Top 15 Most Vulnerable Applications
July 28, 2010
Which were the most vulnerable applications in the first half of 2010?
Below are the results after processing vulnerability data feeds, as of July 7, 2010, from the National Vulnerability Database (NVD), the U.S. government repository of standards-based vulnerability management data:
Interesting highlights and remarks:
- Web browsers are the most targeted applications. They hold the top four places. Other popular targets for hackers are Adobe products, the Java Runtime Environment and Microsoft Office.
- Discussions about which browser is most secure do not make much sense. They all have quite a number of new security vulnerabilities. A safe web browser is probably one that is used by only a few people and is therefore not popular enough to get attention from hackers. However, a lot of sites will not work on such a browser, simply because most developers test their sites only on the most-used browsers.
- Adobe, Microsoft and Mozilla have the most products in the top 15:
  - Adobe – 5 products
  - Microsoft – 3 products
  - Mozilla – 3 products
  - Oracle – 2 products
  - Apple – 1 product
  - Google – 1 product
According to NVD, new security vulnerabilities are published at a rate of 16 per day. Vendors are forced to release a lot of security updates to keep their products secure, so a vulnerability management tool like GFI LANguard can be very helpful. Currently LANguard can automate patching for 11 of the 15 products mentioned above. Here is the full list of supported non-Microsoft products.
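The article does not show how the feeds were processed. As an added illustration (not the author's code), the sketch below tallies distinct entries per application from CPE 2.2 URIs within a date window, and shows how the ranking shifts when versions are counted separately instead of being lumped into one product. The record layout, the `EX-` identifiers and the vendor and product names are constructed placeholders.

```python
from collections import defaultdict
from datetime import date

# Constructed sample records (placeholders, not real NVD entries).
SAMPLE_FEED = [
    {"id": "EX-0001", "published": date(2010, 1, 15),
     "cpes": ["cpe:/a:vendor_a:browser_x:4.0", "cpe:/a:vendor_a:browser_x:4.1"]},
    {"id": "EX-0002", "published": date(2010, 3, 2),
     "cpes": ["cpe:/a:vendor_a:browser_x:4.1"]},
    {"id": "EX-0003", "published": date(2010, 5, 20),
     "cpes": ["cpe:/a:vendor_b:reader_y:9.3", "cpe:/o:vendor_b:some_os:1.0"]},
    {"id": "EX-0004", "published": date(2010, 7, 5),    # after the window
     "cpes": ["cpe:/a:vendor_a:browser_x:5.0"]},
    {"id": "EX-0005", "published": date(2009, 12, 30),  # before the window
     "cpes": ["cpe:/a:vendor_b:reader_y:9.2"]},
]


def parse_cpe(uri):
    """Split a CPE 2.2 URI into (part, vendor, product, version)."""
    if not uri.startswith("cpe:/"):
        raise ValueError(f"not a CPE 2.2 URI: {uri!r}")
    fields = uri[len("cpe:/"):].split(":")
    fields += [""] * (4 - len(fields))  # version may be omitted
    return tuple(fields[:4])


def count_by_product(feed, start, end, per_version=False):
    """Count distinct entries per application published in [start, end]."""
    seen = defaultdict(set)
    for entry in feed:
        if not (start <= entry["published"] <= end):
            continue
        for uri in entry["cpes"]:
            part, vendor, product, version = parse_cpe(uri)
            if part != "a":  # applications only; skip "o" (OS) and "h" (hardware)
                continue
            key = (vendor, product, version) if per_version else (vendor, product)
            seen[key].add(entry["id"])  # a set, so one entry counts once per key
    return sorted(((k, len(v)) for k, v in seen.items()),
                  key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    h1 = (date(2010, 1, 1), date(2010, 6, 30))
    print(count_by_product(SAMPLE_FEED, *h1))
    print(count_by_product(SAMPLE_FEED, *h1, per_version=True))
```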

Safari is number 1? Really? I’m surprised! I would have thought for sure IE would have had that spot. Very interesting!
Same here! Very surprised that IE isn’t at the top spot here.
Only listing numbers (of vulnerabilities in this case) is not a reliable index of how secure the product is. So Firefox has almost the most vulnerabilities, but they are also the most quickly patched (within weeks on average). While IE, on the other hand, has a lower number of vulnerabilities, but it takes much longer for Microsoft to patch them (within months on average).
Naturally, while Firefox is open source and everyone can see and inspect the source code, more vulnerabilities are also publicly revealed. IE is a proprietary product (closed source) and many vulnerabilities discovered are actually never publicly revealed (if possible).
What do you think now – which one of these two is more secure?
This does not take into account the time each of those manufacturers takes to present a patch to fix an issue…
When Internet Explorer was the absolute king of web browsers, it was the natural choice to look for security weaknesses.
Now the increased usage of Firefox and high media attention that Apple gets lately made them high priority targets for hackers and malware, while Internet Explorer 8 has made important progress from a security point of view when compared with previous versions.
Anyway all important browsers have plenty of vulnerabilities. It is hard to say which one is more secure. What is certain – and it can be noticed from the number of vulnerabilities – is that Safari, Firefox and Chrome got important enough to be attractive for hackers.
@ Robert Okadar and Micke
As I stated in the article I think that all important browsers are vulnerable to an extent and that makes discussions on which is the most secure/less vulnerable quite irrelevant.
Indeed numbers of vulnerabilities do not cover all security aspects of a product, but they do offer important information. They indicate which products are the preferred targets for hackers and malware. They show network administrators which applications need more attention and must be considered as high priority for patch management.
Regarding the time that vendors need to fix vulnerabilities – as you correctly say, this is an important metric when talking about product security. However, equally or even more important is the time taken for users to apply the patches made available by the vendor. From this perspective it is easier to manage patches that are released on a regular schedule as Microsoft does. This tends to leave companies with less time between deploying Microsoft updates than the time needed to deploy updates for other vendors like Mozilla or Adobe.
Sue, I am just as surprised as you. Safari at the top spot and IE last among the major browsers. You would have thought someone made a mistake and got the data wrong. It also doesn’t seem to follow since one would assume that among these browsers, Safari would have the fewest users (http://en.wikipedia.org/wiki/Usage_share_of_web_browsers). Now why would an attacker give the time of the day to attack a browser that’s least used? Interesting indeed.
@ Hansel
I assume Safari has recently become attractive for attackers because of the success of iPhone and iPad.
Wish such articles would clarify “vulnerability” from “exploit”. Apple has the more vulnerabilities, I suspect, because they are used to security through obscurity, which is actually starting to change in the black hat community. There is a certain arrogance to their patching patterns based on the fact that surprisingly few exploits have targeted Mac OS installations. Apple is somewhat notorious for having long cycles between being alerted to vulnerabilities and actually issuing security updates. Something which will eventually bite them big time I suspect.
There are far fewer exploits written against the newer revs of browsers simply because the economy of scale has the majority of black hats going after the best bang for the buck which means they will concentrate on the most installed applications, and focus on known code bases.
It’s also hard to know what to think of a single lumping of “Internet Explorer” since the IE8 code base is very different from IE7, and both are very different from IE6 which is generally regarded as the champ for successful exploits among browsers. For that matter, lumping Safari as if it was a single application code base is equally misleading. Safari for OSX vs. Safari for Win are different beasts entirely, and I personally won’t allow Safari for Win on the system I administer because of its history of being poorly written (and Apple’s lax patching history) more than concerns for risk.
While this is useful information it addresses too few variables to be useful in determining which apps are the most exploitable.
I have to agree with a lot of the sentiments here. I was utterly surprised that Apple’s Safari took the top spot which I thought would’ve been a shoo-in for Microsoft’s Internet Explorer. It’s no surprise that browsers are high up in the list, but with Google’s Chrome being a recent addition, I’m still shocked that it surpassed IE so quickly. I think it’s about time I re-evaluated the browsers being used in the office now.
I’m now left wondering if the drop in IE security concerns is due to a lot of users migrating to other browsers. It may not be that IE is increasing its security, but rather, other browsers are being exploited more.
I know that there’s a direct correlation between the size of a program’s user base and the amount of security exploits; but what I didn’t figure was that the correlation would be this influential on the actual numbers.