
Vulnerability mythbuster: Windows, Flash good; Apple, Linux bad

Sourcefire's analysis suggests we've passed Peak Vulnerability, but our perceptions might be warped.

Have we beaten the hackers, at least on one front? The number of discovered and reported software vulnerabilities increased rapidly from 1988 to 2005, peaked in 2006, then started dropping. But they rose again in 2012. A glitch in a real decline? Or a turn for the worse?

Total vulnerabilities per year. Image courtesy: Sourcefire

Dr Yves Younan, senior research engineer with Sourcefire's Vulnerability Research Team (VRT), has analysed the entire CVE and NVD databases, and his research, "25 Years of Vulnerabilities: 1988-2012", will be presented at the RSA Conference in San Francisco on Friday.

"What came as a big surprise to us was that the Linux kernel had the most CVEs reported for it for the 25-year period," Younan told CSO Online. "Another surprise here was that even though [Adobe] Flash Player has a bad reputation for security, it's actually not in the top ten for [total] vulnerabilities."

But simple vulnerability counts can give a distorted view. The Linux kernel is considered to be one monolithic project across the entire period, for example, while every version of Windows is a separate project. The total count of vulnerabilities for all Windows versions exceeds Linux. But then Windows is more than just a kernel. Add in all the software included in Linux distributions, and Linux goes back into the doghouse.

Younan counted just the high-severity vulnerabilities, those with a Common Vulnerability Scoring System (CVSS) score of 7 or higher. Windows XP tops that list. "Windows Vista is at the number five position, even though Microsoft put a lot of effort into securing Windows Vista," he said. "The Linux kernel isn't even in the top ten."

Vista was the first version of Windows to benefit from Microsoft's Security Development Lifecycle (SDL), the software development process created after Bill Gates' Trustworthy Computing memo of January 2002. Yet from the vulnerability perspective, Vista looks like little more than a rough draft of Windows 7.

Counting high-severity vulnerabilities alone, Flash Player is back in the top 10, at number five.

The count of high-severity vulnerabilities doesn't exhibit that 2012 uptick, only the steady post-2006 decline. However, when looking at just critical vulnerabilities, those with a CVSS score of 10, there's no sign of a decline at all.
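The three counting choices discussed above (how products are grouped, a CVSS cut-off of 7 for "high severity", and an exact score of 10 for "critical") are easy to reproduce on a table of CVE records. The Python below is an added illustration, not code from the article or from Sourcefire's research, and it runs over a small constructed set of records with placeholder IDs rather than real CVE data; the product names, scores and years are assumptions chosen so that each ranking flips the way the article describes.

```python
"""Count CVE-style records per product and per year under different
selection rules, to show how aggregation choices change a 'top 10'.

The records below are constructed for illustration and are NOT real CVEs.
Each tuple is (placeholder_id, year, product, cvss_base_score).
"""
from collections import Counter
from typing import Dict, Iterable, List, Optional, Tuple

Record = Tuple[str, int, str, float]

SAMPLE_CVES: List[Record] = [
    ("EXAMPLE-0001", 2005, "Linux kernel", 4.3),
    ("EXAMPLE-0002", 2005, "Linux kernel", 2.1),
    ("EXAMPLE-0003", 2006, "Linux kernel", 4.9),
    ("EXAMPLE-0004", 2006, "Linux kernel", 7.2),
    ("EXAMPLE-0005", 2006, "Windows XP", 9.3),
    ("EXAMPLE-0006", 2006, "Windows XP", 10.0),
    ("EXAMPLE-0007", 2007, "Windows Vista", 7.5),
    ("EXAMPLE-0008", 2007, "Windows Vista", 10.0),
    ("EXAMPLE-0009", 2009, "Windows 7", 9.3),
    ("EXAMPLE-0010", 2010, "Flash Player", 10.0),
    ("EXAMPLE-0011", 2011, "Flash Player", 9.3),
    ("EXAMPLE-0012", 2011, "Windows 7", 4.3),
    ("EXAMPLE-0013", 2012, "Linux kernel", 4.6),
    ("EXAMPLE-0014", 2012, "Flash Player", 5.0),
]

HIGH_SEVERITY = 7.0   # the article's cut-off for "high severity"
CRITICAL = 10.0       # the article's definition of "critical"


def _selected(records: Iterable[Record], min_cvss: float,
              exact_cvss: Optional[float]) -> Iterable[Record]:
    """Yield only the records that pass the score filters."""
    for rec in records:
        cvss = rec[3]
        if cvss < min_cvss:
            continue
        if exact_cvss is not None and cvss != exact_cvss:
            continue
        yield rec


def count_by_product(records: Iterable[Record], min_cvss: float = 0.0,
                     exact_cvss: Optional[float] = None,
                     merge_windows: bool = False) -> Counter:
    """Vulnerabilities per product.

    merge_windows=True folds every 'Windows ...' version into one project,
    mirroring the article's point that Windows-as-one-product outranks
    the Linux kernel while Windows-per-version does not.
    """
    counts: Counter = Counter()
    for _id, _year, product, _cvss in _selected(records, min_cvss, exact_cvss):
        if merge_windows and product.startswith("Windows"):
            product = "Windows (all versions)"
        counts[product] += 1
    return counts


def count_by_year(records: Iterable[Record], min_cvss: float = 0.0,
                  exact_cvss: Optional[float] = None) -> Dict[int, int]:
    """Vulnerabilities per year, in ascending year order."""
    counts: Counter = Counter()
    for _id, year, _product, _cvss in _selected(records, min_cvss, exact_cvss):
        counts[year] += 1
    return dict(sorted(counts.items()))


def ranking(counts: Counter, top: int = 10) -> List[Tuple[str, int]]:
    """Highest count first; ties broken alphabetically so output is stable."""
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))[:top]


if __name__ == "__main__":
    print("all, per version:  ", ranking(count_by_product(SAMPLE_CVES)))
    print("all, Windows merged:", ranking(count_by_product(SAMPLE_CVES, merge_windows=True)))
    print("CVSS >= 7:         ", ranking(count_by_product(SAMPLE_CVES, min_cvss=HIGH_SEVERITY)))
    print("CVSS == 10:        ", ranking(count_by_product(SAMPLE_CVES, exact_cvss=CRITICAL)))
    print("per year, all:     ", count_by_year(SAMPLE_CVES))
    print("per year, CVSS>=7: ", count_by_year(SAMPLE_CVES, min_cvss=HIGH_SEVERITY))
```

On this constructed data the Linux kernel leads the raw count when each Windows version is its own project, the merged Windows entry leads once versions are folded together, and the kernel drops out of the lead entirely under the CVSS-7 and CVSS-10 cuts, which is the shape of the argument in the paragraphs above; the same functions work unchanged on a real NVD export once it is reduced to (id, year, product, score) rows.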

When it comes to smartphones, Apple's iOS has the majority of vulnerabilities. "iPhone had more vulnerabilities than all the other relatively large players combined: Android, BlackBerry and Windows," Younan said.

"One of Android's advantages is that it's based on Linux, so a lot of vulnerabilities have already been fixed," he said. The predicted Android security nightmare hasn't happened. Yet. "Android [vulnerabilities] will probably rise in the next couple of years as they add more features."

Android does suffer from malware, however. "Those aren't necessarily exploiting vulnerabilities. They're just installed by the user. iPhone doesn't suffer from malware as much because of the closed ecosystem of the App Store."

Apple has also implemented mitigation strategies in the last few iterations of iOS, making it harder for vulnerabilities to be exploited, an echo of Adobe's mitigation approach to its Reader software.

Software vulnerabilities aren't the only factor leading to insecure systems, of course. "A Windows XP that's well-maintained would probably have less of a chance of being hacked than a Linux that's been ignored for a couple of years," Younan said.

Contact Stilgherrian at or follow him on Twitter at @stilgherrian





"What came as a big surprise to us was that the Linux kernel had the most CVEs reported for it for the 25-year period,"

Really? Linux came out late 1991, I want to know who reported these CVEs for the missing 3 years?



The biggest misconception about Linux or BSD variants is that we don't need security suites, no decent protection software. This is where people need to be very careful in their thought process: as the popularity grows and people start demanding native applications, as an example, MMOs (massive multiplayer online video games) to be written for both of these operating systems, so too is the security going to need to be upped.

People in Linux and BSD have been living in a utopia up until now, thinking they're impervious to all these threats that nail Apple OS X (Darwin, a fork of FreeBSD) and Microsoft Windows installations, which just isn't true. People need to become a lot more serious about their security. Yes, Linux and BSD are coded better than the Microsoft Windows series is, but that doesn't mean we should rest on our laurels and see where the chips fall; we need to be proactive about our security measures and privacy.



Here is the problem when they speak of CVEs: they didn't say what kernel version and build number they were referring to when they did these reports. Also, we need to know what distribution they were using, because Linus also has source code for the kernels and schedulers inside the kernels. Some distribution organizations or independent developers edit that source code and rebuild the kernel package, so it's not exactly the same as the original kernel source, which in and of itself can cause confusion in the Linux community.

When one source has been forked off and someone makes some minor changes to it to allow easier developing of, say, drivers, to fit his/her idea of what it should be, that can introduce unintentional security holes (exploits) in the code. That much is true, but to go after the Linux community as a whole is a bit problematic for that company.

Yes, it's true we do need to start looking at security suites and the like for Linux, but the fact is that when people report something as serious as this, they need to be very specific.



I largely agree with Alex in Comment 3 (I also agree with Myth in Comment 1 that 22 != 25, but I digress). Without knowing which kernels had which CVEs reported against them, which distros shipped with those kernels, how many people used the vulnerable kernel and the averages of people updating on install... 'simply' citing the Linux CVEs is practically meaningless.
