Who's riddling Windows PCs with gaping holes? It's your crApps

Nearly nine out of ten security vulnerabilities in Windows computers last year were the fault of popular third-party applications, as opposed to Microsoft's own software. That's according to security biz Secunia, which analysed flaws found in the most-used 50 Windows programs - 29 from Microsoft (including its operating system …

COMMENTS

  1. Anonymous Coward

    Delete Java

    It has no business being installed on a client PC; its home is a server.

    Java UIs are as ugly as sin, buggy in general (never mind security exploits) and platform specific, bloated monstrosities. The only place to have Java is off on a server somewhere doing heavy lifting for business processing. And even then, there's good argument to not use it as there are other, much more flexible and scalable options.

    1. Anonymous Coward

      Re: Delete Java

      Yet another, well I don't need it idiot...

      Ok I'll listen to you and delete Java,

      Then put my feet up as I can't do a huge chunk of my job. I'll tell the directors that our multi-million pound contracts can't be supported, but it's ok as I've been told I don't need it.

      1. Grant 5

        Re: Delete Java

        Maybe change that to "If at all possible delete that sh$t". I've not had it installed for years and have never missed it; unfortunately it is still required in places.

      2. Anonymous Coward

        Re: Delete Java

        You could port it to .Net and ditch all of those security and performance headaches...

        1. Anonymous Coward

          Re: Use .Net

          >> ditch all of those security and performance headaches.. <<

          and get some new ones....

          1. Anonymous Coward

            Re: Use .Net

            "and get some new ones...."

            But far fewer of them.

            1. Anonymous Coward

              Re: Use .Net

              More likely they get patched quicker as Microsoft is on the ball, Oracle don't give a toss.

          2. VaalDonkie

            Re: Use .Net

            Or maybe some of us just want to finish a project before Jesus returns. See, the reason companies choose C# or Java over C++ is that by the time you've finished arguing over the right memory-management policy, we've already prototyped most of the project and are relaxing at the pub. It's a question of productivity.

            1. Anonymous Coward

              Re: Use .Net

              "See, the reason companies choose C# or Java over C++ is that by the time you've finished arguing over the right memory-management policy, we've already prototyped"

              Ah, the old memory management meme. If you knew anything about C++ you'd know that these days you hardly need to do manual memory management at all if you don't want to, if for example you use the STL, Boost or even just plain old stack-based automatics for your object creation and destruction. And when you do use a pointer manually it's usually to do something faster and quicker than Java can manage.

        2. wikkity

          Re: ditch all of those security and performance headaches

          What security/performance issues? The only Java security issues are in applets, a legacy technology that should be avoided where economically possible. If you experience performance issues that is nothing to do with Java but the developers.

      3. Anonymous Coward

        Re: Delete Java

        "Then put my feet up as I cant do a huge chunk of my job. I'll tell the directors that our multi-million pound contracts can't be supported,"

        If your directors had a brain they wouldn't have any large scale projects written in Java in the first place. It's a bloated memory hog and it's only promoted by 2nd division developers who find C++ too difficult.

        1. sabroni Silver badge

          Re: 2nd division developers who find C++ too difficult.

          And C++ is just for third rate engineers who can't do assembler properly.

          Choose the right language for the job. C++ is good for some things but if you need your app to be device independent then something that runs on a virtual machine makes much more sense. No language is the best for every job. A first rate engineer would know that....

          1. Anonymous Coward

            Re: 2nd division developers who find C++ too difficult.

            "And C++ is just for third rate engineers who can't do assembler properly."

            Actually modern x86 assembler is virtually impossible for a human to use properly, not only because there are so MANY instructions now, but because you'll constantly have to be second-guessing the pipelining and caching. Leave it to a compiler.

            "Choose the right language for the job. C++ is good for some things but if you need your app to be device independent then something that runs on a virtual machine makes much more sense. "

            C++ with high enough level libraries is portable between systems. And yes, Java is device independent, but it's not JVM version independent so it simply exchanges one set of portability problems for another.

