Microsoft Escapes Kaspersky's Top 10 Vulnerabilities List

Posted by timothy
from the or-maybe-it-goes-without-saying dept.
An anonymous reader writes "Security firm Kaspersky has released its latest IT Threat Evolution report. There were some interesting findings in the report, as always, but the most interesting thing that stuck out was all the way at the bottom: 'Microsoft products no longer feature among the Top 10 products with vulnerabilities. This is because the automatic updates mechanism has now been well developed in recent versions of Windows OS.'"
  • by Anonymous Coward

    And in other news MicroSoft purchased security firm Kaspersky for undisclosed billions of dollars in gold...
    [/humor] - just kidding!

  • Surprised? (Score:3, Interesting)

    by Horshu (2754893) on Saturday November 03, 2012 @11:34AM (#41864653)
    Less surprising is that the top vulnerabilities are Oracle's Java and Adobe products. In fact, Adobe can claim 5 of the top 10. Too bad I still have Reader and Flash on my system, but Java was purged from my system about a week after I stopped doing Java development.
    • Re:Surprised? (Score:5, Insightful)

      by Colonel Korn (1258968) on Saturday November 03, 2012 @11:41AM (#41864695)

      Less surprising is that the top vulnerabilities are Oracle's Java and Adobe products. In fact, Adobe can claim 5 of the top 10. Too bad I still have Reader and Flash on my system, but Java was purged from my system about a week after I stopped doing Java development.

      Just to reinforce the picture of Java as crapware, it blows my mind that Oracle packages shit like the Ask Toolbar in the regular security updates and you have to uncheck a box in order to prevent its installation. Oracle is a Zynga-level company.

      • by Rinnve (2731289)

        Oracle packages shit like the Ask Toolbar in the regular security updates and you have to uncheck a box in order to prevent its installation.

        What? I've been using Java applications for several years, but I've never seen the Ask Toolbar or anything else "extra" in JRE security updates.

        • Re:Surprised? (Score:5, Interesting)

          by malakai (136531) on Saturday November 03, 2012 @12:11PM (#41864933) Journal

          They still do it. See here: http://www.java.com/en/download/faq/ask_toolbar.xml [java.com]
          From Java.com:

          The Ask Toolbar is integrated with the Java download. During the installation of Java, users are presented with an option of downloading the Ask Toolbar

          Also, although it's fixed now, for a time you couldn't direct-link to the Win x64 JRE. It forced you through a page that would check your browser and give you the 32-bit one if your browser was 32-bit. I used to have to fire up IE 64 on Server 2008 to grab a JRE to install on my 64-bit OS.

        • by dissy (172727)

          What? I've been using Java applications for several years, but I've never seen the Ask Toolbar or anything else "extra" in JRE security updates.

          Then you may want to go back to all those vulnerable systems you deployed which clearly have NEVER had a Java update of any kind installed to them in the past 4 years...

    • I'll at least say that Adobe is getting it. All of their newest versions of reader and Flash have the option to automatically update without prompting.

      Oracle has no clue. If anyone reading this works for Oracle, I want you to do the following. Also, if you know someone who works for Oracle, please forward this to them and ask them kindly to follow the instructions below.

      1) Walk into the office of the person who writes the update system for Java.
      2) Scream at the top of your lungs "AUTOMATICALLY INSTALL UPDAT

      • by Horshu (2754893)
        Adobe's getting the autoupdate part, but they're using it as a crutch for their inability to test code thoroughly before publishing. Auto-updating is great to have and good to use, but when the same product is being updated every few weeks (maybe sooner...I just go by how often Adobe updates whenever I reboot my machine) for years on end, it should tell the product management something.
      • by Jesus_666 (702802)
        Given that the JRE comes with a complimentary browser toolbar that you have to manually uncheck in the installer (for each update) and that Flash can't be installed without closing every browser, I want neither of those components to automatically update itself. Asking me is fine but as long as their update routines want to install crapware (or require manual intervention in the case of Adobe) fully automatic updates don't seem like a particularly good idea.
        • hmm. forgot about the crapware.

          Probably need to add a #5 and #6 to that list with "NO CRAPWARE" as the selling point, although I guess that would go to whoever handles the installer.

      • Re:Surprised? (Score:4, Interesting)

        by Blakey Rat (99501) on Saturday November 03, 2012 @12:49PM (#41865235)

        I'll at least say that Adobe is getting it. All of their newest versions of reader and Flash have the option to automatically update without prompting.

        It claims to. I've never seen it actually successfully pull it off.

        Even worse, it only seems to even *check* for updates when I reboot, so like maybe twice a month, max.

        • by toddestan (632714)

          It claims to. I've never seen it actually successfully pull it off.

          It seems to work on Windows XP if you are an administrator. I don't think that Adobe fully understands UAC yet, despite it being around since Vista launched.

      • by Aphrika (756248) on Saturday November 03, 2012 @03:06PM (#41866467)
        They don't understand that in businesses, you don't run users as admins, which is what the Adobe Updater appears to require for autoupdates.

        What they need to do is bring out a decent admin tool like WSUS for their products which enables centralized administration. Ditto Apple, Firefox, Java and a truckload of other software that would probably have a bigger market share if they just understood that where business is concerned with patching and security, Microsoft 'just gets it'. That's one of the key reasons why IE is the business browser of choice: patching it is easy and quick, not convoluted and frustrating.

        That said, it is possible to centrally manage Macs, to a degree...
        • Reader's automatic updater works without admin rights on Vista or newer, but requires a background service. Flash Player's works on XP or newer without admin rights, and fires from Windows Task Scheduler just like Google Chrome's.
    • Is it just the Windows version of Java? What about Tomcat and other enterprisey Java packages? Do they suffer from the same flaws?

      • by dkf (304284)

        Is it just the Windows version of Java? What about Tomcat and other enterprisey Java packages? Do they suffer from the same flaws?

        Not nearly so much. They don't use the same model as java-in-the-browser, and so don't suffer from the same threats. You have to work at it to make tomcat insecure from its Java nature; though you can of course deliberately install insecure webapps in it, that's about as significant as running bad CGI scripts inside Apache: idiots will be idiots and crap programmers will be crap programmers.

        Enterprisey Java programs tend to not run arbitrary code that someone "out there on the web" specifies. In fact, they

    • Not surprising I guess, but that means if you avoid Flash and Java you are a long way to avoiding problems (outside of the normal AV and update activities). Both are really hard to avoid in the modern world though. I wonder when Oracle starts getting a bad rep for security out of this? Will customers start wondering about dropping $100k on a DB server from the same company that got their phone hacked with a 3-month-old bug?

  • by jarich (733129) on Saturday November 03, 2012 @11:37AM (#41864675) Homepage Journal
    Looks like MS is being dethroned. Between Apple, Oracle, and Adobe it's not looking good.
    • It is becoming less relevant. Still it is bad that Microsoft does not disclose the source code of its applications. That means thousands of unfixed security vulnerabilities that otherwise would be found.
      • by Anonymous Coward

        So you are assuming that all those OSS apps out there are perfect just because you can get the source code??

        Please! 99.9% of users can't fix a simple buffer overflow crashing their apps, never mind obscure stuff. Just because there is code available, does not make it more secure! Aside from the main projects, you end up with 1 or 2 part time devs, not hundreds of devs. Code quality is all over the place.

        Just look at the code quality in Debian archive. It is all over the place! Some of it is excellent. Most

      • It is becoming less relevant.

        A small correction, but the end-user-focused software by MS is becoming less relevant. That's where most of the bugs always were, and that's exactly what people are not using anymore. Server software is also getting less relevant, but it doesn't matter in this context. Kernel and libraries are as relevant as they always were (ok, a tiny bit less).

        What is gaining relevance now is the crapware that people must install because Windows does nothing out of the box.

  • by Anonymous Coward

    Many of the entries appear to be for identical things

    • by Anonymous Coward

      Anytime a vulnerability occurs on a multi-platform application it shows up on all of the platforms. The only time this doesn't happen is if the application/library has multiple sources - then it depends on the distribution.

      The Java problems are most likely in the runtime that was open sourced - but still in use by both sources of the runtime.

  • Fluff. (Score:3, Informative)

    by bmo (77928) on Saturday November 03, 2012 @11:53AM (#41864785)

    This article is nothing but Softie cheerleading without any meat. You have to go to the report itself for any real facts.

    Indeed, this paragraph explains *why* Java exploits are common in the wild.

    Java vulnerabilities were exploited in more than 50% of all attacks. According to Oracle, different versions of this virtual machine are installed on more than 1.1 billion computers. Importantly, updates for this software are installed on demand rather than automatically, increasing the lifetime of vulnerabilities. In addition, Java exploits are sufficiently easy to use under any Windows version and, with some additional work by cybercriminals, as in the case of Flashfake, cross-platform exploits can be created. This explains the special interest of cybercriminals in Java vulnerabilities. Naturally, most detections are triggered by various exploit packs.

    In other words, if you do auto-updates of java and stuff like it, you are far less vulnerable. I don't think Windows even has a facility to do this, one must roll one's own for each package.

    Keeping up to date with Oracle Java on Debian style systems:

    http://www.webupd8.org/2012/09/install-oracle-java-8-in-ubuntu-via-ppa.html [webupd8.org]

    --
    BMO

    • auto-updates of java (Score:5, Informative)

      by Tim Ward (514198) on Saturday November 03, 2012 @12:13PM (#41864947) Homepage

      But you can't do auto-updates of Java, otherwise other stuff on your machine stops working.

      Java is sufficiently flaky that it's very common for particular applications to need particular versions very carefully installed and configured, so you end up with several versions on your machine - allowing auto-update is a recipe for utter chaos.

      • by Carcass666 (539381) on Saturday November 03, 2012 @12:33PM (#41865089)

        But you can't do auto-updates of Java, otherwise other stuff on your machine stops working.

        Java is sufficiently flaky that it's very common for particular applications to need particular versions very carefully installed and configured, so you end up with several versions on your machine - allowing auto-update is a recipe for utter chaos.

        This. For those running eBusiness Suite who also have to use sites with applets, companies are caught between the rock of having to update Java to keep your browsers happy and the hard place of incompatibility of applications with newer versions of Java. Yes, you can load multiple versions of Java, but keeping things automatically updated, and keeping each application/browser using the correct JVM? Ouch. The recent issues over the past few months with poorly executed changes in the security model (broken applets that leverage AJAX), Apple's insistence (now abandoned) on distributing its own, outdated Java, and the mediocre UI stack make Java on the desktop a nightmare. I love my GlassFish servers, but Java needs to be abandoned on the desktop. I think most people have given up on "write once, run anywhere"; they would settle for "write once, run consistently". The Java brand suffers because of the desktop nonsense, which is a shame because it is so powerful and useful on servers.

      • by jbengt (874751) on Saturday November 03, 2012 @01:10PM (#41865385)

        Java is sufficiently flaky that it's very common for particular applications to need particular versions very carefully installed and configured...

        Exactly. I do work for a client that uses Primavera, which we have to access through a browser for all records and communication on their construction projects. A recent update to their installation required us to install a very particular Java version that is not at all up-to-date or secure, fuck whatever else we might need Java for. The kicker is that both Java and Primavera are Oracle products.

      • by mrmeval (662166)

        ADP payroll systems is forcing the use of an ancient version of Java and they refuse to fix their broken app.

        http://www.adp.com/ [adp.com]

        One example; there are plenty more.
        http://ww2.valdosta.edu/helpdesk/news/042611a.shtml [valdosta.edu]

        Some payroll system.

      • by Bigbutt (65939)

        Yep. I have some Dell blade chassis that require a very very specific version of Java. The next iteration of Java after that fails to start the console for access to the blades. I installed VirtualBox with Windows XP and the specific version of Java (something like 1.4.14 where 1.4.15 fails) so I can continue to manage the Dell chassis. Fortunately we're in the process of replacing them with newer equipment so I can flush the XP VM.

        [John]
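The thread above describes the bind of keeping several JREs installed while applications pin to old ones. As an added example (not code from any commenter or from Oracle), here is a small Python inventory check that parses the legacy `java -version` banner of each installed JRE, flags installs below a patched baseline, and reports which pinned applications are stuck on a stale install versus which stale installs nobody uses and could be removed. The paths, version strings, baseline and application names are constructed sample data.

```python
import re

# Legacy (pre-JDK 9) banners look like: java version "1.7.0_09"
# The update part (_09) is optional, e.g. "1.4.14" in older installs.
VERSION_RE = re.compile(r'java version "(\d+)\.(\d+)\.(\d+)(?:_(\d+))?"')


def parse_java_version(banner: str) -> tuple:
    """Return (major, minor, micro, update) from a `java -version` banner line."""
    m = VERSION_RE.search(banner)
    if not m:
        raise ValueError(f"unrecognised java -version banner: {banner!r}")
    major, minor, micro, update = m.groups()
    return (int(major), int(minor), int(micro), int(update or 0))


def audit_installs(banners: dict, baseline: tuple, pins: dict) -> dict:
    """banners: install path -> first line of its `java -version` output.
    baseline: lowest version tuple considered patched.
    pins: application name -> install path it is configured to use.
    Returns stale installs, applications stuck on them, and stale
    installs nothing is pinned to (candidates for removal)."""
    installs = {path: parse_java_version(b) for path, b in banners.items()}
    stale = sorted(path for path, ver in installs.items() if ver < baseline)
    stuck_apps = {app: path for app, path in pins.items() if path in stale}
    removable = [path for path in stale if path not in stuck_apps.values()]
    return {"stale": stale, "stuck_apps": stuck_apps, "removable": removable}


# Constructed sample inventory: two old JRE 6 installs and a current JRE 7.
SAMPLE_BANNERS = {
    r"C:\Program Files\Java\jre6": 'java version "1.6.0_31"',
    r"C:\Program Files\Java\jre7": 'java version "1.7.0_09"',
    r"C:\Program Files (x86)\Java\jre6": 'java version "1.6.0_20"',
}
# Constructed pin: a hypothetical web app configured to use the 32-bit JRE 6.
SAMPLE_PINS = {"primavera-web": r"C:\Program Files (x86)\Java\jre6"}
# Constructed baseline: treat anything below 1.7.0_09 as unpatched.
BASELINE = (1, 7, 0, 9)

if __name__ == "__main__":
    report = audit_installs(SAMPLE_BANNERS, BASELINE, SAMPLE_PINS)
    for key, value in report.items():
        print(f"{key}: {value}")
```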

  • Windows is still very insecure. After all it has that whole list of software exposing it to danger.
  • The article is about the most common vulnerabilities on "PCs with Kaspersky software installed"; it is not about the most secure software. This report just says that many people who use Kaspersky do not keep their Java and Flash updated. Secunia rates the unpatched vulnerabilities of Windows 7 as highly critical [secunia.com]. It's just that big companies (the most likely customers of Kaspersky) don't use W7 as much as Java.
  • Cracking and Virus writing has NEVER been about the number of systems like the MS fanbois love to claim. It has always been about what is easier to attack. At this time, all of the other systems need to focus on security as well. Regardless, this reminds me of the bear joke:
    A bear comes in the back of a tent, and one guy is putting on shoes. The other is screaming that they have to outrun the bear, and asks the first guy why he's putting on shoes. He says that he does NOT have to outrun the bear. He simply has to outrun the o
    • by Gordo_1 (256312)

      Cracking and Virus writing has NEVER been about the number of systems like the MS fanbois love to claim. It has always been about what is easier to attack.

      Um, it's about both. Cracking and virus writing these days is mostly about making money. When your primary goal is to make money, you go for the low hanging fruit: Easy to find exploits that exist on as many systems as possible = biggest bang for your cracking/virus writing buck.

      • by cbhacking (979169)

        Actually, even the low-hanging fruit isn't enough. Malware is an illegal business; engaging in it has risks. Hypothetically, if I could write the code for an OS X botnet worm at no cost (say, an evening of my own time), and earn $10 for each Mac infected, or spend $500000 (say, a government project) developing something equivalent for Windows, the Windows option is by far the better one even though OS X is the low-hanging fruit. Once you've managed to infect 50k more Windows boxes than OS X ones - which wil

  • All the good attacks are at facebook etc. b

  • MS products do not have the top vulnerabilities, but they are still top targets: most malware is still designed for Windows. It is just that the attackers reach the target through different vulnerabilities. It is therefore still true that using Windows poses a risk.
  • by dgharmon (2564621) on Sunday November 04, 2012 @05:11AM (#41871123) Homepage
    "Microsoft products no longer feature among the Top 10 products with vulnerabilities"

    "Kaspersky Lab is a Microsoft Gold Certified Security Solutions Partner and is currently working on several joint projects with Microsoft". link [kaspersky.com]
