Microsoft Escapes Kaspersky's Top 10 Vulnerabilities List

An anonymous reader writes "Security firm Kaspersky has released its latest IT Threat Evolution report. There were some interesting findings in the report, as always, but the most interesting thing that stuck out was all the way at the bottom: 'Microsoft products no longer feature among the Top 10 products with vulnerabilities. This is because the automatic updates mechanism has now been well developed in recent versions of Windows OS.'"

Surprised?

[Horshu]

Less surprising is that the top vulnerabilities are Oracle's Java and Adobe products. In fact, Adobe can claim 5 of the top 10. Too bad I still have Reader and Flash on my system, but Java was purged from my system about a week after I stopped doing Java development.

Apple Shows Up Twice?

[jarich]

Looks like MS is being dethroned. Between Apple, Oracle, and Adobe it's not looking good.

Re:Surprised?

[malakai]

They still do it. See here: http://www.java.com/en/download/faq/ask_toolbar.xml [java.com]
From Java.com:

The Ask Toolbar is integrated with the Java download. During the installation of Java, users are presented with an option of downloading the Ask Toolbar

Also, although it's fixed now, for a time, you couldn't direct link to the Win x64 JRE. It forced you through a page, that would check your browser and give you a x32 if your browser was 32bit. I used to have to fire up IE 64 on Server 2008 to grab a JRE to install on my 64bit os.

Re:Windows is no longer relevant

[Sir_Sri]

This is one of those things that will be hard to judge.

First off, there are more android installs than iOS, and a lot of them are older versions which aren't getting updates etc. I see what google et.al. are doing but that market fragmentation will eventually be a security nightmare.

Secondly, MS moves something like 250 million copies of windows a year, and yes, turnover is going down, but that means there are still a billion windows PC's in the wild. The smartphone market has much higher turnover, in part because of carrier subsidies and the noticeable performance improvements still happening, and in part because cell phones are just much more likely to physically fail than a desktop, so I would be surprised if there are 300 million iOS devices in the wild at all. Officially they've sold 400 million iOS devices (http://news.cnet.com/8301-13579_3-57511323-37/apple-by-the-numbers-84m-ipads-400m-ios-devices-350m-ipods-sold/) through june, but a LOT of those are replacements for older iOS devices at this point (it would be a bit like MS talking about how many copies of windows it has sold since 2007 versus how many are actually in use).

Lastly, a lot of mobile devices may have vulnerabilities than can be exploited but that don't put users at risk because users don't behave in a way that exposes them to much risk. If you aren't regularly grabbing new apps, or trying to click links in e-mails or the like, well, you're not a power user but you're not at a great deal of risk either. The only person on an island doesn't really gain much by locking their door sort of thing. And we all know hackers are after things worth money. Desktops are worth money, banking information is worth money, (and banking is becoming more popular on smartphones to be sure), pictures of naked women are worth money (and those are certainly on phones....), but it's hard to know if hackers, especially serious ones, are going to refocus on desktops, because now if you have a desktop you're probably a serious productivity person, which means you have something worth stealing.

Re:Windows is no longer relevant

[ILongForDarkness]

Well to be fair for the the majority of /. readers we aren't in the cheap desktop market. For one reason or another we'll find a way to drop 2k+ on our laptops and desktops. We're devs, or gamers, or video processing nerds, or guys that measure their worth by their massive stash of pirated material and seed ratio etc. Either way we seem to all want some combination of SSD, big disk capacity, massive monitor, top of the line CPU, etc. Apple gear might not be great value but they don't target the low end of the market and we generally aren't there anyways.

Re:Surprised?

[Blakey Rat]

I'll at least say that Adobe is getting it. All of their newest versions of reader and Flash have the option to automatically update without prompting.

It claims to. I've never seen it actually successfully pull it off.

Even worse, it only seems to even *check* for updates when I reboot-- so like maybe twice a month, max.

No, they're not getting it...

[Aphrika]

They don't understand that in businesses, you don't run users as admins, which is what the Adobe Updater appears to require for autoupdates.

What they need to do is bring out a decent admin tool like WSUS for their products which enables centralized administration. Ditto Apple, Firefox, Java and a truckload of other software that would probably have a bigger market share if they just understood that where business is concerned with patching and security; Microsoft 'just gets it'. That's one of the key reasons why IE is the business browser of choice, because patching it is easy and quick, not convoluted and frustrating.

That said, it is possible to centrally manage Macs, to a degree...