          2. Mikel

            Use the right language

            The Tao gave birth to machine language. Machine language gave birth to the assembler.

            The assembler gave birth to the compiler. Now there are ten thousand languages.

            Each language has its purpose, however humble. Each language expresses the Yin and Yang of software. Each language has its place within the Tao.

            But do not program in COBOL if you can avoid it.

            - The Tao of Programming

        2. Slawek

          Re: Delete Java

          And these second division developers will write their Java code quicker and with fewer bugs than you will with your C++ :-)

    2. BillG

      Re: Delete Java

      In the computers I'm responsible for all problems including infections were traced to Java.

      Last November we uninstalled Java on all laptops except those doing Android programming, and on those Java was disabled in all browsers. My God, I haven't had one problem since.

    3. Anonymous Coward

      Re: Delete Java

      And the other vulnerabilities? If you look at 'Vulnerabilities in the 50 most used programs (including Windows)', Java is in fifth place. Here's the top 10:

      291 - Google Chrome

      257 - Mozilla Firefox

      243 - Apple iTunes

      67 - Adobe Flash Player

      66 - Oracle Java JRE SE

      56 - Adobe Air

      50 - Microsoft Windows 7

      43 - Adobe Reader

      41 - Microsoft Internet Explorer

      29 - Apple Quicktime

      1. Anonymous Coward

        Re: Delete Java

        I don't know how you can blame user space programs such as Adobe Reader for generating security vulnerabilities in the OS. The OS should be secure enough to not be hijacked by Adobe Reader or a third party app going via Adobe Reader.

        1. Davidoff

          Re: The OS should be secure enough

          "...to not be hijacked by Adobe Reader or a third party app going via Adobe Reader."

          Yeah, right, because application vulnerabilities are no problem on other operating systems like Linux or OS X. Oh wait, they are.

          I guess that all operating systems are fails then.

    4. Anonymous Coward

      Re: Delete Java

      Unless you're a Java developer or want to play Minecraft or you need it for your online banking.

    5. Andrew Williams

      Re: Delete Java

      And while you're at it delete everything. Everything is bollocks. The only thing left for you to do might be to go dance naked on the M1.

  2. Anonymous Coward

    Paging Mr Eadon

    Soooo, anything to say? Mmm? We're listening...

    1. Anonymous Coward

      Re: Paging Mr Eadon

      On previous form, I'd imagine that what he'll say will be along the lines of:

      "Of course, if M$ had written the underlying operating system properly in the first place, these apps wouldn't be able to create a security vulnerability..."

      Then there would be an extended rant about how terrible Microsoft are, he'll probably say that educating children about a user interface he doesn't like (the ribbon) is actually child abuse. Then there will be an obligatory caps lock accusation of "fail".

      1. Boris the Cockroach Silver badge

        Re: Paging Mr Eadon

        "Of course, if M$ had written the underlying operating system properly in the first place, these apps wouldn't be able to create a security vulnerability..."

        Damn, I was just about to write that too.

    2. TeeCee Gold badge

      Re: Paging Mr Eadon

      I doubt you'll get a response.

      He's probably in a coma from the total brain meltdown caused by finding out that his beloved MS swiss cheese security is mostly everyone else's swiss cheese security.

      Either that or the first case of spontaneous human explosion has just occurred under a rock somewhere.

      1. 1Rafayal

        Re: Paging Mr Eadon

        I am not a betting man, but I would lay a fiver on at least one of those AC posts above being from our much tolerated Eadon.

        1. RyokuMas

          Re: Paging Mr Eadon

          Nah, Eadon doesn't post under AC - or so he claims...

          1. 1Rafayal

            Re: Paging Mr Eadon

            "...Nah, Eadon doesn't post under AC - or so he claims..."

            lolololol

            It's either that or his "second" account then ;)

            1. eulampios

              Let me try...

