just don’t get why Google created it in the first place? The browser family is already full. Google said it’s the “fastest web browser” on the planet but I highly doubt it. I tested how fast it is when compared to my tried and tested Mozilla Firefox and it’s almost the same +/- one to two seconds difference in loading most webpages.

Chrome’s edge over the other browsers is only when you’re streaming / watching YouTube videos – that’s it, no more no less. But can you sacrifice security over how fast a web app could be? For me not. I’d rather use a less vulnerable software than utilize one that’s full of bugs and useless features.

Brian Haines March 15, 2012 5:04 am

Sad about Google Chrome as it is my browser of choice. It is in fact faster. I am thoroughly annoyed at how long Firefox takes to open and how long IE takes to relinquish control.

Chrome is faster. I hope they get better at security.

Jerome Paulines March 16, 2012 12:07 pm

I have both a PC (Windows 7) and a Mac (Lion OSX). I also use two web browsers – Internet Explorer on my PC and Mozilla Firefox on my Mac. I don’t have problems with these four applications. The only major headache I have is with its plugin – particularly the Adobe Flash player program on both web browsers. Most of the time, especially when I open up to five YouTube videos or play Flash-based games, the browser plugin crashes. Sometimes, because of the Flash player crash, the browser also crashes.

I can’t wait for HTML5’s full implementation to the World Wide Web. It’s a great alternative to the Adobe Flash Player web browser plugin. It could even kill the said app.