Most vulnerable operating systems and applications in 2013

http://www.gfi.com/blog/report-most-vulnerable-operating-systems-and-applications-in-2013/

 

Interesting how many vulnerabilities were found in the Linux kernel, but then look at how many of those were medium-low vs Windows' amount of high.

Windows 8's extra mitigations are obviously helping to reduce the amount of medium-low vulnerabilities it has encountered by a massive sum, but the amount of high doesn't seem to have changed much across versions. My bet is weaknesses in legacy code that is affecting all versions of Windows.

 

From the link

# of High vulnerabilities in OS's of 2013

W7 = 55
Vista = 52
XP = 47
W8 = 43

~Removed copyrighted image ~picture can be found here
http://www.gfi.com/blog/report-most-vulnerable-operating-systems-and-applications-in-2013/


So XP not that bad after all

 

I don't see how it's "not that bad at all" for an OS, which codebase hasn't changed in a decade, yet is still getting hit by the same amount of exploits as active operating systems.

I wonder how you will feel when 1 year down the line there will be 45 high rated exploits not patched, then a year after that, 90 high rated exploits not patched, then 135 high rated exploits not patched.

I guess that's "not bad" also..? I suppose I'm preaching to the choir saying this though. Linux is free, move on already.

 

Xp in the hands of a knowledgeable user is as secure as any succeeding version of Windows and much more secure than any OS in the hands of someone who is careless and not knowledgeable in security. Code vulnerabilities that can be exploited are just one aspect of security. I don't know of a chart that of vectors of malware infections and what percentage are caused by what but I would guess that there are far more cases caused by user carelessness and ignorance than exploits.

 

Vulnerability count is one thing. Exploitability is another thing.

XP simply has no ASLR. Heck, there is no proper user vs admin separation. Linux and Windows Vista onwards do. There is no way XP can be as secure. No amount of so-called knowledge can compensate that.

Instead, what knowledge gives is the ability to identify and avoid being a victim of the common malware vectors. Examples include avoiding Java, browser hardening, etc. One aims to reduce likelihood of infection by securing the perimeter. Securing the perimeter can be done on any OS.
One is not the same as the other.

Social engineering is a human problem regardless of OS. One can be smart or be stupid and yet fall for social engineering. It all depends on habits and how much risk one exposes oneself to.

Can one stay safe on XP? Probably. Can you call XP as secure as modern OSes? No.

 

Xp, and all NT based Windows systems, have a proper user/admin distinction. The problem is that MS doesn't set it up for the average user by default. Out of the box, you are in an admin account and it is up to the user to set up a user account with limited privileges. Out of the box security has improved with succeeding versions of Windows but the base is pretty much the same. Most users don't use what the OS has to offer in terms of security. Sys admins that set up business systems do. It takes some knowledge to set up a appropriate file permissions and group policy to secure an Xp system but if it is done right, that Xp system will be far more secure than and Windows Vista,7, or 8 out of the box.

 

Trust me...I know all that. My fault for not making myself clearer. What I meant was there is no User Interface Privilege Isolation and Integrity Levels.

http://wikipedia.org/wiki/User_Interface_Privilege_Isolation
http://blogs.msdn.com/b/vishalsi/ar...erface-privilege-isolation-uipi-on-vista.aspx

http://wikipedia.org/wiki/Mandatory_Integrity_Control
http://msdn.microsoft.com/en-us/library/bb625957.aspx