              The Danish biz added that sysadmins must not forget to roll out updates for all installed code rather than just Microsoft's and the few "usual suspects from other vendors".

              Sorry... got confused about the point? Doesn't it happen all at once? Your update manager pops up, you click on the button, enter your password and every single piece of software that has an update ready is updated (you could also choose to defer an update for any individual item there). Oops... my bad... I thought they were talking about GNU/Linux systems. No 3rd party software, everything is #1.

              1. Anonymous Coward

                Re: Let me try...

                Well, I did a "yum update" on my netbackup master server and some of our DB2 and Oracle database servers the other day and none of the commercial software was updated, so I'm going to go with: No, it doesn't happen all at once, if you work in the real world.

                We also have the problem that we need to keep certain versions of certain bits of software we use at a fixed level; doing a "yum update" (from an Internet hosted repo) would actually take out some key servers due to updates breaking some features we use. Again: in the real world it turns out to be more complicated than updating everything at the same time.

                Linux is great, patching from repos is great, but it's not a panacea. You get some control running your repo locally, but it's not as easy as all that. Likewise, if I set up an MS WSUS server I can update everything from a single operation, assuming I've put all the updates that I want onto the WSUS server.

                1. eulampios

                  Re: Let me try...

                  You're trying to be a pessimist and an optimist in the same bottle, I see, hence an AC mask.

                  "...DB2 and Oracle database servers the other day and none of the commercial software was updated"

                  Wow, what a surprise? Maybe you should be using something like PostgreSQL, MariaDB or similar. Proprietary stuff is a pain in the arse. At the same time, some GNU/Linux distros provide important (or so they say) updates for binary-only proprietary stuff, like flashplayer.

                  "if I set up an MS WSUS..."

                  So, you yourself have to set this up first (manually, right?). How convenient. And every Windows user is so delighted to do just that... or not.

                  Anyways, you stay with MS and Windows, I'd rather not, thanks.

                  1. Anonymous Coward

                    Re: Let me try...

                    No, what I'm saying is that Linux has a great update model, but it has some significant problems. Primary would be the lockstepping of installed software to the version of the other packages installed, unless you go to great hassle to make it not so.

                    Suggesting running PostgreSQL or MariaDB suggests that you don't really know much about databases; even if we could just change from Oracle or DB2 to FOSS databases, most of them - good as they are - just aren't up to the standards of the big commercial databases. I notice that you can't cite a FOSS backup server.

                    You obviously don't really know what a WSUS server is, otherwise you would realise that your comment doesn't make sense.

                    Then you suggest that I'm a Windows user, the implication being that I can't also be a Linux user. This is tired old crap that gets trotted out again and again by the fanboys. It's possible to know both, criticise both and praise both where appropriate. To paint either system as a panacea is just simplistic and tribal.

                    1. eulampios

                      Re: Let me try...

                      "Primary would be the lockstepping of installed software to the version of the other packages installed, unless you go to great hassle to make it not so."

                      Not sure what you mean by that exactly. apt, yum and others have a pretty good dependency logic (especially aptitude). You still can force whatever you want, though things can break this way. No alternative on Windows for that.

                      "...just aren't up to the standards of the big commercial databases."

                      I know enough about databases to discern that this is bullshit. First, even if that was true, in 99% of the cases DB2 (and even more so Oracle) databases in industry are used where even sqlite would easily suffice.

                      "You obviously don't really know what a WSUS server is..."

                      I looked at this guide and imagined how many buttons I would have to press, folders to open, tickmarks to check, uncheck and click to make it do (with all vendors or just a few?) what I could do with one click or command and maybe one edited line in the /etc/apt/sources.list. Interesting to note here that it only took MS (2011) ... 14 years to do something partially similar to the Debian apt system.

