- Buffer overflows remain one of the top-ranking vulnerability types year over year.
- Microsoft has improved significantly over the last couple of years, and its browser and mobile operating systems now fare better than their competitors' in terms of vulnerabilities discovered.
Sourcefire, Inc. (Nasdaq: FIRE), a leader in intelligent cybersecurity solutions, today unveiled its latest research findings on IT security vulnerabilities spanning 1988-2012, in a report released to the market to help businesses better protect their assets. The research draws on two well-respected data sources, Common Vulnerabilities and Exposures (CVE) and the National Vulnerability Database (NVD), both international vulnerability identification entities, and evaluates over 54,000 vulnerabilities reported over the last 25 years.
Key Finding #1: iPhone has the Highest Number of Vulnerabilities
The popular Apple iPhone has the most vulnerabilities reported, at 210, while Google Android logs in at 24, Windows Mobile at 14 and BlackBerry at 11. It is interesting to note that Apple has had significant CVE growth year over year even though its OS has implemented more security features in each subsequent iteration. One may argue that the increase in CVEs is due to the increased popularity of the phone over the years. However, Android, the current market leader for mobile phone operating systems, actually received fewer CVEs in 2012 than it did in 2011, even though it had explosive growth in market share that same year.
Key Finding #2: Top 10 vendors with the highest volume of reported vulnerabilities
The 10 worst offenders (from the top down) were Microsoft, Apple, Oracle, IBM, Sun (acquired by Oracle), Cisco, Mozilla, Linux, HP and Adobe. These top 10 vendors accounted for 14,162 vulnerabilities, or almost 27 per cent of the total number of vulnerabilities (source: NVD data).
The interesting thing to note is that when only "critical vulnerabilities" are considered, Oracle came in as the worst offender, taking the first spot, followed by HP and IBM. Apple and Microsoft had more vulnerabilities overall, but fewer critical ones.
Key Finding #3: Microsoft Windows XP and the Mozilla Firefox browser stand out as the two products with the largest number of high-severity vulnerabilities
For high-severity vulnerabilities, the top 10 offenders (from the top down) are Microsoft Windows XP, Firefox, Chrome, Windows, Internet Explorer, SeaMonkey, Windows Vista, Windows Server 2003, Thunderbird and, lastly, Mac OS X. Surprisingly, Flash Player is not among the top 10.
A key insight here is that the most popular Internet browsers (Firefox, Chrome, Internet Explorer and Safari), which together make up 90 per cent of the browser market share, appear in this top 10 list.
Key Finding #4: "Buffer Overflow" is the TOP vulnerability
"Buffer overflows" take the top spot, with 7,809 reported over the last 25 years.
In 2008 and 2009, SQL injection was the top vulnerability type, only to be displaced by XSS and buffer overflows in 2010. In 2011, buffer overflows took the top spot again, while access control issues reigned supreme in 2012.
Other severe vulnerability types reported in the research include "Code Injection", "Input Validation" and "OS Command Injection", among others.
Yves Younan, Senior Research Engineer of the Sourcefire Vulnerability Research Team (VRT™), shared: "With 25 years of vulnerability data now available, this report takes a historical look at vulnerabilities over the years, and some of the results are surprising."
He concludes by listing the following as the key highlights worth noting: