Most vulnerable operating systems and applications in 2014

Discussion in 'other security issues & news' started by ArchiveX, Feb 24, 2015.

  1. ArchiveX

    ArchiveX Registered Member

    Joined:
    Apr 7, 2014
    Posts:
    1,015
  2. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,459
    There are so many inaccuracies there it's not even funny. Failure to distinguish between userspace and kernel bugs for starters...

    Also I'm dubious about the methodology of "let's see who has the most vulnerabilities." That could just indicate more intense bug-hunting. IMO a better measure would probably be the percentage of vulnerabilities rated as critical, as determined by a third party.
     
  3. prius04

    prius04 Registered Member

    Joined:
    Apr 14, 2007
    Posts:
    1,238
    Location:
    USA
    Stupid question time:

    Why would SeaMonkey have fewer vulnerabilities than both Firefox and Thunderbird? :confused:

    I started using the latest version of Thunderbird and Firefox (third-party builds) because I thought they would be more secure than SeaMonkey.
     
  4. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    Assuming that each has been equally tested and the numbers are accurate (which may be quite an assumption in itself), the vulnerabilities may exist in features found in one but not the other. Firefox is seeing a lot of feature creep. SeaMonkey sees a lot less. Unlike Firefox, it doesn't update on a constant basis just to keep pace with Chrome. IMO, that rapid updating increases the chances of major bugs and vulnerabilities slipping by because they aren't allowing enough time to thoroughly inspect and test the code.

    One would have to compare the individual vulnerabilities for each to see which are shared and which are unique to each, then see where each comes from.
     
  5. prius04

    prius04 Registered Member

    Joined:
    Apr 14, 2007
    Posts:
    1,238
    Location:
    USA
    Well, it actually makes perfect sense. Thank you for that. After taking another peek at the numbers, SeaMonkey and Thunderbird are pretty close in terms of the total number of vulnerabilities (again, as you stated, assuming those numbers are even accurate) so I suppose it all does, in fact, come down to the rapid update cycle of Firefox.
     
  6. ArchiveX

    ArchiveX Registered Member

    Joined:
    Apr 7, 2014
    Posts:
    1,015
    Isn't NVD reliable enough? :confused:
     
    Last edited by a moderator: Mar 6, 2015
  7. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    It's a vulnerability database. It contains whatever has been reported to them. If someone reports a Firefox vulnerability, they don't test the same exploit against every other browser in existence. Those who discover the vulnerabilities should do that. SeaMonkey isn't as mainstream a browser as Firefox. It's entirely possible that they didn't test SeaMonkey.
     
  8. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    SeaMonkey code doesn't seem to be popular to exploit. I found none listed since 2010. Three noted here:

    http://www.cvedetails.com/vulnerabi...oduct_id-7048/hasexp-1/Mozilla-Seamonkey.html
    • exploited in the wild in October 2010 by the Belmoo malware.
    • attacks via a Trojan horse dwmapi.dll
    • remote attackers to execute arbitrary code via a large text value for a node
    ----
    rich
     
  9. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    That article is a perfect example of how statistics can be made to say anything that you want them to. Notice how all of the Linux kernel is lumped together while each Windows OS is listed separately. At first glance, it makes Linux look like it's had 3 times as many vulnerabilities. Total the Windows versions together and the results give a completely different view. That said, the listing also shows that some things never change, like Internet Explorer having more total vulnerabilities than any other browser and more critical vulnerabilities than all of the other browsers together.
     
  10. KeyPer4Life

    KeyPer4Life Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    974
    I noticed under top application vulnerabilities Mozilla Firefox is listed as having more vulnerabilities in all categories than Mozilla Firefox ESR, which doesn't subscribe to the same rapid-release cycle. Makes you wonder about Firefox rapid-release updates.

    The same article under UPDATE:
    Either I'm not understanding this correctly or the author of this article posted incorrectly.

    Windows ( 7 OS combined)
    # of vulnerabilities - 248
    # of high vulnerabilities - 168
    # of medium vulnerabilities - 80
    # of low vulnerabilities - 0
     
    Last edited: Feb 26, 2015
  11. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    I'd guess the difference is that many of the Windows versions share the same vulnerabilities. As for the difference between Firefox and Firefox ESR, it's hard to come to any other conclusion besides rapid update produces vulnerable code.
     
  12. KeyPer4Life

    KeyPer4Life Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    974
    That's true. Many Windows security updates can apply to the different Windows OS which could have the same vulnerability. So the number of vulnerabilities quoted in the article is correct? If so then I misunderstood.

    One of the several reasons why I left Firefox was because of the rapid-release cycle they implemented.
     
    Last edited: Feb 25, 2015
  13. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    If one can assume that each OS has been tested with each vulnerability, the numbers might be close. That said, there's another problem with those figures, specifically what is and isn't included in those Windows numbers. They clearly don't include Internet Explorer, even though it's part of Windows. Do they include .NET Framework and other Microsoft wares that are part of all Windows installs? Microsoft likes to claim that Internet Explorer can't be separated from Windows, but then claims that it's not integrated into Windows like IE6 clearly was. AFAIC, if you can't remove Internet Explorer, it's part of Windows and its vulnerabilities are those of Windows. The fact that the majority of Internet Explorer vulnerabilities are rated "high" only confirms that they are integrated.
     
  14. KeyPer4Life

    KeyPer4Life Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    974
    From article:

    Forgot that, but like you said, does this include all Microsoft wares in a Windows install? .NET Framework can be exploited and, if using EMET, has to be installed. The article needs to be more specific in what exactly is vulnerable and separate its findings more clearly.
     
  15. ArchiveX

    ArchiveX Registered Member

    Joined:
    Apr 7, 2014
    Posts:
    1,015
    There is an Article UPDATE (go HERE and scroll further down...)
     
  16. pandlouk

    pandlouk Registered Member

    Joined:
    Jul 15, 2007
    Posts:
    2,551
    Very true.
    Grouping together high, medium and low vulnerabilities is another way to create a false vulnerability statistical report.
    The most vulnerable system is not the one that has the higher total number of vulnerabilities but is the one that has the highest number of critical vulnerabilities...:rolleyes::isay:

    Panagiotis
     
  17. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    I very much dislike articles that use the number of vulnerabilities as a criterion for evaluating the security (or lack thereof) of software. Depending on how you choose to interpret the results, the numbers can be made to say most anything. Their rating system tells you almost nothing. Is their "high" rating the same as the "critical" term others use? One could look at the numbers for the Windows operating systems and conclude that there's no real difference between them. Comparing Firefox to the ESR version, which of these conclusions fit?
    1. The developers care more about the new versions than they do the ESR version?
    2. The new versions have almost twice as many coding errors and bugs as the ESR version?
    3. They're not testing the ESR version for vulnerabilities found in the current versions?
    Without digging way past the numbers, there's no real way to tell.

    As complex as software is anymore, vulnerabilities and bugs are inevitable. The quantity found means very little. What matters IMO is what an attacker can do with those bugs. If the attacker finds a weakness in a browser, how useful is it to him? What does it give him access to or control over? If the bug doesn't lead to anything beyond the application itself, it's minor. If they regularly give an attacker kernel or system level access, the coding is garbage and the application is a security disaster in the making, which brings us to Microsoft code. If one trusts those numbers to have any real meaning, there is one consistent pattern with Microsoft products. For any vulnerability found, there's at least a 2 out of 3 chance that it will be serious. With Internet Explorer, 90% of the vulnerabilities found are serious. Internet Explorer always has been the biggest security liability in Windows, and still is. That's why I strip it out of every PC I have.
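    The counting effects argued over in this thread (summing separate Windows rows versus one lumped Linux kernel row, shared vulnerabilities being counted once per version, and ranking by share of serious findings instead of raw totals) can be shown on a few records. The script below is an added worked example written for this thread; it is not from any post here, from the GFI article, or from NVD. The advisory records, product names and severity labels are constructed placeholders, not real CVE data.

```python
from collections import Counter

# Constructed sample advisories (placeholders, not real CVE data). Each
# record names the products it affects and carries a severity label in
# the high/medium/low style of the figures quoted in the thread.
SAMPLE = [
    {"id": "VULN-0001", "affects": {"Windows 7", "Windows 8", "Windows 8.1"}, "severity": "high"},
    {"id": "VULN-0002", "affects": {"Windows 7", "Windows 8", "Windows 8.1"}, "severity": "high"},
    {"id": "VULN-0003", "affects": {"Windows 8.1"}, "severity": "medium"},
    {"id": "VULN-0004", "affects": {"Windows 7"}, "severity": "medium"},
    {"id": "VULN-0005", "affects": {"Linux kernel"}, "severity": "high"},
    {"id": "VULN-0006", "affects": {"Linux kernel"}, "severity": "medium"},
    {"id": "VULN-0007", "affects": {"Linux kernel"}, "severity": "low"},
    {"id": "VULN-0008", "affects": {"Linux kernel"}, "severity": "low"},
    {"id": "VULN-0009", "affects": {"Browser A"}, "severity": "high"},
    {"id": "VULN-0010", "affects": {"Browser A"}, "severity": "high"},
    {"id": "VULN-0011", "affects": {"Browser B"}, "severity": "low"},
    {"id": "VULN-0012", "affects": {"Browser B"}, "severity": "low"},
    {"id": "VULN-0013", "affects": {"Browser B"}, "severity": "low"},
]

# Constructed product family, standing in for the separate Windows rows.
WINDOWS_FAMILY = ("Windows 7", "Windows 8", "Windows 8.1")


def per_product_totals(records):
    """Naive per-product totals: a vulnerability shared by three Windows
    versions is counted once for each version."""
    totals = Counter()
    for rec in records:
        for product in rec["affects"]:
            totals[product] += 1
    return dict(totals)


def summed_total(records, products):
    """Sum of the naive per-product totals for a family, i.e. what you get
    by adding the article's separate Windows rows together."""
    totals = per_product_totals(records)
    return sum(totals.get(p, 0) for p in products)


def distinct_total(records, products):
    """Distinct vulnerability ids affecting any product in the family;
    a shared bug is counted once, like a single lumped 'Linux kernel' row."""
    wanted = set(products)
    return len({rec["id"] for rec in records if rec["affects"] & wanted})


def severity_share(records, product, serious=("high",)):
    """Fraction of a product's vulnerabilities rated serious: the measure
    several posters prefer over a raw count."""
    affected = [rec for rec in records if product in rec["affects"]]
    if not affected:
        return 0.0
    return sum(rec["severity"] in serious for rec in affected) / len(affected)


def rank_products(records, serious=("high",)):
    """Rank products by raw total and by serious share, side by side."""
    totals = per_product_totals(records)
    by_total = sorted(totals, key=lambda p: totals[p], reverse=True)
    by_share = sorted(totals, key=lambda p: severity_share(records, p, serious), reverse=True)
    return by_total, by_share


if __name__ == "__main__":
    print("per product:", per_product_totals(SAMPLE))
    print("Windows summed:", summed_total(SAMPLE, WINDOWS_FAMILY),
          "| Windows distinct:", distinct_total(SAMPLE, WINDOWS_FAMILY),
          "| Linux kernel distinct:", distinct_total(SAMPLE, ["Linux kernel"]))
    for browser in ("Browser A", "Browser B"):
        print(browser, "serious share:", severity_share(SAMPLE, browser))
    print("ranked by total / by serious share:", rank_products(SAMPLE))
```

    On this data the summed Windows rows give 8 against 4 for the lumped kernel row, while the distinct count is 4 against 4; and Browser B tops the raw ranking with three low findings while Browser A, with fewer findings, has every one of them rated high. Which ordering the article reports is a choice the reader has to check.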
     
  18. tlu

    tlu Guest

    Indeed. A nice example is the latest Thunderbird update. It fixes 5 vulnerabilities marked as "critical" or "high". Now, for 4 out of those 5 vulnerabilities (2015-12 is the only exception) Mozilla adds the following statement:

    So those vulnerabilities are marked as "critical" or "high" because Mozilla is over-cautious (or those bugs were possibly also contained in the Firefox code) although they actually didn't pose a risk for Thunderbird users. Nevertheless, they would have been counted by GFI ...


    Regarding Microsoft, one could also question if they really publish all bugs/vulnerabilities they find in internal audits. Nobody can really verify that due to being closed source but I seriously doubt that they do. Whereas bugs in open source products are never kept secret. That's another reason why such bug counting is utter nonsense.
     
  19. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    Agreed. I also wonder how many are released to 3 letter agencies and never fixed, or fixed much later when someone else finds them. The more interesting question is why are 90% of the Internet Explorer vulnerabilities considered high or critical? Why is the percentage so much higher than other browsers? IE6 was a security disaster because of its integration with the operating system, a situation that they claimed they would remedy. The only conclusion I can come to is that Internet Explorer is much more connected and integrated with the operating system than Microsoft would lead us to believe. Their "fix" appears to be that they've hidden this integration instead of eliminating it. An Internet Explorer vulnerability still results in an exploited system 90% of the time. Nothing has changed but the version numbers.

    I'd also have to wonder about the vulnerabilities Google finds in their own code, how many of them go unreported.
     
  20. KeyPer4Life

    KeyPer4Life Registered Member

    Joined:
    Dec 18, 2013
    Posts:
    974
    Google Fixes 51 Vulnerabilities With Release of Chrome 41.
    13 were considered high-severity and 6 were medium-severity vulnerabilities identified by external researchers.
    Several vulnerabilities have also been discovered by the Chrome Security Team.

    http://www.securityweek.com/google-fixes-51-vulnerabilities-release-chrome-41
     
  21. Yuki2718

    Yuki2718 Registered Member

    Joined:
    Aug 15, 2014
    Posts:
    1,257
    Yup, I also thought the title is misleading, and I don't understand why some people take the simple number of vulnerabilities found as a barometer of a program's security.

    However, one thing I'm impressed about with Windows is that it has added many mitigations against exploits and some other threats after they experienced terrible infections in the XP era.
    Somehow those many mitigations, especially memory mitigations, seem not to have been brought up here, and one problem is they are available only on the latest Windows at that time, but I think in this particular regard Windows is ahead of Linux (I know ASLR was originally introduced in PaX, but speaking generally). Of course it doesn't mean Windows is better against exploits overall; actually most of them are eventually bypassed, but their effort should be correctly acknowledged.
     
  22. tlu

    tlu Guest

    Can you be a bit more specific why you think that? FWIW, this site is an excellent overview of the security features implemented in Ubuntu.
     
  23. Yuki2718

    Yuki2718 Registered Member

    Joined:
    Aug 15, 2014
    Posts:
    1,257
    Thanks for the link, but unfortunately that site doesn't give much detail. I'd appreciate it if you or someone could give more detailed info about Linux memory mitigations (especially against user-mode exploits), as I admit I'm not familiar with them, but to the best of my knowledge Linux doesn't have as many improvements as Windows.
    Also, many of the mitigations listed there are options which the program builder and/or end user have to enable/install (not to mention it includes many other security features like encryption).

    As to compiler options, the GS cookie in Visual Studio has been improved much from 2002 to 2010 as a response to new techniques. And we know SafeSEH as a compiler option evolved into SEHOP as an OS mechanism.

    Matt Miller gives good info around these. e.g.
    http://hick.org/~mmiller/presentations/misc/exploitation_techniques_and_mitigations_on_windows.pdf

    Let's look at heap overflow mitigations (some of them prevent use-after-free). First, Safe Unlinking and the heap entry header cookie were introduced in XP SP2 and Server 2003.
    In Vista:
    - removed the Lookaside List and introduced the LFH
    - heap entry cookie is now XORed with a random number
    - strengthened checksum to detect overflow
    - base address randomization by ASLR
    - function pointers in heap structures are XORed with a random number

    This blog gives info about them and what those mitigations protect against.
    http://hick.org/~mmiller/presentations/misc/exploitation_techniques_and_mitigations_on_windows.pdf

    In Win8, even more improvements were made.
    - bit-map based LFH allocation
    - removed the catch-all exception handling block
    - freeing the heap handle is forbidden
    - CommitRoutine in the heap structure is now encoded with an outer value
    - checking of the extended block header
    - re-allocation of a block in use is forbidden
    - enabled heap encoding in kernel mode
    - LFH block allocation is randomized
    - Guard Page to detect and block heap-based attacks

    http://blogs.technet.com/b/srd/arch...tigation-heap-corruption-vulnerabilities.aspx

    Finally Win10 introduced fine-grained CFI.
    https://www.wilderssecurity.com/threads/exploring-control-flow-guard-in-windows-10.372972/

    I think these are just a reflection of exploit evolution against Windows, but at least at the PoC level there have been many exploit techniques against Linux too, and they (researchers or computer geeks) bypassed all mitigations available on Linux, just like on Windows.

    P.S. I don't understand all of those mitigations.
    P.P.S. Please do not read too much into what I said.
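    Two of the XP SP2/Vista-era checks listed in the post above, the heap entry header cookie XORed with a per-heap random value and safe unlinking, can be modelled in a few dozen lines. The following is an added example written for this thread, not Windows' heap code and not from Matt Miller's slides or the SRD blog; the Entry and FreeList classes and the run_scenario helper are constructed for the illustration, and a real heap does the same checks on raw header bytes rather than Python objects. What the model shows is the defender's side: a free-list entry whose header cookie does not recompute, or whose neighbours do not point back at it, is rejected before the unlink writes through its pointers.

```python
import secrets


class HeapCorruption(Exception):
    """Raised where the real heap would terminate the process."""


class Entry:
    """Model of a free heap block header (constructed for illustration)."""

    def __init__(self, size, heap_secret):
        self.size = size
        # Header cookie: a value derived from the header itself, XORed with
        # a per-heap random secret (the Vista-era change in the list above),
        # so fixed bytes written past a neighbouring buffer will not match it.
        self.cookie = (size & 0xFF) ^ heap_secret
        self.flink = None  # next entry in the free list
        self.blink = None  # previous entry in the free list


class FreeList:
    """Doubly linked free list with a sentinel head, as in a classic heap."""

    def __init__(self):
        self.secret = secrets.randbits(8)  # per-heap random value
        self.head = Entry(0, self.secret)
        self.head.flink = self.head.blink = self.head

    def insert(self, entry):
        """Link a free entry in right after the head."""
        entry.flink = self.head.flink
        entry.blink = self.head
        self.head.flink.blink = entry
        self.head.flink = entry

    def check_header(self, entry):
        """Header cookie check: recompute from the header and compare."""
        if entry.cookie != ((entry.size & 0xFF) ^ self.secret):
            raise HeapCorruption("header cookie mismatch")

    def safe_unlink(self, entry):
        """Safe unlinking: only unlink if both neighbours point back at the
        entry. Without this check the two assignments below would write
        through whatever flink/blink values the header currently holds."""
        self.check_header(entry)
        if entry.flink.blink is not entry or entry.blink.flink is not entry:
            raise HeapCorruption("safe unlinking check failed")
        entry.blink.flink = entry.flink
        entry.flink.blink = entry.blink
        entry.flink = entry.blink = None

    def entries(self):
        """Walk the list from the head and return the live entries."""
        out, cur = [], self.head.flink
        while cur is not self.head:
            out.append(cur)
            cur = cur.flink
        return out


def run_scenario(corruption=None):
    """Build a three-entry free list, optionally corrupt the middle entry's
    header, and try to unlink it. Returns 'ok' or the detection message."""
    fl = FreeList()
    a, b, c = (Entry(size, fl.secret) for size in (32, 64, 96))
    for entry in (a, b, c):
        fl.insert(entry)
    if corruption == "links":
        # Model of an overflow that overwrote b's links with pointers to
        # unrelated memory (constructed; no real memory is touched).
        stray = Entry(0, fl.secret)
        b.flink = b.blink = stray
    elif corruption == "cookie":
        # Model of an overflow that clobbered the header bytes.
        b.cookie ^= 0xFF
    try:
        fl.safe_unlink(b)
    except HeapCorruption as exc:
        return str(exc)
    remaining = fl.entries()
    return "ok" if b not in remaining and len(remaining) == 2 else "unexpected"


if __name__ == "__main__":
    for case in (None, "links", "cookie"):
        print(case or "intact", "->", run_scenario(case))
```

    The cookie check runs first, so a header whose bytes were overwritten never reaches the pointer comparison; the neighbour check then catches the case where only the links were changed. The later items in the list (encoded function pointers, guard pages, randomized LFH allocation) address what this model does not cover, namely corruption that leaves the header and links self-consistent.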
     
  24. guest

    guest Guest

    Control Flow Guard is also available since Windows 8.1 Update 3 iirc.

    With regard to that GFI blogpost:
    In one word: **possibly offensive word removed**

    vulnerability != exploit and far from all vulnerabilities are exploitable.
    Even more, it might take two months of development to write a zero-day exploit for a certain application. (Sometimes just a few days)
     
  25. tlu

    tlu Guest

    Neither do I :D

    I just thought that you might have some insights which could be explained in layman's words ;)

    Just note that on the site I linked to there are relatively detailed pointers to the features mentioned by you (ASLR, heap protection, etc.). On the other hand, Linux offers security features which are not available in Windows (like seccomp, MAC).
     