  3. John Smith 19 Gold badge

    I'm amazed "how to create security holes" is not a part of *every* CS course.

    Because it seems to be one thing developers across the industry manage quite well.

    You've got to wonder, is it them? Is it the pressure to produce something now? Or are the vulns in the libraries they're using that are not being fixed?

    1. Anonymous Coward

      Re: I'm amazed "how to create security holes" is not a part of *every* CS course.

      I'd say it's probably a failure to clean up after themselves.

      You create library v1, then you build on it and make v2, v3, v4 etc etc. By that point you have v5 changing a pointer created in v4 which was to an object created for v3, which was extended from a different object which had been created in v2 which originally came from v1.

      v6 comes around, you need to fix bug A, to do this you change the object from v1, and suddenly the entire chain is incorrect, you have memory being misallocated etc etc. Your simple fix of changing that long to a uShort has suddenly caused a cascade of bullshit which flows downhill like a mountain of the brown stuff.

      All the while you have a backend structure several tens of thousands of lines long, most of which is superseded or no longer used, and could probably be replaced with a few hundred lines of code which do the same job faster, more securely and are easier to read.

      But because the code 'works' anyway execs will never give the go ahead to improve / rewrite it because they're too stupid to see the potential benefits even when they're stood in their face slapping them with a trout.

    2. Neil B

      Re: I'm amazed "how to create security holes" is not a part of *every* CS course.

      Because software development, maintenance, and support in an enterprise environment is subject to a million things out of your control, and f***ing hard.

    3. Ken Hagan Gold badge

      Re: I'm amazed "how to create security holes" is not a part of *every* CS course.

      Cutting corners (and introducing security holes) saves developers (or their employers) money and gets them to market ahead of their competitors. The costs are borne by the customers. The customers can only move to a better supplier if the better supplier hasn't yet been eliminated from the market (owing to their higher development costs).

      Any developer with half a clue can write shit in any language. Bugs have nothing to do with programmers, languages or education. It's all economics.

  4. Andrew Baines Silver badge

    Surely

    Isn't it the job of the OS to prevent bugs in applications being security holes?

    1. Anonymous Coward

      Re: Surely

      Like the way Linux prevents all of those exploits in third party apps you mean? Oh, wait.... http://www.youtube.com/watch?v=DhpTdiEKq_0

      1. Anonymous Coward

        Re: Surely

        See! It's not the OS's job to do this because Linux has problems too! That's not actually an argument, it's the same problem on another OS....

    2. JDX Gold badge

      Re: Surely

      If you want to allow applications to do something useful then they have to be able to do stuff on the system - modify/delete files for instance.

      Of course you could have an OS with different permissions "modify files outside own directory" etc but it won't help because everyone will accept the permissions.

      1. Anonymous Coward

        Re: Surely

        @JDX - Or you could just set up your filesystem and Registry ACLs correctly and not run with an account that has inappropriate privilege levels - or at least, not bitch about it if you run as administrator and everything goes wrong.

      2. Tom 13

        Re: with different permissions "modify files outside own directory" etc

        Actually, there were some old OSes that did that very well. OS space cleanly segmented from data space so while the data space still needed to be protected, it was nearly impossible to compromise the OS space.

        It's just our current OS matrix that jumbles them together.

        1. Anonymous Coward

          Re: with different permissions "modify files outside own directory" etc

          @Tom13 - the problem is that it's really the data space that I'm interested in protecting. I don't care about the OS; the worst that could happen is that I spew out spam or someone otherwise steals my bandwidth. If people get my data they could destroy it, they could corrupt it (you'll only notice if you try to use it, and you'd better hope you notice before your backups go out of retention) or get personal details that may be stored there.

        2. Jamie Jones Silver badge

          Re: with different permissions "modify files outside own directory" etc

          FreeBSD, you mean?

  5. g.marconi

    9 out of 10 ???

    Surely 21 out of 50 would be 42% not 90%.....or has maths changed so much since I was at school?

