
Secunia Security Factsheets for Q1 2011

15:02 CET, 1st April 2011 By Stefan Frei.

Secunia Security Factsheets present important security information about a given product in one consistent, standardised document. The factsheets go well beyond simple vulnerability counts by analysing the type and number of vulnerabilities, paired with information about the software vendor's ability to roll out security patches. The information is based on Secunia's Vulnerability Intelligence database and the analysis of Secunia Research.

We introduced and released the first series of Secunia Security Factsheets in Q3 2010. Today we have released the factsheets for Q1 2011.

Q1 2011 Highlights

For the first time we have data for a full 12-month period for Windows 7, which was publicly released in October 2009. Looking at the factsheets of Windows XP, Windows Vista, and Windows 7, it is evident that the age of the version correlates with the number of vulnerabilities: the more recent the version of the Microsoft operating system, the lower the number of vulnerabilities it had in the last 12 months. As is common for these versions of the operating system, “System Access”, “Denial of Service”, and “Privilege Escalation” were the three most prevalent impact classes in the Secunia Advisories. A “Privilege Escalation” vulnerability allows an attacker to gain elevated privileges, nullifying the protection sought from restrictive user permissions on the end-point.

Our factsheets also cover five Web browsers: Internet Explorer, Mozilla Firefox, Google Chrome, Apple Safari, and Opera. We found a wide range of year-on-year (YoY) trends in vulnerability numbers among these browsers, from -37% to +167%. We also observed that the total number of vulnerabilities in a Web browser did not correlate with the browser's market share over the last 12 months. As with operating systems, “System Access” was the most prevalent impact class over the last year for all Web browsers, which underlines how directly these vulnerabilities expose users to end-point compromise.

For both Adobe Reader and Adobe Flash, two of the most prevalent programs found on any end-point, we still observe an upward trend in vulnerabilities in a year-on-year (YoY) comparison. The Secunia Advisories covering these two products were almost exclusively rated either “Extremely critical” or “Highly critical”. This emphasises the importance of rapidly patching third-party programs on end-points to remediate the risk.

I hope the quarterly Secunia Security Factsheets contribute to raising awareness about the evolution of vulnerability threats, support you in your work, and help with spotting new trends early.

The factsheets are available here.

Stay Secure,

Stefan Frei
Research Analyst Director

Discuss this blog entry

Subject: Secunia Security Factsheets for Q1 2011

Phelina RE: Secunia Security Factsheets for Q1 2011
Member 2nd Apr, 2011 04:56
Score: 0
Posts: 2
User Since: 19th Jun 2010
System Score: N/A
Location: US
Last edited on 2nd Apr, 2011 04:56
First, I'd like to say that Adobe needs to get their act together and do it right for once. I know of no other program that needs so many updates so often, and they're so sloppy about it, they don't even throw in an uninstall of the previous version, yet it is "recommended". Well, if it's recommended then why don't they include it all in one fell swoop?

And then there's Microsoft! I was supposed to update a program called Microsoft Visual C++ 2005 redistributable. I understand it's apparently needed to make other programs work. Fine. So I go to the Microsoft website and they give me about 5 choices with a little note that says, download the one that fits your systems! Well that's just great! I have no clue which one fits my system. Don't you think it would be helpful if they were just a little more specific? Well, the first one didn't work so I downloaded another one. So far, I've downloaded the same two or three every day for the past three days but I'm still getting messages telling me the program is insecure and I need an update. I give up. I'm tired of trying to find someone who thinks they know the solution and trust what they tell me to do.

There's just way too much time spent on updates, downloads, vulnerabilities and security crap. All the vulnerabilities and viruses have to be coming from the people who sell the antivirus products. How else would they know when a virus is about to be spread? What exactly are their sources for virus information? What could they possibly update on a daily basis? What is it that is vulnerable today that wasn't vulnerable yesterday?? Do they get an AP wire every morning that says, “OK, here's the bug for today, and it's a doozy . . .”, just so they'll know what gap needs to be filled. Man! If you don't update that thing for a week or two, you are in big freaking trouble!! Sounds to me like a big game being played among the folks who are selling the products that are supposed to be protecting our precious hard drives from certain doom.

