by Abbas Mirza Dec 26, 2011 2:30 am
Google, Microsoft and Apple are constantly engaged in a struggle for industry dominance, competing in software as well as in hardware ranging from computers and smart phones to multimedia devices. Meanwhile, the three companies share a common adversary that poses a present and future threat to the enterprise and consumer markets: software vulnerabilities.
On the security front, it is surprising to learn that Google and Apple have surpassed Microsoft in reported software security flaws. The real battle is not with each other but with the security threats.
Although their business models differ, all three are constantly targeted and exploited through the same threats and vulnerabilities as any other software-dependent vendor.
Today, Google still leads Internet search, Microsoft still owns the desktop operating system, and Apple has revolutionized the smart phone and entertainment industries with its iPhone and iPod devices. Which one is best positioned to handle security threats?
Many people assume that Microsoft always tops the list when it comes to security risks and software vulnerabilities. G7 Security recently analysed the data on published software vulnerabilities and found that the numbers do not support that assumption. Anyone who has attempted the same will know that it is an arduous task to get details on actual attacks: most agencies do not want to reveal the extent of sensitive security vulnerabilities, and private companies, especially financial institutions, do not want to reveal that their systems have been compromised. G7 therefore restricted the vendor criteria to private-sector technology companies and used the National Vulnerability Database (NVD) as the source for its analysis, counting published flaws (CVEs) rated Medium to High in severity that impair the security of Microsoft, Google and Apple software. Oracle was also included, as it is not only the relational database leader but also a vendor of choice for nearly all major companies.
Surprising Statistics Behind the Analysis
As one of the world's largest and most technologically advanced nations, the United States has more bandwidth running through it than any other country, which means virtually all of its consumers and businesses are exposed to threats. Microsoft powers the majority of computers in the U.S. with its Windows operating system, which makes it a prime target for attackers. The astounding numbers (Figure 1) show that, contrary to the popular belief that Microsoft products contain the highest number of reported software flaws, Microsoft is in reality not even close to Google. This is mostly because of Google Chrome, which competes with Microsoft's Internet Explorer in the browser market.
The following G7 graph shows year-end software vulnerabilities discovered in 2011 (Figure 1):
- Vulnerability Criteria: Software Flaws (CVE)
- Vulnerability Published Date Range: Jan. 2011 – Dec. 2011
Severity ranking is based on the Common Vulnerability Scoring System (CVSS), an open framework for communicating the characteristics and impacts of IT vulnerabilities. Its quantitative model gives repeatable, consistent measurement while letting users see the underlying vulnerability characteristics that were used to generate the scores. In particular, the Version 2 base metrics were used (Table 1).
CVSS Version 2 Metrics (Table 1)
| Metric | Possible values |
| Access Vector | Network / Adjacent Network / Local Access Only |
Based on NVD data, the statistics show that Microsoft's published software flaws declined in 2011 to 262, or 6.40% of all Medium to High vulnerabilities published that year, from 326 (7.03%) at year-end 2010, while Google's more than doubled from 222 (4.79%) in 2010 to approximately 498 (12.16%) at year-end 2011.
Google surprisingly tops the list, mainly because of the number of issues reported for Google Chrome. Like Microsoft, Apple saw its discoveries fall, from 452 (9.74%) in 2010 to 340 (8.30%) in 2011. Oracle followed Google upward, but by a smaller margin, rising from 229 (4.94%) in 2010 to 274 (6.69%) in 2011 for Medium to High published vulnerabilities. Note that a count like this measures flaws that were reported and published, not flaws that were exploited, so it reflects a vendor's disclosure volume as much as the quality of its code.
Microsoft products affected by the reported issues included Windows XP and Windows Server, Publisher, Office 2007, Internet Explorer 6 through 9 and Office 2008 for Mac, among others.
Apple's list included Mac OS X, iTunes, QuickTime, Safari and iOS, which powers the iPhone, iPod and iPad. Both Apple Safari and Google Chrome incorporate the WebKit framework.
Oracle was impacted by unspecified vulnerabilities in the Java Runtime Environment component of Oracle Java SE (JDK and JRE), which also affected other companies that ship the JRE within their product lines. Other affected areas included Oracle Solaris 8, 9, 10 and 11 Express and the Oracle Sun Products Suite, among others.
The good news is that the overall total number of discovered threats has been declining since 2009. G7 Security validated this trend against the total matches-by-year statistics queried from NVD data with all of the above criteria applied.
Looking ahead, expect Microsoft to stay the course in reducing and more effectively responding to threats, while the others strive to achieve the same as their user bases grow.
Anzar Hasan. CISA, C|EH
Certified Expert in various security disciplines and practices such as Ethical Hacking from a vendor-neutral perspective.
The security matrix and statistics are based on information gathered from the NVD, the U.S. government repository of standards-based vulnerability management data.
NVD is a product of the NIST Computer Security Division, Information Technology Laboratory, and is sponsored by the Department of Homeland Security's National Cyber Security Division.
About G7 Security
G7 provides awareness and security resources in the form of news feeds, US-CERT security alerts, podcasts and videos, among many other information security activities and tools for web and mobile devices.
(Search for “G7 Security” on App Store and Android Market for your devices). Twitter @iSecurity