    1. Anonymous Coward

      Re: 9 out of 10 ???

      I think you are confusing #applications with #vulnerabilities, or has English changed since you were at school?

    2. David Ward 1

      Re: 9 out of 10 ???

      its English you should be worried about, not maths.

      1. Adam 1

        Re: 9 out of 10 ???

        It's "it's"

        1. mmm mmm

          Re: 9 out of 10 ???

          No, it's "It's".

    3. Anonymous Coward

      Re: 9 out of 10 ???

      Given that there are probably 3 or 4 orders of magnitude more 3rd party apps than there are Microsoft's own efforts I find it rather worrying that MS still - if the report is to be believed - manages to provide 10% of these vulnerabilities.

      1. Anonymous Coward

        Re: 9 out of 10 ???

        But the 10% was based on 60% of the apps in the list being looked at being from Microsoft....

  6. Anonymous Coward

    Anti-trust much?

    "The biz collected the figures from anonymised data gathered from system scans by the millions of users of Secunia's patch management software, Personal Software Inspector."

    How is that any different from malware digging through your installed software for future attacks and data slurps? Anonymised or not, it's still a breach of privacy.

    1. Anonymous Coward

      Re: Anti-trust much?

      Erm - but this is by choice - and it automatically downloads and patches all of your 3rd party software. I use it - great tool.

      1. Robert Helpmann??

        Re: Anti-trust much?

        A slight correction: it will automatically download and patch all the 3rd party software that it has in its db and that you have allowed it to handle automatically. I have run into a few cases where it did not recognize an app. It will also notify you of Windows patches needing to be updated, though it will point you to the MS Update site. It can be configured to prompt for install rather than run automatically. It will not look for or install all updates, only those that have to do with security. Finally, you can exclude an application if you for some reason do not wish it to be scanned for updates.

        This is not to say that there is anything wrong with the application. I have used it for years and plan on continuing to do so. In fact, I appreciate that I have these choices available. I set automatic installs up for my family who live hundreds of miles away (cuts down on unpaid, after hours support calls), but review updates on my own system before installing.

    2. Anonymous Coward

      Re: Anti-trust much?

      I guess everyone agreed to it when they skipped the Ts&Cs...

      1. Anonymous Coward

        Re: Anti-trust much?

        I wonder if someone can sneak a "You're obliged once you agree to this ToS to surrender your first born to <company name>", probably google could get away with it.

        1. Anonymous Coward

          Re: Anti-trust much?

          They could, but they'd be foolish to as it would constitute an illegal contract and (IANAL) I think would invalidate the whole contract.

          1. Tom 13

            Re: an illegal contract and

            Close but not quite.

            It would be an illegal condition of the contract and as such that condition would be struck, but usually not the entire contract. In order for the whole contract to be struck the court would have to determine that removing the condition would make the rest of the terms of the contract unenforceable.

            A more interesting problem is that in order for a contract (and therefore a contract to issue a license) to be issued, something of value must be exchanged between parties. Now, while I assume that in the case of updates to MS software the "free" downloads could be considered modifications to the original, it is an interesting conundrum for other free downloads like Reader, Flash, and Java.

    3. Anonymous Coward

      Re: Anti-trust much?

      Two things - Anti Trust is not "a company are not trustworthy" as you seem to think, it's preventing companies forming trusts and controlling the market through their dominance.

      Also, the difference between Secunia's tool and malware is that with Secunia you agree to them scanning your system and using the data.

  7. Anthony Hegedus Silver badge

    .net?

    .net - isn't that a suite of addon shit that takes longer to install than a full OS, has more potential for updates failing than an HP Printer Driver, and most people haven't got a clue why it's on their system in about 5 entries in Programs & Features? And isn't it just basically an API for Windows APIs, in other words should have been part of the OS in the first place? Or am I wrong about that too.