I don't know anything about a computer and have no desire to. If I bought a car that required as much maintenance and techy know-how as a computer does, I'd take it back and demand satisfaction, as I have about as much desire to become an auto mechanic as I do a computer techy. Life is just too busy to spend hour after hour reading through forum after forum and then, through a lot of guesswork and/or trial and error, trying to get the machine to work the way it's supposed to. Can you imagine going out to your car in the morning only to find it isn't working and you have to figure out what needs to be done and get it fixed so you can get to work? Or how about getting updates installed every week - or every day? Kind of like stopping for gas every day! Frustration would set in very quickly!

And just when you think it's fixed and all is well, same thing next week! Updates and service packs MUST be installed immediately or else you'll be vulnerable to all kinds of nasty things -- people stealing your identity, finding out where you shop and what you buy, destroying all the information that you've spent years accumulating and saving and making your life a living hell. And then there's always the “new and improved” upgrade. Now we need IE version 9. What was wrong with 7? Guess things can only take just so many patches before it's nothing but one great big band-aid!

One of the biggest annoyances is when you get a pop up that says something to the effect of "Go talk to your administrator". What they really mean is, “Get somebody who knows what they're doing.” Well, unfortunately, when I bought this thing, I also took on the title of administrator - like it or not, I'm it! No one else here with more knowledge than I, so what now my friend - any other suggestions?

My point is - why is all this nonsense necessary? Surely there are enough techies out there to figure out how to get this concept down pat. All most people want is their own little box to surf, read email, do some letters, take care of business, play some games, listen to tunes, burn some CDs or create some cool graphics. But when they sit down with those intentions in mind, they often find that they're going to be sitting in front of that screen a whole lot longer than they planned to, and may never actually get to do whatever it was they intended to do in the first place.

Personally, I have one computer in the house - no need for networking options, home networks, group policies or 7 other users. I don't play games so that's another bundle I could do without. I have no intention or desire to build a website so I could do very well without all the web building stuff. And let's see, do I really need both 32 bits AND 64 bits? Well, I couldn't tell you. Maybe I do and maybe I don't, but nowhere have I seen anything that tells me precisely what the difference is between them. The only difference I can see is that now I have to download double updates from Adobe!!! As if one a week weren't enough!! But did I have a choice? No. Am I totally missing it, or is there a reason why we can't have choices when we buy a computer? I'm sure I could investigate and find out more about the bits, but I didn't buy this thing to learn about how it operates, and I really don't care. I just want it to work, to have access to my documents without sudden lockups and to be free from constant updates and downloads.

Well, that's my 2 cents worth - I'm sure there are a lot of things I left out, but I guess you get the point. A computer has become a necessary evil and like it or not, we're stuck with it, warts and all. Maggie, what have we done??
taffy078 RE: Secunia Security Factsheets for Q1 2011
Contributor 2nd Apr, 2011 08:28
Score: 408
Posts: 1,355
User Since: 26th Feb 2009
System Score: 100%
Location: UK
hear, hear!

I bet that many here - the majority? - will read your post and agree. As you rightly say, you don't have to know what every component of a car does to be able to drive and enjoy it. Why should PCs be any different?

I can't think of any other area of retailing/manufacturing where a business would get away with treating customers this way.

And thank you, Secunia, for such an interesting factsheet. :0)

taffy078, West Yorkshire, UK

Desktop: Compaq Presario (OEM) 32 bit / AMD Athlon / 2 GB RAM
XP Home - SP3/ IE8/ Norton IS - Secunia PSI v2.0.0.3003

Laptop: Win 7 / IE11 / PSI v2.0.0.3003
