Not to mention by a reputable security company in the business (we all know there are some sources who are... biased... to put it nicely). Congrats to Microsoft, glad to see they've put security so highly on their priority list. Not to mention the involvement they try to get with hackers, and trying worldwide to stop spam botnets, etc... Very nice to see a corporation working like that.
>So now, when we face a choice between adding features and resolving security issues, we need to choose security. Our products should emphasize security right out of the box, and we must constantly refine and improve that security as threats evolve.
I suspect Google is about to be tested in this way given the adoption of Android on mobile devices. It is fortunate that they have a strong security culture to begin with but nothing proves that like being battle tested.
Oracle with Java could also get a lot of heat.
Spot on. 2002.
They left Photoshop CS 5.5 users twisting in the wind, recommending customers pay to upgrade their one-year-old software to CS 6.
I don't know if it was the external pressure or a slow in-house process, but it took them a month to release a fix for CS 5.5 users: http://www.adobe.com/support/security/bulletins/apsb12-11.ht...
Why do I find that hard to believe? Oh right, because I've launched and used Adobe software in my life.
You will certainly not notice any improvement in their "creative" apps.
But these do not really form a part of most people's "internet attack surface". The priorities are Reader and Flash. Perhaps AIR.
Adobe Reader X is a lot more secure than Reader 9 was. The bugs are still there - many Reader 9 bugs affect X. However, exploitation is much harder, and I haven't seen anyone get reliable code execution in X yet.
They are supposed to be working hard on Flash too, although I haven't looked at that recently. I remain unconvinced that Flash is actually fixable, but perhaps they could win with strong enough sandboxing and exploit mitigation...
I know the saying many eyes make bugs shallow, but so does billions of dollars and years of concentrated effort. Kudos to Microsoft for getting their act together.
The saying holds. Billions of dollars buys many eyes.
What happened at Microsoft may not disprove this folk wisdom about defect detection, but it's evidence against it, not for it.
It's nothing compared to the knowledge I got by working in app sec or teaching network security, but it's pretty good for increasing the base of knowledge among general developers.
I wonder if these are lower priority for Apple or if they perhaps just aren't as good when developing for Windows.
Machines running Apple software on Windows >> machines running Apple software on Macs. So the same vulnerability wouldn't show up even if it existed in iTunes on OSX, for example.
The current version on Mac and iOS is QuickTime X. This version was a complete rewrite (that started on iOS and eventually migrated to the Mac). The complete rewrite allowed for a vastly more secure design (among other improvements).
> 56 percent of exploits blocked in Q3 use Java vulnerabilities.
So much for the idea of a managed language runtime being inherently more secure...
The surface area exposed is larger, because you're allowing the browser to download and run arbitrary programs, something you don't do with unmanaged languages very much.
Edit: Also, just consider how much worse it'd be if Java apps were re-written in a language that allows buffer overflows. Enterprises already cannot get security right; even generating SQL queries results in problems. No way would those teams deal with yet another layer of security issues. Hell, I've dealt with commercial teams writing in C++ thinking a buffer overflow has "something to do with network rate limiting."
At least some of those Java vulnerabilities are logic errors in the sandboxing/SecurityManager parts that are supposed to prevent applets from accessing privileged APIs, and those checks are usually implemented inside the actual java.* standard library classes, in the Java language.
The JVM is good. The Java Applet Plugin, on the other hand, is a problem.
And contrast with alternative affirmative/MAC-based sandboxing schemes like Chrome's NaCl, or OS-level stuff using SELinux/AppArmor. These don't require a managed runtime at all, and yet appear ("appear" being a critical point, of course) to solve this problem in a more robust way.
I'm not sure we really know how to secure a desktop application / fat client platform yet.
Remember ActiveX and how it was worse than Java applets?
Java applets are still far more efficient and far more powerful and have far greater operability with Java web server software than even HTML5 will have.
Of course, these are desktop stats. On mobile, it's a different story.
I've got Win7/64, service packs up to date, Java autoinstaller thing... what else can I do?
If you're not already using ad-block, you will be amazed by how much it improves the performance of your general internet-surfing. So, besides security mindedness, there are already other good reasons for doing it.
Does anybody have any idea how that comes about? The only reason I can think of is that Amsterdam is a huge node in the Internet backbone (http://en.wikipedia.org/wiki/Amsterdam_Internet_Exchange). Malware authors might want to host their stuff close to such nodes, so that they can distribute their wares efficiently.
(I have no data to back this up...)
You can do so in Settings -> Advanced Settings -> Content Settings -> Plug-Ins -> Click To Play.
When you visit a site which has a plug-in you'll get a UI control similar to the pop-up blocker which allows you to add it to the exceptions list and/or to allow it just this one time. You should add YouTube to the exceptions list.
One less site that needs Flash.
Of course, when you get down to the bottom line you know it's not a huge technical feat, but really, neither is anti-virus software. It's a matter of foresight and hard work. Donate today :)
(Disclaimer, I am in no way connected with NoScript other than being a happy user)
Edit: After posting this I realize it comes across as a bit of advertising and not contributing much to the conversation, I was about to delete it, but I stopped myself and wanted to add: I am -truly- happy not having to (even though I do) worry about what links I can click.
The sheer number of bugs that crapware has is unbelievable. And don't get me started on Music.app on iPad (iOS 5 and 6), or the dreadful state of "Shared Media" in iPhone and iPad's Music apps (stream from a computer).
God I hate them. If I ever switch from iOS/Mac, iTunes/Music.app are to blame.
It doesn't eat a ton of CPU while playing a few simple MP3s...
I've tried using Clementine (an Amarok-fork, my favourite music-player by far, at least on Linux) but it's just a resource-hog - comparatively at least.
So yeah - does anyone have suggestions on what to use for music playback? Something that doesn't suck? Something that doesn't waste precious CPU-cycles without reason, generating heat and wasting battery on the go?
This is BY FAR the best audio player available.
I had some respect for Amarok when I was on KDE 6-7 years ago. Nowhere close to fb2k though. Nowadays on Linux I prefer just plain old mpd.
That's the problem I found with foobar. I always enjoyed WinAmp and still miss it to this day on Mac. iTunes is no comparison.
I've used a vast array of media players for Linux and Windows and nothing I can find matches the features iTunes has for organizing my music library.
However, it's difficult to understand why Apple doesn't update iTunes on Windows more frequently. I'm pretty sure the last iTunes update on Windows fixed well over twenty-five security vulnerabilities in open source libraries that were known for upwards of six months to everyone.
While that STILL doesn't match the negligence of companies like Oracle and Adobe, it's still negligence. Unacceptable negligence which is putting users at risk.
17 Sep 2012 VU#480095 Microsoft Internet Explorer 6/7/8/9 contain a use-after-free vulnerability
17 Sep 2012 VU#389795 Windows Phone 7 does not check certificate Common Names when sending or receive
Hmm. OK, how about #1 service being remotely attacked right now:
MS Terminal Services
 By "Common Vulnerability Scoring System": http://www.kb.cert.org/vuls/byCVSS
 By Date: http://www.kb.cert.org/vuls/bypublished
I can't believe it's still around and kicking, given the last release of Director seems to be about two years ago.
I don't play any online games, but can somebody vouch for whether it is still used to develop browser games anymore?
Dropping out of the overall top ten may have little or nothing to do with better security since the calculation is intentionally skewed to measure by number of affected users.
MS bugs got raised to the top in a desktop dominant world, but they've lost ground (and therefore importance in this calculation) against mobile/tablet/etc devices making the most successful cross platform products capable of affecting more users.
Above and beyond being comfortable not using an AV on Windows 8, I would go as far as to say that if you are using an AV on Windows 8, you're being taken for a ride by your vendor of choice. And I say this as an information security professional. I've tried to get a virus on Windows 8 without doing anything more than what it takes to get a virus on Windows 7. I did not succeed.
I don't run anti-virus software, but I think it's only the power users that are capable of doing so. User education is still too low. Would you trust your parents or grandparents to "not install a virus"?
Don't pretend Unix-type OSes are immune to malware. Don't forget the Morris worm.
Props to Microsoft though. Nice! :)
We're talking about hundreds of millions of zombie PCs due to Java applets + Flash exploits. So being "less vulnerable" than these technologies doesn't mean much.
So no Microsoft product in the top 10? You mean Word is not as big as an attack vector as Java applets and Excel is not as big as an entry point as Flash? Is there any surprise in here!?
That's not the interesting thing: what concerns most people is the browser they use to surf the Web. Is Safari + Java applet plugin more vulnerable then IE + Java applet? Is Chrome + Flash more vulnerable then IE + Flash?
That's what counts.
And also: how do you install Java on your system if you really need it (e.g. because you're a Java dev) and yet make sure it's not available from your browser? Or from another user account? This kind of stuff is trivial to do on Linux: for a long time now I've been using a throwaway user account that has no Java installed to "surf the Web" (using Chrome, but whatever). It's trivial to do because on Linux you can install Java from a regular user account (no need to be root).
On Windows this is not possible: installing Java requires the admin password and opens a whole can of worms ; )
I can tell you: I'm surfing from Linux using Chrome which has Flash. I also have Java installed in a separate (developer) user account. And I'm pretty sure this is more secure than surfing from a Windows machine, no matter where Microsoft stands in that report from their "friend in bed" Kaspersky...
Also, for a little touch of irony regarding the article, Kaspersky's revenues are virtually entirely coming from sales of anti-virus protecting Windows OSes. Why aren't they successful on the Linux servers powering the Internet?
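As an added example (not code posted by anyone in this thread), a POSIX shell script for the throwaway-account setup described a few comments up: run it from the browsing account to confirm that neither a Java browser plugin nor a java binary is reachable from that account, while the developer account keeps its user-local JDK. The plugin directories it scans are the conventional Mozilla-family NPAPI search paths and `libnpjp2.so` is the usual filename of the Oracle plugin; both are assumptions to adjust for your distribution and browser.

```sh
#!/bin/sh
# Added example, not from the thread: check, from the account you browse
# with, whether a Java NPAPI plugin or a java binary is reachable at all.
# The plugin search paths below are the conventional Mozilla-family ones
# and are an assumption; adjust them for your distribution and browser.

# Directories a Mozilla-family browser scans for NPAPI plugins, for the
# home directory given as $1 (defaults to $HOME). One path per line.
plugin_dirs() {
    home=${1:-$HOME}
    printf '%s\n' \
        "$home/.mozilla/plugins" \
        /usr/lib/mozilla/plugins \
        /usr/lib64/mozilla/plugins \
        /usr/lib/browser-plugins
}

# Returns 0 if a Java plugin shared object is present in any of the given
# directories, 1 otherwise. "-e" follows symlinks, so a link that points
# into another user's unreadable home (the throwaway-account setup)
# correctly counts as absent: the browser could not load it either.
java_plugin_visible() {
    for d in "$@"; do
        [ -d "$d" ] || continue
        for f in "$d"/libnpjp2.so "$d"/libjavaplugin*.so; do
            [ -e "$f" ] && return 0
        done
    done
    return 1
}

# Returns 0 if a java binary is on PATH, 1 otherwise. A JDK unpacked into
# the developer account's home only shows up here if this account's own
# profile adds it to PATH, which the browsing account should never do.
java_on_path() {
    command -v java >/dev/null 2>&1
}

# Usage: run as the browsing user; both lines should report "No ...".
if java_plugin_visible $(plugin_dirs); then
    echo "Java plugin reachable from this account's browser"
else
    echo "No Java plugin visible for this account"
fi
if java_on_path; then
    echo "java binary on PATH: $(command -v java)"
else
    echo "No java binary on PATH"
fi
```

The two checks are deliberately split: a plugin dropped into `~/.mozilla/plugins` is what exposes Java to web content, whereas `java` on PATH only matters for things the account runs itself. Passing the developer account's home to `plugin_dirs` from that account shows the plugin present there, which is the intended asymmetry.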