    And Java? Unless there's a specific application, you just don't need it. So some goofy websites don't work. Better than the whole OS being broken due to a drive-by virus download!

    1. This post has been deleted by its author

      1. Anonymous Coward

        Re: .net?

        You are wrong about most of that. Since when did you hear of a critical .Net vulnerability being exploited in vast numbers like the Java ones are? Considering .Net is on every Windows PC, it would be a massive target if it was an issue.

        About the only thing that is correct is that it takes a long time to install and to update. There are good design reasons (and fixes) for that: http://support.microsoft.com/kb/2570538

        1. wikkity

          Re: .Net vulnerability being exploited in vast numbers like the Java ones are

          You are comparing the wrong things, a platform against a language. A fairer comparison in respect to the Java security issues would be Silverlight and applets. Other Java platforms/deployment environments are not affected, only applets.

          1. JDX Gold badge

            Re: .Net vulnerability being exploited in vast numbers like the Java ones are

            As a developer, .net (well C#) is bloody lovely.

            1. Daniel B.

              of course C# is lovely

              ... given it's basically pirated Java. It does some stuff better language-wise, but it suffers from being tied to MS platforms.

              1. JDX Gold badge

                Re: of course C# is lovely

                They pirated an open specification? Good one. I suppose D pirated C++ and C++ pirated C?

                C# is way better than Java these days.

    2. chris lively

      Re: .net?

      Yep, you're wrong on just about everything you said.

      First off, there haven't been many updates and of those I haven't seen any fail. Second, no it doesn't put crap in your Programs and Features area. It's not just a wrapper on the Windows APIs, and it has been included since Win7. It's also unlikely someone would even know it's on their system. Quite frankly I'm pretty sure you don't know what .net is.

      You are right about java though.

  8. A.A.Hamilton

    The numbers are misleading

    Although I buy into one of the central messages of this article (apps. are as much a source of vulnerability as the underlying OS), the numbers are misleading: they refer only to known issues. What the total number is (i.e. including the actual, but as yet unknown, issues) is anybody's guess. And anybody does have a habit of guessing, doesn't he?

  9. BrentRBrian

    crApps

    Don't those same crApps run on Linux too? I have Java and Flash ... no issues here ... what's the difference?

    1. Anonymous Coward

      Re: crApps

      Market share on the desktop. <1% versus 90%. No one bothers to target Linux.

      If you look at OS-X - which has far more security holes than Windows - that only started getting attacks once it hit ~ 5% market share.

      If you look at a market where Linux is actually used like web hosting - it gets successfully attacked far more than any other OS.

      1. JDX Gold badge

        Re: crApps

        Good point about servers... how often do we see Linux servers compromised via vulnerabilities in PHP, WordPress, and other 3rd party applications. In the web world, admins are already aware that keeping those apps updated is super-important.

      2. eulampios

        @AC

        "Market share on the desktop. <1% versus 90%. No one bothers to target Linux."

        Change this song, won't you? Why aren't you *blaming* GNU/Linux platform diversification, e.g.?

        As for the "<1%" thing. First, suggest Microsoft and OEMs to stop bundling and imposing their OS to dilute that 90% figure. Also, please reveal the law governing this correlation here? Linear, polynomial, logarithmic or doubly logarithmic? There is still no analogue of stuxnet, Loveletter, conficker that could spread and self-replicate on GNU/Linux on a portion of those millions of affected units?

        "If you look at OS-X - which has far more security holes than Windows - that only started getting attacks once it hit ~ 5% market share."

        That's certainly not true. I do hate Apple more than Microsoft, however you can't blame their vulnerability holes for the flashback fiasco (the only one we know). It's Java that was moronically unpatched for 6 months, Apple's retarded managers, not the sheer numbers of vulnerabilities.

