Firefox, Adobe top buggiest-software list


DKT27

  • Administrator

Firefox, Adobe top buggiest-software list

Firefox was the application that had the most reported vulnerabilities this year, while holes in Adobe software more than tripled from a year ago, according to statistics compiled by Qualys, a vulnerability management provider.

Qualys tallied 102 vulnerabilities that were found in Firefox this year, up from 90 last year. The numbers are based on running totals in the National Vulnerability Database.

However, the high number of Firefox vulnerabilities doesn't necessarily mean the Web browser actually has the most bugs; it just means it has the most reported holes. Because the software is open source, all holes are publicly disclosed, whereas proprietary software makers, like Adobe and Microsoft, typically only publicly disclose holes that were found by researchers outside the company, and not ones discovered internally, Qualys Chief Technology Officer Wolfgang Kandek said late on Wednesday.

Meanwhile, Adobe took the second-place spot from Microsoft this year. The number of vulnerabilities in Adobe programs rose from 14 last year to 45 this year, while those in Microsoft software dropped from 44 to 41, according to Qualys. Internet Explorer, Windows Media Player and Microsoft Office together had 30 vulnerabilities.

A shift in focus

The numbers illustrate the trend of attackers turning their focus away from operating systems and toward applications, Kandek said.

"Operating systems have become more stable and harder to attack and that's why attackers are migrating to applications," he said. "Adobe is a huge focus for attacks now, around 10 times more than Microsoft Office. However, other widely used targets like Internet Explorer and Firefox are still far from secure."

Research from F-Secure earlier this year provides further evidence that holes in Adobe applications are being targeted more than Microsoft apps. During the first three months of 2009, F-Secure discovered 663 targeted attack files, the most popular type being PDFs at nearly 50 percent, followed by Microsoft Word at nearly 40 percent, Excel at 7 percent, and PowerPoint at 4.5 percent.

That compared with Word representing nearly 35 percent of all 1,968 targeted attacks in 2008, followed by Reader at more than 28 percent, Excel at nearly 20 percent, and PowerPoint at nearly 17 percent.

As a result, Adobe needs to respond the way Microsoft did in 2002 when it launched its Trustworthy Computing initiative, and make securing its software a company-wide priority, researchers say. F-Secure even recommended that people stop using Reader and use an alternative PDF reader.

Adobe has taken some action, announcing in May that it would release its security updates on a regular schedule, quarterly and coinciding with every third Microsoft Patch Tuesday.

Another study released this week focuses on which applications are the riskiest to users. Based on the most severe vulnerabilities in popular applications that run on Windows and which are not updated automatically, Firefox again tops the list, followed by Adobe Reader and Apple QuickTime, according to Bit9, a provider of application whitelisting technology.

The list of risky software compiled by Bit9 based on the National Vulnerability Database also includes Java, Flash Player, Safari, Shockwave, Acrobat, Opera, Real Player, and Trillian. Last year, the Bit9 list of the most risky apps included Skype, Yahoo IM, and AOL IM, but those three were not on this year's list.

Not included on the list are programs from Microsoft and Google because of the ability for users of their software to have patches installed automatically. Microsoft software can be automatically and centrally updated via the Microsoft Systems Management Server and Windows Server Update Services, and Google Chrome is automatically updated when users are on the Internet, Bit9 said.

The lists do not take into account the amount of time it takes for companies to release patches, particularly when there is an exploit in the wild. Bit9 noted that Microsoft Internet Explorer was given an "honorable mention" because of a zero-day vulnerability related to ActiveX that went unpatched for three weeks in July.

Microsoft isn't alone in taking longer than customers would like to fix holes. In March, Adobe released a patch for a zero-day vulnerability in Reader and Acrobat--about two weeks after it was disclosed to users and nearly two months after exploits had been discovered in the wild.

Adobe customers will have to wait about a month for a fix to the latest critical zero-day hole in Reader and Acrobat. The company announced on Wednesday it would not patch the vulnerability until its next scheduled quarterly security update release on January 12.

Source - CNET

However, the high number of Firefox vulnerabilities doesn't necessarily mean the Web browser actually has the most bugs; it just means it has the most reported holes.

Exactly. How many vulnerabilities are companies like Microsoft and Adobe hiding from us?

F-Secure even recommended that people stop using Reader and use an alternative PDF reader.

Foxit Reader and Foxit Phantom here we come! :)

Bit9 noted that Microsoft Internet Explorer was given an "honorable mention" because of a zero-day vulnerability related to ActiveX that went unpatched for three weeks in July.

I think that should have been dishonorable mention. :D

In March, Adobe released a patch for a zero-day vulnerability in Reader and Acrobat--about two weeks after it was disclosed to users and nearly two months after exploits had been discovered in the wild.

Adobe finally fixed Reader and Acrobat two months after exploits were found in the wild? :huh: I'm sticking with Foxit Phantom on Windows 7 and I'm going to uninstall Adobe Acrobat Pro on my Windows XP machine and install Foxit Phantom.



  • Administrator
I think that should have been dishonorable mention.

:rofl:

@Biz: True.

Even with FF being buggy as this article says, they fix it really fast. ;)



I think they made it incompatible with FF, therefore the lists of "bugs" manifested.

That's how business works. Destroying each other without them noticing. Lol.



I hope they do fix it soon.

I have a rough time using FF these days,

especially betas.

Humans make mistakes, but the best recover fast.



  • Administrator

Well, many people would remember that I had a problem with FF hanging my PC when I closed it. I forgot to mention that the problem was solved. It was my mistake. I had set the priority of Firefox above normal in my task manager. Once I set it back to normal, my problem was solved. ;)



  • Administrator

Yeah, I tried it. But it was itself hogging my PC. :lol: Really.



  • Administrator

Nah. Nothing. Nope. Never. I had kept it running and my PC was slow. Then I found out that it was the one that made it slow. It must be great. But it's too advanced for my PC. :lol:



Firefox is open-source, so it's natural a lot of vulnerabilities are discovered and patched.

Most closed-source software, on the other hand, is less safe if you look at it this way.



Archived

This topic is now archived and is closed to further replies.
