Top Most Vulnerable Applications and Operating Systems in 2010
Analyzing the 2010 data from the National Vulnerability Database reveals some interesting statistics.
This is the list of the top most targeted applications in 2010:
As more and more businesses and applications are moving to the web, browsers are the favorite targets for hackers and security researchers. These are followed closely by Adobe tools, Microsoft Office, RealPlayer and Java Runtime Environment.
The top most targeted operating systems in 2010 are the following:
Microsoft still remains the preferred target when talking about operating systems, followed very far behind by Linux, Apple Mac OS X and Cisco IOS.
From the data above we can see that 75% of vulnerabilities are targeting applications, 18% operating systems and 7% hardware devices (i.e. Cisco). This means that patching only Microsoft products is not enough. Adobe products, web browsers and Java Runtime Environment are the minimum set of other applications that must be monitored closely to ensure they are always fully patched for adequate security.
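An added example, not part of the original article: one way to derive a per-product ranking and the application / operating system / hardware split from NVD-style records. It assumes each record lists its affected products as CPE 2.2 URIs (`cpe:/a:` application, `cpe:/o:` operating system, `cpe:/h:` hardware); the records, identifiers and function names are constructed for illustration.

```python
from collections import Counter

# Constructed sample records (not real NVD entries): a placeholder identifier
# plus the CPE 2.2 URIs of the affected products. "example_router" is made up.
SAMPLE_RECORDS = [
    {"id": "SAMPLE-0001", "cpes": ["cpe:/a:google:chrome:5.0", "cpe:/a:google:chrome:6.0"]},
    {"id": "SAMPLE-0002", "cpes": ["cpe:/a:adobe:acrobat_reader:9.3", "cpe:/a:adobe:acrobat:9.3"]},
    {"id": "SAMPLE-0003", "cpes": ["cpe:/o:microsoft:windows_7", "cpe:/o:microsoft:windows_xp::sp3"]},
    {"id": "SAMPLE-0004", "cpes": ["cpe:/a:google:chrome:7.0"]},
    {"id": "SAMPLE-0005", "cpes": ["cpe:/h:cisco:example_router", "cpe:/o:cisco:ios:12.4"]},
    {"id": "SAMPLE-0006", "cpes": ["not-a-cpe"]},  # malformed entry, must be skipped
]

PART_NAMES = {"a": "application", "o": "operating system", "h": "hardware"}

def parse_cpe(uri):
    """Return (part, vendor, product) from a CPE 2.2 URI, or None if malformed."""
    if not uri.startswith("cpe:/"):
        return None
    fields = uri[len("cpe:/"):].split(":")
    if len(fields) < 3 or fields[0] not in PART_NAMES or not fields[1] or not fields[2]:
        return None
    return fields[0], fields[1], fields[2]

def tally(records):
    """Count distinct vulnerabilities per product and per CPE part."""
    per_product, per_part = Counter(), Counter()
    for rec in records:
        parsed = {p for p in map(parse_cpe, rec["cpes"]) if p}
        # Versions collapse: a record counts once per (vendor, product) ...
        for key in {(vendor, product) for _, vendor, product in parsed}:
            per_product[key] += 1
        # ... and once per part, however many products of that part it lists.
        for part in {part for part, _, _ in parsed}:
            per_part[PART_NAMES[part]] += 1
    return per_product, per_part

def shares(per_part):
    """Percentage split across parts; a record touching two parts counts in both."""
    total = sum(per_part.values())
    return {name: round(100 * n / total) for name, n in per_part.items()}

if __name__ == "__main__":
    products, parts = tally(SAMPLE_RECORDS)
    print(products.most_common(3), shares(parts))
```

Counting distinct records per product rather than raw CPE entries keeps products with long affected-version lists from being inflated in the ranking.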

This is a great comparison and table.
Google Chrome isn’t that popular yet, so it is surprising that it is the number one target. However, attackers probably rely on the fact that Chrome is still new and many vulnerabilities haven’t been discovered yet. Otherwise, it is only natural that the most popular applications and operating systems are the most frequent targets.
Joe Bursky – Google Chrome is not that popular yet because it is relatively new, but maybe it is the most attacked application because of this – when an application is new, many unseen bugs appear out of nowhere. Otherwise, it is only natural that the most popular applications and operating systems are the most frequently attacked ones.
Well, I guess we all know the reason why they’re the most targeted. They’re also the most popular. But what sets them apart from the other applications is they’re constantly updated by their developers. So although it’s making me anxious, I’m not completely worried.
Indeed, 2010 was a rich year in security updates. Microsoft alone has released 106 security bulletins, which is a company all-time record.
Another reason why you should never buy pirated goods! Tried it once and it destroyed my system. I lost almost all my files.
Since when do *vulnerabilities* “target” applications, operating systems, and such? They don’t! EXPLOITS target these. Google Chrome isn’t the most “targeted” browser – it simply is the browser that had the “high severity” vulnerabilities listed within the National Vulnerability Database for the previous year.
As far as what software is/was most frequently exploited via the Internet to install malicious code, Java and Adobe Acrobat/Reader are pretty much tied for #1, with nothing remotely close to being next in line.
@ Brian
Strictly speaking it is people who are targeting these. And the first step to create an exploit is to find a vulnerability.
The number of publicly known vulnerabilities correlates with the interest hackers have in using the product as an attack vector.
Indeed today Adobe Reader vulnerabilities, for instance, are more important than Google Chrome ones because Adobe Reader is more widely in use, especially in corporate environments.
But Google Chrome is definitely on an ascendant path in capturing interest and becoming more “targeted”. The trend is obvious if we are looking at the numbers of vulnerabilities for it in the past three years (again the source is National Vulnerability Database):
2008 -> 11 vulnerabilities
2009 -> 31 vulnerabilities
2010 -> 152 vulnerabilities
I know that Java and Adobe Reader/Acrobat are widely exploited, but I don’t have exact figures. You are very sure that they are by far in first place. Can you share with us the sources/facts that led you to make this assertion?
The reason Chrome is #1, Safari #2, Webkit #3, and Firefox #4 is because all of these browsers are open-source. When a project is open-source there is a much more transparent bug reporting method — most bugs found are considered potential security issues. On the upside, this means bugs are usually patched much more quickly than those in the closed source world.
Internet Explorer is closed-source which means it takes a little more work to discover flaws (but it doesn’t stop flaws from being discovered, as we all know). Moreover, Microsoft is under no obligation to report all vulns that they themselves find. If IE were open-sourced, you would see that it would have similar numbers to Chrome and FF.
@FOSS
Definitely, Internet Explorer’s numbers would be higher if its code were publicly available.
However, the trends in the past years, when we take each browser individually, are not influenced by this.
For Internet Explorer the numbers are:
2007 -> 68
2008 -> 66
2009 -> 58
2010 -> 59
For Firefox they are:
2007 -> 77
2008 -> 93
2009 -> 128
2010 -> 103
For Safari they are:
2007 -> 41
2008 -> 39
2009 -> 70
2010 -> 122
As you can see, Internet Explorer is the only browser showing a descending trend in the last four years. This means that:
- Microsoft did improve security in the latest versions of Internet Explorer
- This is another way to show that Internet Explorer lost market share and the other browsers gained and therefore they become more attractive for hackers and security researchers looking for vulnerabilities
Great comparison, I am so glad to see Microsoft is trying what is possible to make its products better and secure. This information helps any person placed in a situation to decide which OS to use to make the right decision.
Great Work.
Brian
I’m surprised that Google Chrome OS and Chromium OS were not in the list for the most targeted operating systems in 2010.
The United States Computer Emergency Readiness Team stated last January 13, 2011 that “Google Chrome contains multiple vulnerabilities that can allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.”
Although this problem can be fixed through software update, it still proves that the Google Chrome OS is receptive to most OS vulnerabilities.
There is a perception that “As long as it’s not Microsoft then I am safe”. Microsoft has put security at the forefront on their products. Their patch cycle is much more robust than some other companies.