Who's riddling Windows PCs with gaping holes? It's your crApps

Nearly nine out of ten security vulnerabilities in Windows computers last year were the fault of popular third-party applications, as opposed to Microsoft's own software. That's according to security biz Secunia, which analysed flaws found in the most-used 50 Windows programs - 29 from Microsoft (including its operating system …

COMMENTS

This topic is closed for new posts.


Silver badge
WTF?

Re: 9 out of 10 ???

Given that there are probably 3 or 4 orders of magnitude more 3rd party apps than there are Microsoft's own efforts, I find it rather worrying that MS still - if the report is to be believed - manages to provide 10% of these vulnerabilities.

0
1
Anonymous Coward

Re: 9 out of 10 ???

But the 10% was based on 60% of the apps in the list being looked at being from Microsoft...

0
0
Anonymous Coward

Anti-trust much?

"The biz collected the figures from anonymised data gathered from system scans by the millions of users of Secunia's patch management software, Personal Software Inspector."

How is that any different from malware digging through your installed software for future attacks and data slurps? Anonymised or not, it's still a breach of privacy.

0
3
Anonymous Coward

Re: Anti-trust much?

Erm - but this is by choice - and it automatically downloads and patches all of your 3rd party software. I use it - great tool.

2
0
Anonymous Coward

Re: Anti-trust much?

I guess everyone agreed to it when they skipped the Ts&Cs...

0
1
Anonymous Coward

Re: Anti-trust much?

Two things - Anti-Trust is not "a company is not trustworthy" as you seem to think, it's about preventing companies forming trusts and controlling the market through their dominance.

Also, the difference between Secunia's tool and malware is that with Secunia you agree to them scanning your system and using the data.

2
0
Anonymous Coward

Re: Anti-trust much?

I wonder if someone can sneak in a "You're obliged once you agree to this ToS to surrender your first born to <company name>" clause; probably Google could get away with it.

0
0
Anonymous Coward

Re: Anti-trust much?

They could, but they'd be foolish to as it would constitute an illegal contract and (IANAL) I think would invalidate the whole contract.

0
0

Re: an illegal contract and

Close but not quite.

It would be an illegal condition of the contract and as such that condition would be struck, but usually not the entire contract. In order for the whole contract to be struck, the court would have to determine that removing the condition would make the rest of the terms of the contract unenforceable.

A more interesting problem is that in order for a contract (and therefore a contract to issue a license) to be issued, something of value must be exchanged between the parties. Now, while I assume that in the case of updates to MS software the "free" downloads could be considered modifications to the original, it is an interesting conundrum for other free downloads like Reader, Flash, and Java.

0
0
Silver badge
Childcatcher

Re: Anti-trust much?

A slight correction: it will automatically download and patch all the 3rd party software that it has in its db and that you have allowed it to handle automatically. I have run into a few cases where it did not recognize an app. It will also notify you of Windows patches needing to be updated, though it will point you to the MS Update site. It can be configured to prompt for install rather than run automatically. It will not look for or install all updates, only those that have to do with security. Finally, you can exclude an application if you for some reason do not wish it to be scanned for updates.

This is not to say that there is anything wrong with the application. I have used it for years and plan on continuing to do so. In fact, I appreciate that I have these choices available. I set automatic installs up for my family who live hundreds of miles away (cuts down on unpaid, after hours support calls), but review updates on my own system before installing.

0
0
Bronze badge
Mushroom

.net?

.net - isn't that a suite of addon shit that takes longer to install than a full OS, has more potential for updates failing than an HP printer driver, and most people haven't got a clue why it's on their system in about 5 entries in Programs & Features? And isn't it just basically an API for Windows APIs, in other words should have been part of the OS in the first place? Or am I wrong about that too?

And Java? Unless there's a specific application, you just don't need it. So some goofy websites don't work. Better than the whole OS being broken due to a drive-by virus download!

4
2

This post has been deleted by its author

Anonymous Coward

Re: .net?

You are wrong about most of that. Since when did you hear of a critical .Net vulnerability being exploited in vast numbers like the Java ones are? Considering .Net is on every Windows PC, it would be a massive target if it was an issue.

About the only thing that is correct is that it takes a long time to install and to update. There are good design reasons (and fixes) for that: http://support.microsoft.com/kb/2570538

1
5

Re: .Net vulnerability being exploited in vast numbers like the Java ones are

You are comparing the wrong things, a platform against a language. A fairer comparison in respect of the Java security issues would be Silverlight and applets. Other Java platforms/deployment environments are not affected, only applets.

1
0
JDX
Gold badge

Re: .Net vulnerability being exploited in vast numbers like the Java ones are

As a developer, .net (well C#) is bloody lovely.

2
3
FAIL

Re: .net?

Yep, you're wrong on just about everything you said.

First off, there haven't been many updates and of those I haven't seen any fail. Second, no, it doesn't put crap in your Programs and Features area. It's not just a wrapper on the Windows APIs, and it has been included since Win7. It's also unlikely someone would even know it's on their system. Quite frankly I'm pretty sure you don't know what .net is.

