Have we beaten the hackers, at least on one front? The number of discovered and reported software vulnerabilities increased rapidly from 1988 to 2005, peaked in 2006, then started dropping. But they rose again in 2012. A glitch in a real decline? Or a turn for the worse?
Total vulnerabilities per year. Image courtesy: Sourcefire
Dr Yves Younan, senior research engineer with Sourcefire's Vulnerability Research Team (VRT), has analysed the entire CVE and NVD databases and his research, "25 Years of Vulnerabilities: 1988-2012", will be presented at the RSA Conference in San Francisco on Friday.
"What came as a big surprise to us was that the Linux kernel had the most CVEs reported for it for the 25-year period," Younan told CSO Online. "Another surprise here was that even though [Adobe] Flash Player has a bad reputation for security, it's actually not in the top ten for [total] vulnerabilities."
But simple vulnerability counts can give a distorted view. The Linux kernel is considered to be one monolithic project across the entire period, for example, while every version of Windows is a separate project. The total count of vulnerabilities for all Windows versions exceeds Linux. But then Windows is more than just a kernel. Add in all the software included in Linux distributions, and Linux goes back into the doghouse.
Younan counted just the high-severity vulnerabilities, those with a Common Vulnerability Scoring System (CVSS) score of 7 or higher. Windows XP tops that list. "Windows Vista is at the number five position, even though Microsoft put a lot of effort into securing Windows Vista," he said. "The Linux kernel isn't even in the top ten."
Vista was the first version of Windows to benefit from Microsoft's Security Development Lifecycle (SDL), the software development process created after Bill Gates' Trustworthy Computing memo of January 2002. Yet from the vulnerability perspective, Vista looks like little more than a rough draft of Windows 7.
Counting high-severity vulnerabilities alone, Flash Player is back in the top 10, at number five.
The count of high-severity vulnerabilities doesn't exhibit that 2012 uptick, only the steady post-2006 decline. However when looking at just critical vulnerabilities, those with a CVSS of 10, there's no sign of a decline at all.
When it comes to smartphones, Apple's iOS has the majority of vulnerabilities. "iPhone had more vulnerabilities than all the other relatively large players combined — Android, BlackBerry and Windows," Younan said.
"One of Android's advantages is that it's based on Linux, so a lot of vulnerabilities have already been fixed," he said. The predicted Android security nightmare hasn't happened. Yet. "Android [vulnerabilities] will probably rise in the next couple of years as they add more features."
Android does suffer from malware, however. "Those aren't necessarily exploiting vulnerabilities. They're just installed by the user. iPhone doesn't suffer from malware as much because of the closed ecosystem of the App Store."
Apple has also implemented mitigation strategies in the last few iterations of iOS, making it harder for vulnerabilities to be exploited — an echo of Adobe's mitigation approach to its Reader software.
Software vulnerabilities aren't the only factor leading to insecure systems, of course. "A Windows XP that's well-maintained would probably have less of a chance of being hacked than a Linux that's been ignored for a couple of years," Younan said.