        As before, vulnerabilities should be assessed according to their weight and the volume of the sample, the software. In that regard, a remote arb. code execution is many times heavier than a DoS issue requiring a physical presence and a user account, similar to those that were just being patched on Tuesday. Or, look here for instance. Sometimes, one doesn't need to exploit vulns, at all, use some OS "features" instead, like AutoRun, file extensions acting as file permissions, lack of secure repositories etc.

        When you try comparing an average full GNU/Linux distro, 42 gig strong and carrying millions of packages (where only several percent are installed, on average), with a few Microsoft products, this is a pretty sloppy Actuarial Math (trust me, with a 10/10 result on the 2006 P1 Actuarial exam).

        "...it gets successfully attacked far more than any other OS."

        And where can I read a reliable source producing these statistics? Thanks.

        1. TheVogon

          Re: @AC

          Not quite sure what your point is, but the fact is that pretty much no one uses Linux on the desktop regardless of whether you agree with the 90% number for Microsoft or not.

          That certainly is true - Secunia shows 1,840 vulnerabilities for OS-X versus about 450 for Windows XP - Microsoft's highest vulnerability OS ever. The studies by Jeff Jones show that Apple OS-X has more critical vulnerabilities that on average take longer to get patched than Windows.

          Jeff Jones also did comparisons with 'package adjusted' Enterprise Linux distributions versus Windows and the same is true - more vulnerabilities with more days at risk on Linux. This has been the case every year since 2004.

          Here are some statistics for you based on public records and 1.5 million incidents: http://www.zone-h.org/news/id/4737

          1. eulampios

            Re: @AC

            It wasn't me who actually downvoted your comment; however, I cannot agree with your claims.

            1) not arguing the numbers, however they might be different.

            2) as far as Apple is concerned, their decision to let an exploitable version of Java linger on users' machines (when it shouldn't have been there in the first place, even patched) is what Apple's managerial position and proprietary attitude are all about. Yet, it has nothing to do with the overwhelming number of "supposed" vulnerabilities, while in the case of MS we can recall Stuxnet (and its kin), Conficker etc.

            3) the defacement statistics look pretty fishy, and this is why:

            a) 1,126,987 a year means 1126987/(365*8*60^2)=.107 per second, or about 1 every 10 seconds (assuming a typical 8-hour work day). This is only for Linux systems; there are more. And it's a human task, you can't automate it, since you have to verify the actual defacement took place, unlike the stats done by Netcraft, for instance.

            So the numbers are most probably exaggerated.

            b) even if you know the numbers are accurate, how would you know what system each defaced system runs? The Netcraft database could be used, but still, there should be unknown ones, since some don't publish their HTTP tokens (or do it only partly). Both OS and server. Yet they have fine-grained stats, where every vendor seems to be represented, which is pretty strange.

            c) and even if b) is right, getting to know what exactly was used as an exploit would be even more challenging; you have to verify the CMS and kernel version for each case. In the Windows case it would be easier, since there is much less variation... Unless the victims find out and report it to you, or the perpetrators do it and you buy their claims.

            I can't really buy these numbers, sorry.

            1. Anonymous Coward
              Anonymous Coward

              Re: @AC

              "I can't really buy these numbers, sorry." - provide some better ones then. Zone-H is well established and respected. There is no evidence that these numbers are unreliable.

        2. TheVogon
          Mushroom

          Re: @AC

          "There is still no analogue of stuxnet, Loveletter, conficker that could spread and self-replicate on GNU/Linux on a portion of those millions of affected units" - there have been a number of previous Linux based worms that self replicated. Just Google 'Linux Worm'

  10. jason 7
    Megaphone

    Add EMET3.0 into the mix

    It keeps tabs on third party stuff if it tries to act up in a naughty way.

    Just shuts the sucker down if it does.