You are right about Java though.

0
1
Trollface

of course C# is lovely

... given it's basically pirated Java. It does some stuff better language-wise, but it suffers from being tied to MS platforms.

0
2
JDX
Gold badge

Re: of course C# is lovely

They pirated an open specification? Good one. I suppose D pirated C++ and C++ pirated C?

C# is way better than Java these days.

2
3

The numbers are misleading

Although I buy into one of the central messages of this article (apps are as much a source of vulnerability as the underlying OS), the numbers are misleading: they refer only to known issues. What the total number is (i.e. including the actual, but as yet unknown, issues) is anybody's guess. And anybody does have a habit of guessing, doesn't he?

1
0
Holmes

crApps

Don't those same crApps run on Linux too? I have Java and Flash ... no issues here ... what's the difference?

1
1
Anonymous Coward

Re: crApps

Market share on the desktop. <1% versus 90%. No one bothers to target Linux.

If you look at OS-X - which has far more security holes than Windows - that only started getting attacks once it hit ~ 5% market share.

If you look at a market where Linux is actually used like web hosting - it gets successfully attacked far more than any other OS.

2
4
JDX
Gold badge

Re: crApps

Good point about servers... how often do we see Linux servers compromised via vulnerabilities in PHP, WordPress, and other 3rd party applications? In the web world, admins are already aware that keeping those apps updated is super-important.

2
3

@AC

Market share on the desktop. <1% versus 90%. No one bothers to target Linux.

Change this song, won't you? Why aren't you *blaming* GNU/Linux platform diversification, e.g.?

As for the "<1%" thing. First, suggest that Microsoft and OEMs stop bundling and imposing their OS, to dilute that 90% figure. Also, please reveal the law governing this correlation here? Linear, polynomial, logarithmic or doubly logarithmic? There is still no analogue of Stuxnet, LoveLetter, Conficker that could spread and self-replicate on GNU/Linux on a portion of those millions of affected units?

If you look at OS-X - which has far more security holes than Windows - that only started getting attacks once it hit ~ 5% market share.

That's certainly not true. I do hate Apple more than Microsoft, however you can't blame their vulnerability holes for the Flashback fiasco (the only one we know). It's Java that was moronically unpatched for 6 months, Apple's retarded managers, not the sheer numbers of vulnerabilities.

As before, vulnerabilities should be assessed according to their weight and the volume of the sample, the software. In that regard, a remote arb. code execution is many times heavier than a DoS issue requiring a physical presence and a user account, similar to those that were just being patched on Tuesday. Or, look here for instance. Sometimes, one doesn't need to exploit vulns, at all, use some OS "features" instead, like AutoRun, file extensions acting as file permissions, lack of secure repositories etc.

When you try comparing a 42-gig-strong average full GNU/Linux distro carrying millions of packages (of which only a few percent are installed, on average) with a few Microsoft products, this is pretty sloppy actuarial math (trust me, with a 10/10 result on the 2006 P1 actuarial exam).

- it gets successfully attacked far more than any other OS.

And where can I read a reliable source producing these statistics? Thanks.

1
0
Silver badge
Mushroom

Re: @AC

Not quite sure what your point is, but the fact is that pretty much no one uses Linux on the desktop regardless of if you agree with the 90% number for Microsoft or not.

That certainly is true - Secunia shows 1,840 vulnerabilities for OS-X versus about 450 for Windows XP - Microsoft's highest vulnerability OS ever. The studies by Jeff Jones show that Apple OS-X has more critical vulnerabilities that on average take longer to get patched than Windows.

Jeff Jones also did comparisons with 'package adjusted' Enterprise Linux distributions versus Windows and the same is true - more vulnerabilities with more days at risk on Linux. This has been the case every year since 2004.

Here are some statistics for you based on public records and 1.5 million incidents: http://www.zone-h.org/news/id/4737

1
2
Silver badge
Mushroom

Re: @AC

"There is still no analogue of stuxnet, Loveletter, conficker that could spread and self-replicate on GNU/Linux on a portion of those millions of affected units" - there have been a number of previous Linux based worms that self replicated. Just Google 'Linux Worm'

0
2

Re: @AC

It wasn't me that actually downvoted your comment; however, I cannot agree with your claims.

1) not arguing the numbers, however they might be different.

2) as far as Apple is concerned, their decision to let an exploitable version of Java linger on users' machines (when it shouldn't have been there in the first place, even patched) is what Apple's managerial position, and proprietary attitude, is all about. Yet, it has nothing to do with the overwhelming number of "supposed" vulnerabilities, while in the case of MS we can recall Stuxnet (and its kin), Conficker etc.

3) the defacement statistics look pretty fishy, and this is why:

a) 1,126,987 a year means 1126987/(365*8*60^2) = .107 per second, or about 1 every 10 seconds (taking a typical 8-hour work day). This is only for Linux systems; there are more. And it's a human task, you can't automate it, since you have to verify the actual defacement took place, not like the stats done by Netcraft, for instance.

