5,198 Software Flaws Found in 2005 (257 comments)

Posted by Zonk
from the better-to-find-them-than-not dept.
An anonymous reader writes "Security researchers uncovered nearly 5,200 software vulnerabilities in 2005, almost 40 percent more than the number discovered in 2004, according to Washingtonpost.com. From the article: 'According to US-CERT...researchers found 812 flaws in the Windows operating system, 2,328 problems in various versions of the Unix/Linux operating systems (Mac included). An additional 2,058 flaws affected multiple operating systems.'"
  • Axe Grinding (Score:5, Informative)

    by alanw (1822) * <alan@wylie.me.uk> on Saturday December 31, 2005 @09:32AM (#14370036) Homepage
    Brian Krebs is clearly either extremely stupid, or has an axe to grind. If you look at the Cert Cyber Security Bulletin 2005 Summary [us-cert.gov], you can see that many of the lines in it end in "(Updated)". A simple count of lines gives the results that Brian quotes; however, there are far more "(Updated)" entries in the Unix/Linux Operating Systems section. Removing these lines gives the following results:

                  including     excluding
                  "(Updated)"   "(Updated)"
    Windows          813           671
    U/L             2328           891
    Multiple        2057          1512

    (sorry about the spacing - can't find any way of doing it)

    greatly reducing the proportion of Unix/Linux vulnerabilities

    • Re:Axe Grinding (Score:5, Insightful)

      by ginotech (816751) on Saturday December 31, 2005 @09:36AM (#14370049)
      That is messed up. You're right, simply updating a vulnerability doesn't make it a new one. You know why Linux and co. have more updated ones, though? Because people can actually see the bugs in the code!
      • Re:Axe Grinding (Score:5, Interesting)

        by click2005 (921437) on Saturday December 31, 2005 @09:49AM (#14370088)
        Where is the mention of seriousness of the flaws? How many allow root access or something else serious/critical instead of "clicking this button makes the tool tab disappear" or something.

        They also fail to mention that a lot of these flaws are not in the OS itself (or essential components) but in 3rd party software.

        A lot of the software isn't even included in a standard installation.
        • Unfair (Score:4, Insightful)

          by Kaelthun (940330) on Saturday December 31, 2005 @12:09PM (#14370515) Homepage
          "The ignorant define themselves" why is there even a discussion going on about the essence of the word "flaw"? Fact is that this research has not been fair because all Linux distros, UNIX variants (such as BSD) and Mac are counted as one, and MS Windows as another. You cannot compare the multitude of Linux distros to the one-man platform of MS Windows. If there had been a tally between, say, Redhat, Ubuntu, FreeBSD, NetBSD, OpenBSD, Mac OS (I dunno what version it is in atm) and MS Windows, and all stats had been listed separately ... that would have been fair and clear. Now it's just a mash of all these stats with just one simple query on it: SELECT bugs FROM stats WHERE os = Windows. They just mashed the rest together and called it "the rest".
          • Re:Unfair (Score:5, Insightful)

            by ComputerizedYoga (466024) on Saturday December 31, 2005 @01:38PM (#14370898) Homepage
            thing is, all of those distros use the same software base. Redhat, Ubuntu, *BSD, they're all host to apache, samba, bind, openssh, php, gcc ... they're all essentially the same, once you get past package management, the kernel and the c libraries.

            If you want to count "OS" flaws, you need to remove ALL the third-party apps. That means in linux, you'd JUST be counting the flaws in the kernel and glibc, and in BSD only the core system as well. And those aren't even going to be distro-specific.

            While you're right that it's probably not fair to shove os-x vulns in with the unix/linux category (os-x is its own unique animal and has a lot of things that no other *nix has) I think it is fair to mash together the F/OSS nixes. Or at least to mash together their non-os-specific parts.

            Of course, these comparisons are inherently unfair, if they're used as a metric for "which OS is more secure". That's become something of a moot point. No matter how someone calculates their metrics, someone or another is going to be displeased with their methodology. What's more interesting, and more to the point, is the sheer number of vulns found across the board, and that's the whole point of the story.
    • Re:Axe Grinding (Score:4, Interesting)

      by someone300 (891284) on Saturday December 31, 2005 @09:43AM (#14370070)
      Also, isn't this more of a survey of the security flaws of the software running on the operating systems, rather than the operating systems themselves anyway? The summary linked article seems to imply that it's an OS flaw.

      7-Zip isn't an OS vulnerability, nor is 4D WebSTAR.

      Couldn't this be tilted against linux/unix/whatever due to the larger amount of crappy server/networking software available for it?
    • Re:Axe Grinding (Score:2, Informative)

      by camcorder (759720)
      Also, from a security perspective, I would like to know the ratio of remote vulnerabilities on these platforms and how many of them are DoS vulnerabilities versus more critical compromise vulnerabilities.

      It's correct that a DoS vulnerability might actually be more critical than it was thought to be (as in the recent IE bug). I think numbers like these are very deceptive. From a user perspective I can say this year brought me lots of stupid worm mails, which mostly originated from Windows platforms.
    • Re:Axe Grinding (Score:5, Informative)

      by jc42 (318812) on Saturday December 31, 2005 @10:28AM (#14370168) Homepage Journal
      Hey, you missed the even bigger method of increasing the unix/linux score: counting each distro separately.

      Thus, if you go to distrowatch.com, you find 100 distros for linux alone. So for most actual kernel bugs, you can count each one at least 100 times. And for apps that run on all unix releases, the multiplier can be a lot higher.

      Of course, there are several distros of Windows, too. But not nearly as many, and the people adding up the bug counts somehow always seem to miss this trick with Windows.

      Anyone else got a favorite way of producing misleading bug scores?
      • Re:Axe Grinding (Score:3, Insightful)

        by cbiltcliffe (186293)
        Anyone else got a favorite way of producing misleading bug scores?
        Not so much a misleading bug score, but misleading about bugs nonetheless:

        "All the bad guys know about all the bugs in Linux, because they can see the code. But only Microsoft knows about bugs in Windows, and they fix them before anybody finds out."

        Paraphrased, of course, but pretty much what every Microsoftie analyst says on a daily basis.
      • Anyone else got a favorite way of producing misleading bug scores?

        Just the tried and true one...

        Let Zonk 'write' the story

    • Re:Axe Grinding (Score:3, Insightful)

      by pintomp3 (882811)
      TFA keeps talking about vulnerabilities and flaws interchangeably. a flaw doesn't mean a vulnerability. although i believe updates should be included in the tally, the tally is trivial. few of the unix/linux flaws make your computer vulnerable compared to the windows ones. that is more a design issue though.
    • I looked at the "updates" and it looked like the same thing was updated more than once. Does this mean that the "updates" were for the same problem and the previous update for the problem didn't work? Or created new problems? Can anyone clarify?

      for example:
      Apache 'Mod_SSL SSLVerifyClient' Restriction Bypass (Updated)
      Apache 'Mod_SSL SSLVerifyClient' Restriction Bypass (Updated)
      Apache 'Mod_SSL SSLVerifyClient' Restriction Bypass (Updated)
      Apache 'Mod_SSL SSLVerifyClient' Restriction Bypass (Updated)
      Apache
    • Well, I found my own way to interpret this "mash-up" data.

      Take the total # of flaws of the Linux distros; 2,328.
      The number of distros including Mac -- by pulling a guess out of my hat; 12
      Since we can assume that most UNIX distros are similar, and we'll be kind by saying the Mac has the same number of flaws, just divide the total by the platforms and you get... 194.

      And, since we can assume this is an "independent analyst" paid for by Microsoft -- we can safely assume that they buried vulnerabilities from I
  • by Ckwop (707653) * <Simon.Johnson@gmail.com> on Saturday December 31, 2005 @09:34AM (#14370041) Homepage

    There are two ways to look at this. I would say that it is quite unlikely that the quality of software with respect to security went down in 2005. Computer Security now has such a high profile that software houses across the world are spending many dollars trying to provide better security.

    If you accept that security quality has not gone down, then you must conclude our ability to detect vulnerabilities is getting better. This is universally a good thing. Every vulnerability the "good guys" find before the "bad guys" is one we can have a fix for before the bad guys take over our system.

    Then there's the other side of these figures. That's a lot of vulnerabilities. Now, fair enough, not all vulnerabilities are created equally, but I'd bet at least 10% are serious enough to get your system taken over if you're not careful. That's a lot of ways to break into my system and it's a lot of work to make sure you're not vulnerable.

    We have such a long way to go. For example, in PHP if they'd just follow Microsoft's example and put a SQL injection and XSS attack filter on information passed to web-pages we could close a serious hole in many web-applications. I've not looked at Ruby on Rails but I bet it fails this test too.

    For God's sake, if you're not writing an operating system you have no business using C. Read my lips: YOU CAN'T WRITE SECURE C. Not now, not after 20 thousand hours of training, not ever. Sure, it's possible to write secure C in theory, but the difference between theory and practice is that in theory they're the same and in practice they are not. In practice, you have deadlines, in practice you have people on the team who have less security training than others, in practice you have developers who have just had children and don't get a lot of sleep. In practice, people make mistakes. Code reviews may help but they won't remove everything. If you write your software in C you're doomed to having silly security bugs. If you want to remove most of the worry about overflows, use a language that rules them out.

    Another thing, why should code we execute on our computers run at the maximum privilege set of the user who is running it? Suppose my program checks a HTTP page against an MD5 hash periodically and sends an SMS through an internet-based SMS gateway. Why should that program, if it wants to, be allowed to access the disk? I don't know about Java but C# has got a set of attributes that can control this type of behaviour. Really, we should be forcing declarations at the language level about what permissions each method of the program needs - the default being none of course.

    Simon.

    • by canuck57 (662392) on Saturday December 31, 2005 @10:37AM (#14370186)

      For God's sake, if you're not writing an operating system you have no business using C. Read my lips: YOU CAN'T WRITE SECURE C.

      I beg to differ, C can be real secure if written that way. The problem comes in that most people do not know how C works inside yet they code something. Then of course to your next point:

      Code reviews may help but they won't remove everything.

      This would solve a lot of issues. How many environments routinely run bounds checking and code reviews for functionality AND security? How many people who really understand C reviewed the code?

      And security problems are not just C problems, any language like Java, .NET, PHP, C# can also have their issues. CERT and others concentraight on the operating systems that we all use but generally skirt applications security which can be very bad. Job schedulers written in Java that allow root access, data warehouses that give up encoded (but not encrypted) UIDs/passwords over the net, the list is long. And how many people use unencrypted telnet/ftp/imap/pop3 even though secure options exist? I know senior NT and UNIX admins that don't know what a key pair is, let alone what a certificate chain is. But they have a half dozen certifications.

      But secure code begins with its priority in design, and takes more time to code no matter what language you use. Having knowledgeable coders helps a lot. But we are in a day and age where we only want cheap coders. And here is a hint: cheap coders are never good coders or they would not be cheap. Therein is the issue; more time is something people do not want to spend either in training, coding or review.

      • I've never seen "concentrate" spelled quite like that. +2 points for originality.
      • by Decaff (42676)
        And security problems are not just C problems, any language like Java, .NET, PHP, C# can also have their issues.

        Apart from the fact that .NET isn't a language, I would be interested to know what issues you think Java and C# have. Almost all the problems with C (and almost all problems with security) are due to bounds checking. Java and C# have automatic built-in bounds checking.

        PHP can have issues because it is interpreted, and so you can get code injection. Java and C# aren't interpreted.
    • Privileges for a given piece of code should be set by me and enforced by the OS. Otherwise it's just letting the wolf guard the henhouse.
    • I suggest a new, totally secure and bug-free programming paradigm. Example:

      void main()
      {
          SuperSecureFunction();
          TotallyNotBuggyFunction();
          ImmaculatelyConceivedOperation();
      }

      I call it Intelligent Design programming. You just have to link to the right libraries.
      • void main()

        Stop right there. Far from being "bug free", you've just committed one of the best-known sins of C. In C, main is required to return an int. As-is, this has undefined behavior, so nothing (at all) can be predicted about the security (or lack thereof) in the rest of your code.

        The first step toward writing really good code is avoiding the most obvious textbook examples of bad code.

  • Language choice? (Score:2, Informative)

    by Anonymous Coward
    I would like to see some data showing the correlation between applications written in unmanaged languages and those with buffer overflow and similar exploits.

    Modern unmanaged C++ is fine (STL containers instead of arrays, RAII, etc.), but I often wonder why people still write in C at all, particularly when it comes to Open Source software. We are not the bearded heroes of the 70s - it's time to write in a modern language. If you don't want to sacrifice speed and system level programming for a managed enviro
    • by penguin-collective (932038) on Saturday December 31, 2005 @10:27AM (#14370164)
      Modern unmanaged C++ is fine (STL containers instead of arrays, RAII, etc.),

      Modern unmanaged C++ is NOT fine; STL permits many kinds of bugs that are analogous to buffer overflows. Furthermore, modern software systems are composed of many different modules, and just because you happen to be careful in your modules doesn't mean others are careful in theirs. Finally, without full garbage collection, you cannot have full runtime safety.

      but I often wonder why people still write in C at all, particularly when it comes to Open Source software.

      People prefer C to C++ because for the small increase in safety that C++ gives, it's far too complicated and complex a language. People don't use languages other than C/C++ because those languages interoperate poorly with existing C/C++-based libraries (this is C/C++'s fault), tend to have bloated runtimes, and have only a tiny user community. And, yes, many people don't even realize that there is a problem.

      We are not the bearded heroes of the 70s - it's time to write in a modern language.

      The bearded heroes of the 70s actually knew better. Back in the 1970's and 1980's, C was of no significance. When people were using HLLs back then, those languages were generally a lot safer than C. The rise of C was a historical accident, related to the rise of BSD UNIX and microcomputers.

      But, yes, I share your sentiment: it would be good to see security bugs by language choice. And I'll give you this much: C++ is an improvement over C, but it's not a solution.
      • Modern unmanaged C++ is NOT fine; STL permits many kinds of bugs that are analogous to buffer overflows.

        Huh? Granted there are some silly design decisions in the C++ standard library, like making the unchecked indexing use operator[] and the safer, checked version use at() on a std::vector. Still, it's much harder to get things like overruns using the STL, where much code is iterator-based, and harder still to do it in a way that won't be obvious to any remotely competent code reviewer (who will ask why

        • by Decaff (42676)
          At the end of the day, GC is a useful tool for many programming jobs, but it's only a tool, not a silver bullet. It's no substitute for a good programmer who knows what he's doing.

          You write well on this matter, but I think the evidence really is to the contrary. Hundreds of millions (if not more) lines of code have now been written in languages that use garbage collection. Some of these languages are high-performance and some are used for real-time work, and they all work fine.

          Garbage collection is now ro
        • At the end of the day, GC is a useful tool for many programming jobs, but it's only a tool, not a silver bullet. It's no substitute for a good programmer who knows what he's doing.

          Perhaps your problem is that you don't understand what a "safe language" is. A safe language is a language that makes guarantees about type errors, error detection, and fault isolation. A language with dynamic memory allocation needs to have a GC in order to be safe. A safe language does not make guarantees about security or pa
    • Really simple, actually: C requires less planning, is easier to learn, and is more likely to be guaranteed cross-platform. If you're writing a simple command-line utility for your own use, it's either C or shell scripting.
      • Perl, Python, Ruby...
        • Re:Language choice? (Score:3, Informative)

          by aaronl (43811)
          And here is the problem with that:

          PERL - not installed on some UNIXes
          Python - not installed on most UNIXes
          Ruby - not installed on any UNIXes

          If your app won't run in the default environment of your target platform, you create a lot more work to change the environment. Or you could write the app in a way so that it *will* run in the default environment, which means using C or shell. Usually, PERL will work, but there are several places that it isn't installed by default, even today.
          • I agree with you, sir. And if you're trying to make an extremely small tool, such as a real-time or critical security tool, relying on the local Perl installation is like using a car's headlight as a flashlight: it's the wrong tool for the job.

            The incompatibility of C++ compilers, and Java compilers, also leads me not to use them if at all avoidable. Plain old gcc-compilable C works robustly across a wide variety of platforms in a way those tools never will.
    • by jc42 (318812) on Saturday December 31, 2005 @10:46AM (#14370212) Homepage Journal
      I often wonder why people still write in C at all, ...

      Well, my last big project was written almost entirely in C for the simple reason that that's what the client wanted. We did a lot of prototyping in perl and python, but that code wasn't acceptable for delivery; we had to rewrite all the production code in C. If not, it wouldn't be accepted.

      Much of the explanation was that the client had accepted C++ and java in earlier projects, and they were disasters for all the familiar reasons. They were determined that this wouldn't happen again, so they went with a "proven" language with a track record of use in major successful systems.

      Similarly, I have a couple of friends who recently did a project in Cobol. They hated it, but they wanted to get paid, and that's what the client would accept.

      In the Real World[TM], the decision about which language to use is very often made by managers who aren't programmers and don't have a clue about the real issues. So they make decisions based on things that they can understand and measure.
      • In the Real World[TM], the decision about which language to use is very often made by managers who aren't programmers and don't have a clue about the real issues.
        No. The decision is made by a manager who needs to balance the business issues of long-term supportability and cost within the current infrastructure against other technical benefits. That decision is not as simple as, say, vi versus Emacs, much less C versus Java versus C# versus Python.
  • OSOS (Score:4, Funny)

    by Konster (252488) on Saturday December 31, 2005 @09:38AM (#14370053)
    812 flaws in the Windows operating system? When did they start counting flaws? December 28th?
  • by dynamo52 (890601) on Saturday December 31, 2005 @09:41AM (#14370060)
    Firefox: 1
    Explorer: 45
    Explorer wins!
  • by corvair2k1 (658439) on Saturday December 31, 2005 @09:41AM (#14370063)
    I've released more than that by myself this year!
  • shocking numbers (Score:5, Interesting)

    by CDPatten (907182) on Saturday December 31, 2005 @09:54AM (#14370099) Homepage
    "researchers found 812 flaws in the Windows operating system, 2,328 problems in various versions of the Unix/Linux operating systems (Mac included). "

    If we listened to just the media you would have thought Windows had thousands and the others only had a few dozen. I promise I'm not trolling, but do those numbers stop and make anyone on the site re-think stances? We all saw the numbers that put Firefox with more holes than IE earlier this year too. Could MS be doing a better job, but just getting hammered in the press (who are mostly Apple users by the way)? MS holes get lots of press while other operating systems get a free pass.

    "I know Microsoft issued a lot of patches this year that fixed quite a few vulnerabilities ... but 812? My suspicion has always been that Microsoft sometimes fixes multiple flaws with a single patch, even though its advisories may make it appear as though the patch addressed a singular issue. "

    MS always has an attached KB article that details everything their patch does. I don't think that statement is denial.

    I find myself defending MS a lot on this site, and it's nice to have some numbers from a respected neutral organization to debate some of you guys with. I'm sure after this piece they will be re-classified as MS zealots, but what can ya do.
    • If we listened to just the media you would have thought Windows has thousands and the others only had a few dozen. I promise I'm not trolling, but do those numbers stop and make anyone on the site re-think stances?

      No, it doesn't. First of all, there are a dozen different versions of UNIX and Linux, each with their own set of flaws. MacOS is an almost entirely different system except for a kernel compatibility module and a bunch of command line utilities. Second, the number of bugs discovered or number of
    • I'd like to see the numbers for basic core aplications.

      For example, on the windows side, problems with the OS and core packages. Things like notepad, control panel, wordpad, etc, and on the linux side, you'd have to do some averaging: Linux 2.4 v 2.6, KDE v. Gnome core apps. Meanwhile a comparison between OpenOffice and Office would be in order. It's been a while since the last good study of how one works next to the other in their 'native' environments.
      • I'd like to see OS versus OS. For linux you count kernel flaws (everything else is user space and can be swapped out with other apps). For windows you count flaws in the software that remains after you remove everything you can through proper channels (uninstall, not simply delete).
    • by lasindi (770329) on Saturday December 31, 2005 @10:50AM (#14370221) Homepage
      "researchers found 812 flaws in the Windows operating system, 2,328 problems in various versions of the Unix/Linux operating systems (Mac included). "

      If we listened to just the media you would have thought Windows had thousands and the others only had a few dozen. I promise I'm not trolling, but do those numbers stop and make anyone on the site re-think stances? We all saw the numbers that put Firefox with more holes than IE earlier this year too. Could MS be doing a better job, but just getting hammered in the press (who are mostly Apple users by the way)? MS holes get lots of press while other operating systems get a free pass.


      If you look at the first post [slashdot.org], you'll see that the real count of vulnerabilities isn't so shocking after all:

      Windows 671
      UNIX/Linux 891
      Multiple 1512


      Also, when you consider the fact that "UNIX/Linux" includes many different operating systems (e.g., GNU/Linux, *BSD, OS X, etc.), you can't give any one Unix operating system the blame. Remember that although some code is shared between projects, GNU/Linux and the *BSD are more or less completely different code bases. In any case, the simple counts of vulnerabilities don't take into account the severity of each, so the real winner is even more ambiguous.

      I find myself defending MS a lot on this site, and it's nice to have some numbers from a respected neutral organization to debate some of you guys with. I'm sure after this piece they will be re-classified as MS zealots, but what can ya do.

      While Brian Krebs might be tainted by his misrepresentation (see the post I got the numbers from), I can't imagine anyone here claiming that US-CERT is somehow a bunch of MS zealots. In fairness to Microsoft, they've definitely come a long way with SP2, and I don't feel nearly as vulnerable when using an SP2 machine as I did with previous Windows versions (though the recent WMF hole makes me a bit more worried). But they're still nowhere near the point where I would switch from Linux.
      • Well, the numbers are shocking, when I went to secunia, and compared windows XP (with all the crap that comes with it) and just the Linux kernel 2.6.

        Linux kernel itself(no other programs) : 33 advisories
        Windows XP(including IIS, libraries, .net etc): 45 advisories

        Obviously a simple count of vulnerabilities is a real stupid way to compare things, but I would not claim linux is any more secure than windows or the other way around. You are better off using what OS you know better, and secure better. But MS need
    • Windows is one OS with 800 bugs, unix/linux/os-x/bsd is a whole collection from a whole slew of different companies.

      Only a MS-tool would not instantly spot this. Others have already pointed this out but of course they are just Unix and OS-X and BSD and Linux hippies. Oh, and which OS makes it unsafe to simply browse the web right now? Thank you. Bill Gates called, he is about to take a dump and needs you to swallow it all.

      All this article shows is how easily statistics can be used to tell a complete lie.

    • by Liam Slider (908600)

      "researchers found 812 flaws in the Windows operating system, 2,328 problems in various versions of the Unix/Linux operating systems (Mac included). "

      If we listened to just the media you would have thought Windows had thousands and the others only had a few dozen. I promise I'm not trolling, but do those numbers stop and make anyone on the site re-think stances? We all saw the numbers that put Firefox with more holes than IE earlier this year too. Could MS be doing a better job, but just getting hammered

    • Unfortunately, the raw numbers are misleading. Many of the Windows bugs are fundamental to the way they do things: auto-opening and auto-executing downloads is amazingly stupid, and the particular vulnerability used after that point is irrelevant, but those are the defaults for all Microsoft distributions.

      Second, the Linux/Mac/UNIX holes tend to be very small: they require a clever programmer to detect the vulnerability, they require skill to exploit, they often require the user to do something additionally
  • by master_p (608214) on Saturday December 31, 2005 @10:12AM (#14370141)
    Ok, I've made a 'hello world' program in C++...I had 0 bugs in it, do I win?

    Seriously now, these numbers are useless without mentioning lines of code and programming languages. Suse Linux 9.3, for example, has over 7,000 RPMs, which is an enormous amount of software.

    Absolute bug numbers are meaningless.
    • There are lies, damn lies and statistics.

      This is why absolute numbers are meaningful.

      This isn't necessarily directed at your statement (because you're asking for more hard numbers in the form of programming languages and lines of code) but it's worth saying.

      Yes, we can weight the various bugs to make the comparison more 'accurate', but the second we begin doing that, we've injected someone's opinion of what is and isn't important.

      Admittedly, you could extend the superficial analysis the author did without h
      It's also meaningless because it unfairly groups Apple in with Linux/Unix. Solaris might have its share of bugs, and linux surely has exploits more often than we'd like, but if you browse through the Apple vulnerabilities, you'd see that most of them are blatant, stupid oversights that people should be fired for. I wouldn't be surprised if Apple has the majority in the unix/linux group - commonalities aside.

      Apple needs to get someone who knows a thing about security, because the false belief "its unix its sec
    • Ok, I've made a 'hello world' program in C++...I had 0 bugs in it, do I win?

      Well that all rather depends on your compiler, doesn't it?

  • by bogie (31020) on Saturday December 31, 2005 @10:22AM (#14370156) Journal
    Because I know I just woke up but that CERT page is listing APPLICATIONS FLAWS and NOT OS flaws.

    Is a flaw in "Gold FTP explorer" or Photoshop a Windows OS flaw?

    Am I the only one seeing this?
    • Shh! Most of the people here don't understand the difference between an OS and an "app". Many of them will even tell you with a straight face that a runtime library is part of the OS. (Really; look through the /. archive. ;-)

      So let's keep quiet on the sidelines, and let them all make fools of themselves in public.

      • *sighs* I know. It frustrates me to no end that Operating System is being redefined.
        It has been changed from the layer of software that operates the hardware and provides the lowest level API for accessing it (kernel, and kernel API) to the layer of software that interacts with the user.
        • When all your software comes from the same company it's hard to tell the difference sometimes.

          My computer doesn't work.
          What OS are you running?
          Microsoft Office.
          You mean Windows.
          Yeah, I think I have Windows. But I'm running Office.
        Well, for the purposes of security, if the runtime library is distributed with the OS then it should be counted as part of the OS. So installed-on-every-copy-of-windows-because-every-program-needs-to-use-me.dll is counted as part of the OS but funky-library-for-doing-bad-stuff-from-Claria.dll isn't.
    • Someone on blogs.washingtonpost.com has a lazy mind.

      I know Microsoft issued a lot of patches this year that fixed quite a few vulnerabilities ... but 812? My suspicion has always been that Microsoft sometimes fixes multiple flaws with a single patch, even though its advisories may make it appear as though the patch addressed a singular issue.
      ...
      ...so attackers are looking at developing more exploits for applications that run on top of Windows and interact directly with the user (and are freely allowed in an

  • This article summary gives the illusion that "bugs" and vulnerabilities are the same thing. They are not; bugs can lead to vulnerability, but so do "features" in some cases.

    What exactly do they call bugs? One man's "bug" is another man's feature. If a function or dialog in OpenOffice, for example, doesn't have the same capability as MS Office, or different capability than the Office equivalent, is that a "bug" or a feature? Depends who you ask...

  • Be taken out of the libraries and such? Why is it so hard to remove such vulnerabilities when I've read that there are replacements for weak or exploitable code?
  • There are a lot of flaws that are counted multiple times in that count. For example, if a flaw is reported, and then 3 updates giving more details are reported, it is counted as 4 flaws in those counts. Here are the counts after a rough attempt at eliminating this overcounting:

    • windows: 681
    • unix: 1044
    • multiple: 1508
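    The three ways of counting the bulletin that this thread argues about (the article's raw line count, alanw's count with "(Updated)" lines dropped, and the collapse of repeated titles into one flaw used for the counts just above), as an added example that is not from the original thread or from US-CERT. The bulletin text is a constructed sample in the shape of the summary (the Apache title is the one quoted in the thread; every "Example ..." title is made up), and the section headings are assumed.

```python
import re

# Section headings are assumed to match the three groups the thread quotes
# (Windows, Unix/Linux, Multiple); the real bulletin's exact wording may differ.
SECTION_HEADINGS = {
    "Windows Operating System",
    "Unix / Linux Operating System",
    "Multiple Operating Systems",
}

# Entries that were re-issued with more detail carry a trailing "(Updated)".
UPDATED_RE = re.compile(r"\s*\(Updated\)\s*$")

# Constructed sample in the shape of the 2005 summary: a heading line followed
# by one entry title per line. The Apache title is the one quoted in the
# thread; every "Example ..." title is made up for this demonstration.
SAMPLE_BULLETIN = """\
Windows Operating System
Example Vendor FileTool Buffer Overflow
Example Vendor FileTool Buffer Overflow (Updated)
Example Vendor Viewer Remote Code Execution
Unix / Linux Operating System
Apache 'Mod_SSL SSLVerifyClient' Restriction Bypass
Apache 'Mod_SSL SSLVerifyClient' Restriction Bypass (Updated)
Apache 'Mod_SSL SSLVerifyClient' Restriction Bypass (Updated)
Apache 'Mod_SSL SSLVerifyClient' Restriction Bypass (Updated)
Example Project Mailer Denial of Service (Updated)
Multiple Operating Systems
Example Browser Cross-Site Scripting
Example Browser Cross-Site Scripting (Updated)
"""


def parse_bulletin(text):
    """Split the bulletin into {section heading: [entry titles in order]}."""
    sections = {}
    current = None
    for raw_line in text.splitlines():
        line = raw_line.strip()
        if not line:
            continue
        if line in SECTION_HEADINGS:
            current = line
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def is_update(title):
    return UPDATED_RE.search(title) is not None


def base_title(title):
    """Title with the "(Updated)" marker removed, used to group re-issues."""
    return UPDATED_RE.sub("", title).strip()


def summarize(text):
    """Per section: raw line count (the article's figure), the count with
    "(Updated)" lines dropped (alanw's figure), and the number of distinct
    titles (one flaw, however many times it was re-issued)."""
    result = {}
    for section, titles in parse_bulletin(text).items():
        result[section] = {
            "raw": len(titles),
            "excluding_updated": sum(1 for t in titles if not is_update(t)),
            "distinct": len({base_title(t) for t in titles}),
        }
    return result


def updates_without_original(text):
    """Per section: titles that appear only as "(Updated)" entries, i.e. whose
    first report is not in this list at all. Dropping "(Updated)" lines makes
    these flaws vanish from the count; counting distinct titles keeps them."""
    result = {}
    for section, titles in parse_bulletin(text).items():
        originals = {base_title(t) for t in titles if not is_update(t)}
        updated = {base_title(t) for t in titles if is_update(t)}
        result[section] = sorted(updated - originals)
    return result


if __name__ == "__main__":
    counts = summarize(SAMPLE_BULLETIN)
    print(f"{'section':32} {'raw':>4} {'no-upd':>7} {'distinct':>9}")
    for section, c in counts.items():
        print(f"{section:32} {c['raw']:4} {c['excluding_updated']:7} {c['distinct']:9}")
    for section, orphans in updates_without_original(SAMPLE_BULLETIN).items():
        if orphans:
            print(f"{section}: updates with no original in the list: {orphans}")
```

    On the sample the Unix/Linux section goes from 5 lines to 1 when "(Updated)" lines are dropped but to 2 when distinct titles are counted, because one flaw in that section appears only as an update; that gap is exactly the question asked above about entries updated more than once.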
  • by Tablizer (95088) on Saturday December 31, 2005 @02:28PM (#14371088) Homepage Journal
    The problem is obviously humans. If we kill the humans the problems wouldn't happen.
  • Will somebody please remove this guy from having the ability to post stories to slashdot? Yes, I already have his stories blocked, and I wonder how many others are doing the same.

    The stories are always slanted FAR away from the reality of what was said, and many times are flat out LIES! I first thought it could have been a mistake, but time has shown that this editor does not represent the community in ANY way whatsoever! This is pathetic! I'm not going to waste time digging through all the previous example

  • ...how many of the UNIX/Linux vulnerabilities were found (and then subsequently patched) because someone simply found a buffer overflow or the like in a code review.

    How many code reviews find and fix bugs for which no exploit exists in the wild for *ix?

    How many patched fixed bugs for which there was no exploit in the wild for Windows?
  • My company's Bugzilla database shows 5580 bugs opened in 2005. So I guess if bugs marked as duplicate and invalid are removed, our software accounted for almost all 5,198 software flaws of 2005.

    So... what's the secret you guys are hiding from us?
