Jan 05 2017

Looking for Truly Vulnerable Software? Check Out This List!

Every year, IT security pros of all experience levels greet the arrival of what could sarcastically be dubbed the "Golden Raspberry Awards of Software": the list of software products with the most security holes in them, as recorded by the Mitre Corporation in its Common Vulnerabilities and Exposures (CVE) database in the year leading up to the list's publication. The winner of the 2016 Un-Award for Most Bugs Reported was Android, with a whopping 523 distinct vulnerabilities logged in the CVE database.

According to a Top 50 (sic!) list published by CVE Details (an independent website, not part of Mitre, that aggregates CVE entries and the NVD's per-entry details into per-product and per-vendor statistics), Google's mobile OS "won" last year's contest by a great margin, leaving behind Debian Linux and Ubuntu Linux, which came in second and third with 319 and 278 vulnerabilities respectively. Adobe's Flash Player ranked fourth with 266 bugs, followed by a product listed as "Novell Leap" (openSUSE Leap, the distribution's stable branch, which the NVD files under the vendor name Novell) with 259. Positions 6 through 9 went to openSUSE itself (listed separately from Leap), Acrobat Reader DC, Acrobat DC and Acrobat, all with around 225 vulnerabilities. The Linux kernel finished tenth, with 216 bugs.

At first sight, these results seem to confirm the notion (or prejudice) that open source solutions are less secure by design than traditional, closed-source software. But like many other charts the CVE Details list leaves lots of room for interpretation. First, it ranks operating systems alongside applications, which is somewhat unfair: a Linux distribution is credited with a CVE for every package it ships, so a single kernel or library bug shows up in the tally of the kernel and of each distribution that packages it, whereas a legacy application like Flash or Acrobat is credited only with its own bugs. The raw count also says nothing about severity, exploitability or how quickly a fix reached users. Second, when grouped by vendor, the results indicate that traditional software houses have unleashed more bugs on an unsuspecting public than their open source counterparts: here, Adobe took the crown with 1,383 vulnerabilities, followed by Microsoft with 1,325. By contrast, Google ranks as a very distant third with a total of "only" 695 security gaps, despite its involvement in numerous open source projects. Somewhat surprisingly, Apple took fourth place in the "vendor contest" with 611 vulnerabilities, more than one third of which (215) resided in recent editions of Mac OS X (now macOS).
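To make the double-counting effect concrete, here is an added example (not code from the article, from CVE Details or from Mitre) that builds per-product and per-vendor tallies the way a CVE aggregator does, from the affected-product list attached to each entry. The records are constructed for this illustration: the identifiers (EX-0001 and so on), the CVSS scores and the product lists are invented and do not correspond to real CVE entries. It shows how one kernel bug is credited to the kernel and to every distribution that ships it, how a severity threshold changes the picture, and how far the per-product table over-counts the distinct entries behind it.

```python
"""Why raw per-product CVE counts mislead: one bug, many product credits.

Sample records are constructed for this example (not real CVE entries);
their shape loosely follows the NVD feed: one entry, one CVSS score and a
list of affected (vendor, product) pairs as found in CPE names.
"""
from collections import Counter

SAMPLE_RECORDS = [
    # A kernel bug: credited to the kernel and to every distro that packages it.
    {"id": "EX-0001", "cvss": 7.8,
     "products": [("linux", "linux_kernel"), ("debian", "debian_linux"),
                  ("canonical", "ubuntu_linux"), ("opensuse", "leap"),
                  ("google", "android")]},
    {"id": "EX-0002", "cvss": 5.5,
     "products": [("linux", "linux_kernel"), ("debian", "debian_linux"),
                  ("canonical", "ubuntu_linux")]},
    # A library bug in a package two distros ship.
    {"id": "EX-0003", "cvss": 9.8,
     "products": [("gnu", "glibc"), ("debian", "debian_linux"),
                  ("canonical", "ubuntu_linux")]},
    # Application bugs that belong to one product each.
    {"id": "EX-0004", "cvss": 9.8, "products": [("adobe", "flash_player")]},
    {"id": "EX-0005", "cvss": 9.8, "products": [("adobe", "flash_player")]},
    {"id": "EX-0006", "cvss": 4.3, "products": [("adobe", "acrobat_reader_dc")]},
    {"id": "EX-0007", "cvss": 3.1, "products": [("google", "android")]},
    {"id": "EX-0008", "cvss": 7.5, "products": [("google", "android")]},
]


def count_by_product(records):
    """Aggregator-style count: each entry is credited to every product it lists."""
    counts = Counter()
    for rec in records:
        for key in set(rec["products"]):
            counts[key] += 1
    return counts


def count_by_vendor(records):
    """Vendor view: an entry counts once per vendor, however many of its products it hits."""
    counts = Counter()
    for rec in records:
        for vendor in {v for v, _ in rec["products"]}:
            counts[vendor] += 1
    return counts


def high_severity_by_product(records, threshold=7.0):
    """Per-product count restricted to entries at or above a CVSS threshold."""
    counts = Counter()
    for rec in records:
        if rec["cvss"] >= threshold:
            for key in set(rec["products"]):
                counts[key] += 1
    return counts


def inflation_factor(records):
    """Average number of product credits per distinct entry.

    1.0 means no double counting; anything above it means the per-product
    table sums to more "vulnerabilities" than there are distinct entries.
    """
    credits = sum(len(set(rec["products"])) for rec in records)
    return credits / len(records)


def distinct_ids(records, vendor, product):
    """Set of entry ids credited to one product, to see what two products share."""
    return {rec["id"] for rec in records if (vendor, product) in rec["products"]}


if __name__ == "__main__":
    by_product = count_by_product(SAMPLE_RECORDS)
    severe = high_severity_by_product(SAMPLE_RECORDS)
    for key, n in by_product.most_common():
        print(f"{key[0]}/{key[1]}: {n} entries, {severe[key]} of them CVSS >= 7.0")
    print("by vendor:", dict(count_by_vendor(SAMPLE_RECORDS)))
    print(f"inflation factor: {inflation_factor(SAMPLE_RECORDS):.2f}")
    shared = (distinct_ids(SAMPLE_RECORDS, "debian", "debian_linux")
              & distinct_ids(SAMPLE_RECORDS, "linux", "linux_kernel"))
    print("kernel entries also credited to Debian:", sorted(shared))
```

On these constructed records Debian ends up with a higher raw count (3) than Flash Player (2) without a single bug in Debian's own code, and the eight distinct entries generate sixteen product credits, an inflation factor of 2.0. Applying a severity threshold narrows the gap, which is why a practitioner reading such a table should look at distinct entries, severity and shared components rather than the headline number.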

Another reason why the CVE Details Top 50 list may offer a slightly distorted view is that open source projects are usually more open about the mistakes their coders make and quicker to fix them, provided they have enough developers and money at their disposal. Adobe, Microsoft and others, on the other hand, have often been blamed for being slow to publish information about critical security issues or, worse, for sitting on issues in the hope that they fade from view. Meanwhile, Google has to grapple with the unwanted side effects of code fragmentation: a large chunk of the problems that made Android the most vulnerable software of 2016 resulted from the company's rather liberal code regime, i.e. its willingness to let smartphone and component manufacturers as well as carriers add their own apps and drivers and run their own update/upgrade cycles. As a result, in early December more than seven in ten devices that visited the Google Play Store (70.8%, according to Google's own platform-version dashboard) were running Android versions released between July 2012 and March 2015 (Android 4.1 through 5.1), which are therefore outdated and unpatched.

For more details, see Richard Chirgwin's piece at The Register.