So the numbers are most probably exaggerated.

b) even if you know the numbers are accurate, how would you know what system each defaced system runs? The Netcraft database could be used, but still, there should be unknown ones, since some don't publish their HTTP tokens (or do it only partly). Both OS and server, yet they have finely grained stats, where every vendor seems to be represented, pretty strange.

c) and even if b) is right, getting to know what exactly was used as an exploit would be even more challenging; you have to verify the CMS and kernel version for each case. In the Windows case it would be easier, since there is much less variation... Unless the victims find out and report to you, or the perpetrators do it and you buy their claims.

I can't really buy these numbers, sorry.

0
0
Anonymous Coward

Re: @AC

"I can't really buy these numbers, sorry." - provide some better ones then. Zone-H is well established and respected. There is no evidence that these numbers are unreliable.

0
1
Silver badge
Megaphone

Add EMET3.0 into the mix

It keeps tabs on third party stuff if it tries to act up in a naughty way.

Just shuts the sucker down if it does.

Don't know why MS doesn't roll it out as standard fit really. I'm putting it into all my customer builds and no issues so far.

http://blogs.technet.com/b/srd/archive/2012/05/15/introducing-emet-v3.aspx

1
0
Anonymous Coward

Re: Add EMET3.0 into the mix

They probably will do once they are sure it doesn't break too much. It does stop some (badly written) stuff from working...

0
0
Silver badge

Re: Add EMET3.0 into the mix

Well this is it. But if it stops a bit of shareware from 2003 working I don't see the issue. The needs of the many...

As a side note it doesn't work too well with Office 2003 and earlier if you switch on all the configurations for each of the Office apps. So basically they were not written to conform to modern memory security policies.

However, if you load up the All profile for the applications then it configures the correct settings for Office so you don't get any issues.

0
0

I can't remember how many arguments/discussions I've had with people who claim that they don't need Anti-malware controls because they use Chrome so they are safe (most of these people claim to be developers).

My argument that all web browsers are full of vulnerabilities has been proved correct once again.

[Smug Mode engaged]

2
0
Anonymous Coward

Chrome has loads more vulnerabilities than IE.

0
1
Silver badge
Facepalm

90% of Those Were...

... screensavers, clever mouse pointers, kids apps and pron.

0
0

Would Love To Delete Java and Flash

But I can't. At least not Java, Serviio doesn't work without it and using Windows' abortion of an attempt at media serving is not something I can be bothered with. Having said that tho, it is easy to configure Java to not be available to browsers. You can do it right from its own configuration app, so that works for me. Flash can go without any pain whatsoever tho; unfortunately, too many official documents (government agencies, HR departments, etc.) use PDFs, so getting rid of that is not as easy. Sure you can get around it, but that requires work and I always thought that the whole idea of a computer was to make life easier, not more complicated.. oh wait.. I see what I did wrong there..

One final thought..does that mean S.Jobs was actually right about something? *slaps forehead* never thought I'd see the day..

1
0
Silver badge
Windows

Actually exploited vulnerabilities though...

Our research shows 90% of the vulnerabilities exploited to compromise our honeypots are in Microsoft products.

1
1
Silver badge
Windows

Re: Actually exploited vulnerabilities though...

Sadly, figures from the department of "made up statistics with zero supporting evidence" don't count for much round here....

Icon because I am and I like it. Well, 7 at any rate. Not 8 though.

0
0
IT Angle

Microsoft insecurity ..

"Nearly nine out of ten security vulnerabilities in Windows computers last year were the fault of popular third-party applications, as opposed to Microsoft's own software."

A bug in third-party applications should not lead to a compromise in the underlying Operating System, unless the underlying Operating System software is defective in some fundamental aspect!

2
1
Anonymous Coward

Re: Microsoft insecurity ..

"A bug in third-party applications should not lead to a compromise in the underlying Operating System, unless the underlying Operating System software is defective in some fundamental aspect!" - that must be why so many more Linux servers than Windows ones get hacked through holes in 3rd party software then? Linux is 'more defective' than Windows?

0
1

CrAPP policies and practices

Microsoft and its supporters just cannot seem to get good news about all the security and reliability problems in its software. This is unfortunate for them (both), but was somewhat predictable from the business/technology strategy taken by the company many years ago, when it chose not to start from scratch to create a truly superior Operating System (OS) software, but instead kept patching and making superficial improvements to the same tired, old OS so that billions of dollars in applications investment won't be lost.

This is one time when Microsoft may be reaping the consequences of excessive greed, oppressive (and sometimes illegal) business practices against all others, lack of innovation and weak software technology skills, and laziness.

2
0
Anonymous Coward

Re: CrAPP policies and practices

Microsoft actually had lower security vulnerability counts than competing software (OS-X, Enterprise Linux distributions) every year since 2004!

0
1


Biting the hand that feeds IT © 1998–2017