    Don't know why MS doesn't roll it out as standard fit really. I'm putting it into all my customer builds and no issues so far.

    http://blogs.technet.com/b/srd/archive/2012/05/15/introducing-emet-v3.aspx

    1. Anonymous Coward
      Anonymous Coward

      Re: Add EMET3.0 into the mix

      They probably will do once they are sure it doesn't break too much. It does stop some (badly written) stuff from working...

      1. jason 7

        Re: Add EMET3.0 into the mix

        Well this is it. But if it stops a bit of shareware from 2003 working I don't see the issue. The needs of the many...

        As a side note it doesn't work too well with Office 2003 and earlier if you switch on all the configurations for each of the Office apps. So basically they were not written to conform to modern memory security policies.

        However, if you load up the All profile for the applications then it configures the correct settings for Office so you don't get any issues.

  11. RainForestGuppy

    I can't remember how many arguments/discussions I've had with people who claim that they don't need Anti-malware controls because they use Chrome so they are safe (most of these people claim to be developers).

    My argument that all web browsers are full of vulnerabilities has been proved correct once again.

    [Smug Mode engaged]

    1. Anonymous Coward
      Anonymous Coward

      Chrome has loads more vulnerabilities than IE.

  12. ecofeco Silver badge
    Facepalm

    90% of Those Were...

    ... screensavers, clever mouse pointers, kids apps and pron.

  13. Dropper

    Would Love To Delete Java and Flash

    But I can't. At least not Java; Serviio doesn't work without it, and using Windows' abortion of an attempt at media serving is not something I can be bothered with. Having said that though, it is easy to configure Java to not be available to browsers. You can do it right from its own configuration app, so that works for me. Flash can go without any pain whatsoever, though; unfortunately too many official documents (government agencies, HR departments, etc.) use PDFs, so getting rid of that is not as easy. Sure, you can get around it, but that requires work, and I always thought that the whole idea of a computer was to make life easier, not more complicated.. oh wait.. I see what I did wrong there..

    One final thought..does that mean S.Jobs was actually right about something? *slaps forehead* never thought I'd see the day..

  14. Mikel
    Windows

    Actually exploited vulnerabilities though...

    Our research shows 90% of the vulnerabilities exploited to compromise our honeypots are in Microsoft products.

    1. Anonymous Coward
      Windows

      Re: Actually exploited vulnerabilities though...

      sadly, figures from the department of "made up statistics with zero supporting evidence" don't count for much round here....

      Icon because I am and I like it. Well, 7 at any rate. Not 8 though.

  15. Anonymous Coward
    IT Angle

    Microsoft insecurity ..

    "Nearly nine out of ten security vulnerabilities in Windows computers last year were the fault of popular third-party applications, as opposed to Microsoft's own software."

    A bug in third-party applications should not lead to a compromise in the underlying Operating System, unless the underlying Operating System software is defective in some fundamental aspect!

    1. Anonymous Coward
      Anonymous Coward

      Re: Microsoft insecurity ..

      "A bug in third-party applications should not lead to a compromise in the underlying Operating System, unless the underlying Operating System software is defective in some fundamental aspect!" - that must be why so many more Linux servers than Windows ones get hacked through holes in 3rd party software then? Linux is 'more defective' than Windows?

  16. W. Anderson

    CrAPP policies and practices

    Microsoft and its supporters just cannot seem to get good news about all the security and reliability problems in its software. This is unfortunate for them (both), but was somewhat predictable from the business/technology strategy taken by the company many years ago, when it chose not to start from scratch to create truly superior Operating System (OS) software, but instead kept patching and making superficial improvements to the same tired, old OS so that billions of dollars in applications investment wouldn't be lost.

    This is one time when Microsoft may be reaping the consequences of excessive greed, oppressive (and sometimes illegal) business practices against all others, lack of innovation and weak software technology skills, and laziness.

    1. Anonymous Coward
      Anonymous Coward

      Re: CrAPP policies and practices

      Microsoft actually had lower security vulnerability counts than competing software (OS-X, Enterprise Linux distributions) every year since 2004!
