Windows XP and Firefox browser amass worst vulnerability record over past 25 years

Both have more than 400 recorded vulnerabilities

In a look at the number of vulnerabilities recorded over 25 years in software products and open source, a researcher at Sourcefire has determined that Microsoft Windows XP and the Mozilla Firefox browser stand out as the two with the largest number of high-severity vulnerabilities.

Windows XP has had 453 while Firefox has had 433 vulnerabilities rated high and critical based on the Common Vulnerabilities and Exposures (CVE) database and the second source for the statistics, the National Vulnerability Database from the National Institute of Standards and Technology (NIST). High-severity vulnerabilities mean attackers can potentially fully compromise the user's machine. The total number of vulnerabilities for all the products and open-source software that has accumulated over 25 years has hit 50,000, according to Sourcefire, which is discussing the results of its research at the RSA Conference this week.

[MORE: 13 of the biggest security myths busted]

[MORE: Feds offer $20M for critical energy network cybersecurity tools]

In the 25 years of recorded vulnerabilities examined this way, there was peak of 6,612 vulnerabilities in 2006 but the worst year overall for high-severity ones was 2007 at 3,159 out of a total of 6,518, says Dr. Yves Younan, senior research engineer on Sourcefire's vulnerability research team.

There was a notable decline in annually-recorded vulnerabilities until 2010. In 2012, a total of 5,281 vulnerabilities were recorded. The good news is that for the first time ever, high-severity vulnerabilities only make up 33% of the vulnerabilities assigned CVEs; in the previous decade the average was 45%.

When it comes to smartphones, "the Apple iPhone by far has the most vulnerabilities reported for it," Younan says. The iPhone has seen 210 vulnerabilities while Google Android logs in at 24, Windows Mobile at 14 and BlackBerry at 11.

When it comes to the type of vulnerabilities in general for everything, the category of "buffer overflows" is the most predominant at 7,006 occurrences, with cross-site scripting a close second. Buffer overflows are also more likely to have a high-severity rating, with catastrophic consequences leading to wholly compromised networks after an attack. Last year, though, "access-control issues reigned supreme."

Sourcefire's report on 25 years of vulnerabilities also tackles what it acknowledges as a "controversial topic" reviewing vulnerabilities by vendor and open-source software grouping.

According to the report's analysis, the "10 worst offenders" from top down were: Microsoft; Apple; Oracle; IBM; Sun (acquired by Oracle); Cisco; Mozilla; Linux; HP; Adobe. In terms of limiting the rankings to just high-severity vulnerabilities, the list is similar, with Microsoft at the top, and Google added into the group and "Linux" dropped.

Sourcefire acknowledges that some may argue with its analysis here. The "Linux kernel" had the most CVEs reported for it at 937, but the "various iterations of Windows are considered different products, while Linux is considered a single product and Mac OS X are considered three products, which further skews the data." But Sourcefire says by combining the CVEs for all versions of Windows except the mobile ones, Windows is pinned with 1,114 vulnerabilities. Doing something similar for Linux as it did for Window by adding CVEs assigned to major vendors like Ubuntu and Red Hat, the Linux count goes to 1,752 vulnerabilities. Mac OS comes out at a total of 827.

For high-severity vulnerabilities, the product Windows XP earns the dubious position of the No.1 spot. "What's also interesting here is that of the top four browsers that have a total of 90% of the browser market share, Firefox has the most vulnerabilities in every category, followed by Chrome, then Internet Explorer and finally Safari," the report concludes.

Ellen Messmer is senior editor at Network World, an IDG publication and website, where she covers news and technology trends related to information security. Twitter: MessmerE. E-mail:

Read more about wide area network in Network World's Wide Area Network section.

Join the CSO newsletter!

Error: Please check your email address.

Tags National Institute of Standards and TechnologysourcefireMicrosoftsecuritysoftwareWide Area Networkmozilla

More about Adobe SystemsAppleBlackBerryCiscoCisco SecurityCisco SecurityGoogleHPIBM AustraliaIDGLinuxMicrosoftMozillaOracleRed HatRSATechnologyUbuntu

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Ellen Messmer

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts