
Not one Microsoft product on Kaspersky’s top 10 vulnerabilities list - tarekayna
http://thenextweb.com/microsoft/2012/11/02/microsofts-security-team-is-killing-it-not-one-product-on-kasperskys-top-10-vulnerabilities-list/?utm_campaign=social%20media&utm_medium=share%20button&utm_content=Microsofts%20security%20team%20is%20killing%20it:%20Not%20one%20product%20on%20Kasperskys%20top%2010%20vulnerabilities%20list&awesm=tnw.to_lLo7&utm_source=Twitter
======
sriramk
This is the result of nearly a decade of work from MSFT, across the board.
They built better tools, drilled security into every new hire all the way to
the execs, made it a part of every engineering and product process imaginable.
Happy that is finally being acknowledged on the outside.

~~~
lumberjack
What can we trace this security priority initiative of Microsoft back to?

~~~
mcphilip
Jan 15, 2002 email from Bill Gates to all MSFT staff [1]. Includes some real
gems, like:

>So now, when we face a choice between adding features and resolving security
issues, we need to choose security. Our products should emphasize security
right out of the box, and we must constantly refine and improve that security
as threats evolve.

1. <http://www.wired.com/techbiz/media/news/2002/01/49826>

~~~
ChuckMcM
I was hugely impressed by Bill when I read that memo, I checked with my
friends who worked there to see if it was 'real' or a PR stunt, and they
universally agreed it was very very real.

I suspect Google is about to be tested in this way given the adoption of
Android on mobile devices. It is fortunate that they have a strong security
culture to begin with but nothing proves that like being battle tested.

~~~
elorant
Google isn't the first company that would come to my mind. I'd rather go for
Apple. Their mobile ecosystem might be a lot more secure than Android's, but
the way they acknowledge OSX vulnerabilities and how soon they fix them is a
weak spot.

Oracle with Java could also get a lot of heat.

~~~
wisty
Apple regularly loses security shootouts, and is widely derided by security
people. Their only advantages are their niche status (which they are losing)
and their lack of consideration towards old apps (they can dump old APIs which
are hard to secure, and make other backwards-incompatible fixes, because they
just don't care that much about backwards compatibility).

~~~
cgh
This is a rather biased view. Maybe check that top ten list again.

~~~
sesqu
The one that Apple holds two positions in for arbitrary code execution
vulnerabilities?

------
boyter
I usually get shouted down when I say this but Microsoft's focus on secure
code over the last 10 years has paid off. Not only is the OS too hard a target
(hence the increase in Java and Adobe product exploits), but their software
running on their OS has fallen in line too.

I know the saying many eyes make bugs shallow, but so does billions of dollars
and years of concentrated effort. Kudos to Microsoft for getting their act
together.

~~~
Legion
> I know the saying many eyes make bugs shallow, but so does billions of
> dollars and years of concentrated effort.

The saying holds. Billions of dollars buys many eyes.

~~~
jcheng
That's not really how secure coding works at Microsoft though. There aren't
more eyes on the code, just more developer training and more processes in
place. (At least that was my experience working there from 2006 to 2009.)

~~~
tptacek
There are more eyes on the code too, though: virtually everything Microsoft
ships gets a 3rd party review.

~~~
dllthomas
... that still isn't "many eyes" on any particular piece of code, in the sense
of the saying, though.

~~~
tptacek
Just because Eric S. Raymond says that's how security bugs should be found
doesn't mean that's how security bugs are actually found.

~~~
dllthomas
And that is an interesting point; and it is specifically the point the G*P was
making, which was obscured by saying, "Oh, but there are still multiple eyes
here."

------
nostromo
Interesting to note that both Apple vulnerabilities listed exist only for
their Windows software. (QuickTime:
<http://lists.apple.com/archives/security-announce/2012/May/msg00005.html>
iTunes: <http://support.apple.com/kb/HT5485>)

I wonder if these are lower priority for Apple or if they perhaps just aren't
as good when developing for Windows.

~~~
gilgoomesh
Quicktime on Windows is stuck at version 7, which is riddled with numerous
problems. It's this old Quicktime codebase that is the source of the Quicktime
and iTunes vulnerabilities on Windows.

The current version on Mac and iOS is Quicktime X. This version was a complete
rewrite (that started on iOS and eventually migrated to the Mac). The complete
rewrite allowed for a vastly more secure design (among other improvements).

~~~
shinratdr
But the iTunes backend is still QuickTime 7 on both Mac OS X and Windows.
QuickTime is really only present on Windows machines nowadays as the backend
of iTunes.

------
ajross
It's actually this bit from farther down that surprised me the most:

> _56 percent of exploits blocked in Q3 use Java vulnerabilities._

So much for the idea of a managed language runtime being inherently more
secure...

~~~
MichaelGG
The runtime isn't written in a managed language, and that's where most of the
vulnerabilities happen, right? The holes aren't in application code, but in
_running arbitrary code_, which the JVM fails to do safely.

The surface area exposed is larger, because you're allowing the browser to
download and run arbitrary programs, something you don't do with unmanaged
languages very much.

Edit: Also, just consider how much worse it'd be if Java apps were re-written
in a language that allows buffer overflows. Enterprises already cannot get
security right; even generating SQL queries results in problems. No way would
those teams deal with yet another layer of security issues. Hell, I've dealt
with commercial teams writing in C++ thinking a buffer overflow has "something
to do with network rate limiting."

~~~
0x0
_> "The runtime isn't written in a managed language, and that's where most of
the vulnerabilities happen, right?"_

At least some of those Java vulnerabilities are logic errors in the
sandboxing/securitymanager parts that are supposed to prevent applets from
accessing privileged APIs, and those checks are usually implemented inside the
actual java.* standard library classes, in the Java language.

------
Someone
Reading
<http://www.securelist.com/en/analysis/204792250/IT_Threat_Evolution_Q3_2012>,
I find it surprising that the Netherlands manages to be the best malware
exporter in the world (third in 'production', close behind Russia and the USA
(both with a much larger population), but also in the top 10 for 'least
consumption', a list that neither Russia nor the USA made).

Does anybody have any idea how that comes about? The only reason I can think
of is that Amsterdam is a huge node in the Internet backbone
(<http://en.wikipedia.org/wiki/Amsterdam_Internet_Exchange>). Malware authors
might want to host their stuff close to such nodes, so that they can
distribute their wares efficiently.

~~~
budgi3
Amsterdam is a criminal epicenter

~~~
dr_doom
Any further links or reading? I am very interested in this subject.

~~~
yread
Just look at the number of banks and high frequency trading shops :D

------
UnoriginalGuy
If you're running Chrome please for the love of all that is holy enable Click-
To-Play for all plugins. With it disabled it is like running without a pop-up
blocker.

You can do so in Settings -> Advanced Settings -> Content Settings -> Plug-Ins
-> Click To Play.

When you visit a site which has a plug-in you'll get a UI control similar to
the pop-up blocker which allows you to add it to the exceptions list and or to
allow it just this one time. You should add YouTube to the exceptions list.
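
The same click-to-play setting, with the YouTube exception, can be pushed as a managed policy instead of clicked through the Settings UI. The script below is an added example, not something from the thread or from Google. It assumes a Linux Chrome that reads JSON policy files from /etc/opt/chrome/policies/managed/, and it uses the DefaultPluginsSetting (1 = allow, 2 = block, 3 = click to play) and PluginsAllowedForUrls keys as Chrome honoured them in its plug-in era; those keys were retired together with Flash/NPAPI support in later Chrome versions, so check the current policy list before relying on them.

```shell
#!/bin/sh
# Added example (not from the thread): enforce Chrome's click-to-play for
# plug-ins through a managed policy file rather than the Settings UI.
# Assumptions: Linux Chrome reads JSON policies from
# /etc/opt/chrome/policies/managed/ (its default managed-policy directory),
# and the keys DefaultPluginsSetting (1 = allow, 2 = block, 3 = click to
# play) and PluginsAllowedForUrls are the plug-in-era keys Chrome honoured.
# The YouTube exception mirrors the advice in the comment above.

# write_chrome_plugin_policy DIR
# Writes DIR/plugins-click-to-play.json and prints the path of the file.
write_chrome_plugin_policy() {
    dir=$1
    file="$dir/plugins-click-to-play.json"
    mkdir -p "$dir"
    cat > "$file" <<'EOF'
{
  "DefaultPluginsSetting": 3,
  "PluginsAllowedForUrls": [
    "[*.]youtube.com"
  ]
}
EOF
    printf '%s\n' "$file"
}

# policy_plugins_setting FILE
# Prints the integer value of DefaultPluginsSetting found in FILE, or
# "missing" when the key is absent, so a compliance check can be scripted.
policy_plugins_setting() {
    value=$(sed -n 's/^[[:space:]]*"DefaultPluginsSetting":[[:space:]]*\([0-9][0-9]*\).*/\1/p' "$1")
    if [ -n "$value" ]; then
        printf '%s\n' "$value"
    else
        printf 'missing\n'
    fi
}

# Usage (root is needed for the real policy directory):
#   write_chrome_plugin_policy /etc/opt/chrome/policies/managed
#   policy_plugins_setting /etc/opt/chrome/policies/managed/plugins-click-to-play.json
```

Chrome shows managed policies at chrome://policy, which is the quickest way to confirm the file was picked up; a value other than 3 there means a user-level setting is not what is in force.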

~~~
nickbaum
Or better yet, switch YouTube to the HTML5 player:

<http://www.youtube.com/html5>

One less site that needs Flash.

~~~
padraigm
Every time I join the YouTube HTML5 trial it gets silently turned off and
videos start playing in Flash again a week or two later. Does that happen to
anyone else?

~~~
nextstep
Yes! I have turned that on many times and I always end up watching flash
videos again. I wonder if it had to do with my session cookie expiring. Does
anyone know how they toggle this experiment on/off for different users?

~~~
moreati
I'm in the beta, I've never had to rejoin. Possibly because I'm logged into my
Google account, which is linked to my YouTube account. Note that some YouTube
videos are still delivered as Flash; I believe it is whenever adverts are shown.

------
romland
And to think that a free (as in it didn't cost me a cent unless I want to pay
for it) piece of software protected me from most of this. The phenomenon known
as NoScript is quite marvelous in doing its job without eating much of my CPU
cycles :-)

Of course, when you get down to the bottom line you know it's not a huge
technical feat, but really, neither is anti-virus software. It's a matter of
foresight and hard work. Donate today :)

(Disclaimer, I am in no way connected with NoScript other than being a happy
user)

Edit: After posting this I realize it comes across as a bit of advertising and
not contributing much to the conversation, I was about to delete it, but I
stopped myself and wanted to add: I am -truly- happy not having to (even
though I do) worry about what links I can click.

------
pooriaazimi
Haha. Great to see iTunes and QuickTime (Windows versions, probably?) on the
list... Apple should really either update them _(I'm not sure iTunes 11 will
be released for windows too)_ , or just abandon them (and ask customers to use
iCloud for backup). A few days ago I opened a .mov on a Windows machine with
QuickTime - it was horrible. I can't imagine how dreadful iTunes probably is.
No wonder all PC guys hate iTunes...

~~~
robomartin
I hate iTunes on every platform. It's bloated; it tries to do too many things
and it does them all wrong. Just as an example, searching for anything with
iTunes is a horrible experience, particularly when compared with searching the
'net with any of the top search engines. Book, app and media management are
terrible. Cross-computer management of the same is terrible. Backing-up your
iPhone, if you are not careful, can result in erasing every single app from
your phone and replacing them with what happens to be on the new machine's
iTunes. Take a music database that Windows Media deals with without any issues
whatsoever (devoid of metadata other than folders with the album name and
files with the song names). Import it into iTunes and watch it get mangled.
Albums get destroyed, songs end-up categorized in weird ways, etc.

~~~
moepstar
I hate iTunes too for all of the reasons mentioned above, however there's one
thing it does at least half-ok'ish:

It doesn't eat a ton of CPU while playing a few simple MP3s...

I've tried using Clementine (an Amarok-fork, my favourite music-player by far,
at least on Linux) but it's just a resource-hog - comparatively at least.

So yeah - does anyone have suggestions on what to use for music playback?
Something that doesn't suck? Something that doesn't waste precious CPU-cycles
without reason, generating heat and wasting battery on the go?

~~~
dsirijus
I've been using <http://www.foobar2000.org/> for almost 10 years now. Though
most of my music now is in the cloud, I always keep a heavily modded version
of fb2k on my PC.

This is BY FAR the best audio player available.

I had some respect for Amarok when I was on KDE 6-7 years ago. Nowhere close
to fb2k though. Nowadays on Linux I prefer just plain old mpd.

~~~
epa
> Heavily modded version

That's the problem I found with foobar. I always enjoyed WinAmp and still miss
it to this day on Mac. iTunes is no comparison.

~~~
scholia
But there is a Mac version of WinAMP (tho I've never used it)
<http://www.winamp.com/mac>

------
rgbrenner
Oracle took the top 2, but Adobe had 5 runners up. Too bad Adobe couldn't
overtake Oracle, they clearly put in a lot of effort at it. And Microsoft..
not even being listed? Are they even trying anymore?

~~~
camus
But Oracle products account for 53 of the malware attacks!

------
lifeguard
Let's take a look at CERT, shall we?

17 Sep 2012 VU#480095 Microsoft Internet Explorer 6/7/8/9 contain a use-after-
free vulnerability

17 Sep 2012 VU#389795 Windows Phone 7 does not check certificate Common Names
when sending or receive

Hmm. OK, how about #1 service being remotely attacked right now:

MS Terminal Services

~~~
rhplus
The OP is a list of vulnerabilities by severity. When I look at the current US-
CERT database, I don't see any Microsoft products in the top 10 results by
severity[1] or by date[2].

[1] By "Common Vulnerability Scoring System":
<http://www.kb.cert.org/vuls/byCVSS>

[2] By Date: <http://www.kb.cert.org/vuls/bypublished>

~~~
lifeguard
Whatever. " Not one Microsoft product on Kaspersky’s top 10" implies that
Microsoft products are secure. They are not.

~~~
scholia
The notion propagated by fanboys is that Microsoft software is the least
secure on the planet, and if you believe that then you might well expect
Microsoft to occupy many if not most of the top 10 places. The point of the
headline is that it doesn't. It's based on challenging a known assumption, not
establishing the opposite assumption.

~~~
lifeguard
Every time Microsoft releases a new product the Astroturfing goes through the
roof and the dishonest message is insulting to experienced system engineers.

~~~
scholia
Maybe. I find serious system engineers tend to ignore the childish fanboy
squabbling. They have jobs to do.

------
cdibona
This reminds me of the bear joke: They only had to outrun oracle and adobe...

~~~
tptacek
The implication here is that Microsoft didn't actually improve their security
so much as Oracle and Adobe failed to keep up with theirs. I don't know
whether you intended to say that, but either way, it's a false statement.

~~~
JoeAltmaier
...or a criticism of Oracle and Adobe, which is then a 100% true statement.

------
Lagged2Death
I figured there would be a lot of Adobe stuff on the top 10, but that is _a
lot_ of Adobe stuff.

------
ecounysis
Glancing at the list, I see there are only four companies in the world who
cannot claim they don't have a single product on Kaspersky's top 10
vulnerabilities list.

~~~
encoderer
But the fact that the largest software company in the world is among them is
what's notable.

~~~
ecounysis
Yes. I wonder what percentage of vulnerabilities 11-20 belong to Microsoft?

------
pserwylo
Ah Shockwave, good to see you again my old friend.

I can't believe it's still around and kicking, given the last release of
Director seems to be about two years ago.

I don't play any online games, but can somebody vouch for whether it is still
used to develop browser games anymore?

~~~
TazeTSchnitzel
AFAIK its only advantage was 3D authoring support, and Flash has that too now,
so I see no reason to continue using it at all.

------
stcredzero
For security reasons, I've stopped using PDF readers based on Apple and Adobe
code. I'm now using XPDF through an Automator app as my default PDF program,
with Google Chrome as an alternate.

------
artichokeheart
Not one Microsoft product on top 10 vulnerabilities affecting Microsoft
operating system.

~~~
lostnet
That is a more significant finding!

Dropping out of the overall top ten may have little or nothing to do with
better security since the calculation is intentionally skewed to measure by
number of affected users.

MS bugs got raised to the top in a desktop dominant world, but they've lost
ground (and therefore importance in this calculation) against
mobile/tablet/etc devices making the most successful cross platform products
capable of affecting more users.

------
experiment0
Sorry for going off topic but, I hadn't seen the nextweb new design before. I
found it quite disorientating, there is so much orange "stuff". I just didn't
know where to look.

~~~
rndmize
I wasn't bothered by the colors so much as the layout. Almost every news
source I read has the article all the way to the left, with navigation at the
top and secondary content on the right. Having the navigation on the left and
the content on the right was disorienting (and I've felt the same with
Google's newer blog layouts). I can understand doing this on a tablet, but on
a desktop it feels... overly simplified.

~~~
Roboprog
Worse for me on my (1024 x 600) netbook: the actual content wasn't even
completely visible until I shrunk the font size several notches.

------
hmart
The fact that Adobe still ships expensive, crappy, heavy, memory-consuming,
battery-draining and insecure products is not news. 5 of them in the Top 10.

------
VeejayRampay
Adobe have been embarrassing themselves for a solid decade now as far as
security is involved. Might be time for them to step up.

~~~
rbanffy
I'd be happy with installing their software on case-sensitive filesystems.

------
dschiptsov
Sure, the same way there is no danger to health in fast food, every advertiser
will tell you for sure.)

------
bprater
Is it getting safer to say that antivirus software may soon be a thing of the
past?

~~~
Corrado
My question is, would you run Windows 7/8 without any anti-virus software at
all? Do you feel that comfortable? After years of Linux/OS X I can safely say
that I won't use an OS that requires anti-virus ever again.

~~~
Negitivefrags
I have never run a windows system with anti virus. There is a very simple
technique. Don't install viruses.

~~~
Jarshwah
I've had a single virus on a windows machine, and I was about 90% sure that it
was going to be a virus and wanted to see what happened.

I don't run anti-virus software, but I think it's only the power users that
are capable of doing so. User education is still too low. Would you trust your
parents or grand-parents to "not install a virus" ?

------
Create
...they are so valuable, that they are traded on the black market.

<https://twitter.com/VUPEN/status/263283188175106048>

------
shocks
Now is as good a time as any to disable Flash and Java in my browser. Not sure
why I haven't done this earlier.

Props to Microsoft though. Nice! :)

------
ben0x539
All those _s functions must be paying off!

------
tuananh
This is because Adobe is doing too good a job putting its products on the list
: )

------
buster
And yet a friend of mine has to reinstall her shiny new netbook because
apparently there is some nasty rootkit/trojan that cannot be removed (so
easily).

------
taylorbuley
Declining marginal vulnerabilities

------
martinced
I'm a long time Java dev and lately it's been terrible, totally terrible, for
Java from a security point of view. A gigantic fiasco. Flash's track record is
very poor too. Saying that something is "less vulnerable" than these two
really doesn't mean much.

We're talking about hundreds of millions of zombie PCs due to Java applets +
Flash exploits. So being "less vulnerable" than these technologies doesn't
mean much.

So no Microsoft product in the top 10? You mean Word is not as big as an
attack vector as Java applets and Excel is not as big as an entry point as
Flash? Is there any surprise in here!?

That's not the interesting thing: what concerns most people is the browser
they use to surf the Web. Is Safari + Java applet plugin more vulnerable than
IE + Java applet? Is Chrome + Flash more vulnerable than IE + Flash?

That's what counts.

And also: how do you install Java on your system if you _really_ need it (e.g.
because you're a Java dev) and yet make sure it's not available from your
browser? Or from another user account? This kind of stuff is trivial to do on
Linux: it's been a long time since I've been using a throwaway user account
that has no Java installed to "surf the Web" (using Chrome but whatever). It's
trivial to do because on Linux you can install Java from a regular user
account (no need to be root).

On Windows this is not possible: installing Java requires the admin password
and opens a whole can of worms ; )

I can tell you: I'm surfing from Linux using Chrome which has Flash. I also
have Java installed in a separate (developer) user account. And I'm pretty
sure this is more secure than surfing from a Windows machine, no matter where
Microsoft stands in that report from their "friend in bed" Kaspersky...

Also, for a little touch of irony regarding the article, Kaspersky's revenues
are virtually entirely coming from sales of anti-virus protecting Windows
OSes. Why aren't they successful on the Linux servers powering the Internet?
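
The separate-account setup described above is only as good as the browsing account's actual view of Java, so it is worth auditing from that account rather than trusting the install layout. The script below is an added example, not code from the thread or from any vendor. It assumes a Linux box, the usual Firefox/Chrome NPAPI plug-in directories, and Oracle's Linux plug-in file name libnpjp2.so (the file the JDK's install notes have you symlink into a plug-in directory); a Java installed under the developer account's home is deliberately out of scope, because the point is that the browsing user sees none of it.

```shell
#!/bin/sh
# Added example (not from the thread): audit, from the account you browse
# with, whether Java is reachable at all. Assumptions: Linux, NPAPI plug-in
# directories as in BROWSER_PLUGIN_DIRS, and Oracle's plug-in file name
# libnpjp2.so. Run it as the throwaway "surf the Web" user, not the dev user.

# Default places a Linux browser loads NPAPI plug-ins from; pass other
# directories as arguments to override.
BROWSER_PLUGIN_DIRS="$HOME/.mozilla/plugins /usr/lib/mozilla/plugins /usr/lib64/mozilla/plugins"

# find_java_plugins [DIR ...]
# Prints every Java plug-in file (libnpjp2.so, directly or via a symlink)
# found in the given directories. Returns 0 when none is found, 1 otherwise,
# so it can be used directly in a conditional.
find_java_plugins() {
    found=0
    for d in "$@"; do
        [ -d "$d" ] || continue
        for f in "$d"/libnpjp2.so "$d"/*/libnpjp2.so; do
            # An unmatched glob stays literal; -e/-L filter it out.
            [ -e "$f" ] || [ -L "$f" ] || continue
            printf '%s\n' "$f"
            found=1
        done
    done
    return "$found"
}

# java_on_path
# Prints the java binary this user would run; returns 1 if there is none.
java_on_path() {
    command -v java 2>/dev/null
}

# audit_browsing_account [DIR ...]
# Prints "clean" when neither the plug-in directories nor PATH expose Java to
# the current account, "exposed" otherwise (the offending paths are printed
# by find_java_plugins on stdout before the verdict).
audit_browsing_account() {
    exposed=0
    find_java_plugins "$@" || exposed=1
    java_on_path >/dev/null && exposed=1
    if [ "$exposed" -eq 0 ]; then
        printf 'clean\n'
    else
        printf 'exposed\n'
    fi
}

# Usage, as the browsing user:
#   audit_browsing_account $BROWSER_PLUGIN_DIRS
```

A "clean" verdict covers the two ways a page can reach Java (the browser plug-in and a java launcher on the user's PATH); it says nothing about Flash, which the comment leaves enabled in Chrome on purpose.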

------
drivebyacct2
Beat by Oracle and Adobe. Something to _truly_ be proud of. Aw, no one else
finds this to be a strange brag? Should we make a list of all of the companies
that aren't up there?

~~~
xer0x
I agree, this is a really weird post.

~~~
drivebyacct2
Careful, that's a suicidal comment.

