Java, Flash, and iTunes are in the “top 10 vulnerabilities” list — Microsoft products are nowhere to be found

Kaspersky Lab, a digital security firm, releases a quarterly “IT Threat Evolution” report. One section of the Q3 2012 report shows which programs have the most widespread vulnerabilities. I’m sure you can guess some but may be surprised by others.

The following are the top ten vulnerabilities, ordered from most to least widespread:

  1. Oracle Java Multiple Vulnerabilities: DoS-attack (Gain access to a system and execute arbitrary code with local user privileges) and Cross-Site Scripting (Gain access to sensitive data). Highly Critical. (35%)
  2. Oracle Java Three Vulnerabilities: Gain access to a system and execute arbitrary code with local user privileges. Extremely Critical. (21.7%)
  3. Adobe Flash Player Multiple Vulnerabilities: Gain access to a system and execute arbitrary code with local user privileges. Gain access to sensitive data. Highly Critical. (19%)
  4. Adobe Flash Player Multiple Vulnerabilities: Gain access to a system and execute arbitrary code with local user privileges. Bypass security systems. Highly Critical. (18.8%)
  5. Adobe Reader/Acrobat Multiple Vulnerabilities: Gain access to a system and execute arbitrary code with local user privileges. Extremely Critical. (14.7%)
  6. Apple QuickTime Multiple Vulnerabilities: Gain access to a system and execute arbitrary code with local user privileges. Highly Critical. (13.8%)
  7. Apple iTunes Multiple Vulnerabilities: Gain access to a system and execute arbitrary code with local user privileges. Highly Critical. (11.7%)
  8. Winamp AVI / IT File Processing Vulnerabilities: Gain access to a system and execute arbitrary code with local user privileges. Highly Critical. (10.9%)
  9. Adobe Shockwave Player Multiple Vulnerabilities: Gain access to a system and execute arbitrary code with local user privileges. Highly Critical. (10.8%)
  10. Adobe Flash Player Multiple Vulnerabilities: Gain access to a system and execute arbitrary code with local user privileges. Bypass security systems. Gain access to sensitive data. Extremely Critical. (9.7%)

It isn’t entirely clear if the above list is Windows-only or includes cross-platform vulnerabilities, but if you click through to the specific vulnerability details on Kaspersky’s page, you will notice that at least some vulnerabilities are cross-platform (like the iTunes one).

Although being in the above list may indicate poor or unsafe software, the list isn’t explicitly saying these are the programs that have the most vulnerabilities. Rather, it shows the most widespread specific vulnerabilities, which is why you see Flash mentioned three times: those are three different Flash vulnerabilities. The percentage shown for each vulnerability is how many users had that vulnerability detected on their computer. According to Kaspersky, 30,749,066 products were tested on the computers of people running Kaspersky security products.

Notice something missing from the list? Yeah, you guessed it — Microsoft products. This is actually a first; Microsoft products are typically featured in this top 10 list. According to Kaspersky, the reason there are no Microsoft products in this most recent list is Windows Update:

“Microsoft products no longer feature among the Top 10 products with vulnerabilities. This is because the automatic updates mechanism has now been well developed in recent versions of Windows OS.”

Hard to believe, right?

[via TNW, Kaspersky]

12 comments

  1. Ashraf
    Author/Mr. Boss

    @Link: I wonder what effect Windows Store will have on malware on PCs. I mean I doubt it will go away but with Microsoft trying to control the distribution of programs, will that result in less infections?
    @clockmendergb: Glad you like it. Discussion among members is always a value-added feature of any website.
    @Peter: L.M.A.O. I nominate this as the best comment of the year.

  2. Peter

    Are there rumors Apple will sue Oracle and Adobe for distributing software that allows to “gain access to a system and execute arbitrary code with local user privileges.” (GATASAXAC(TM) LUP-version) around?

  3. Link

    @jayesstee:

    Microsoft actually is getting that good, with UAC, Forefront endpoint protection, Security Essentials / Windows Defender. It is taking away the market previous AV vendors had. Most corporations are moving away from 3rd party AV since Microsoft offers its own free highly effective solutions nowadays. If a Windows machine is kept fully up to date the only risk it runs of being infected is from 3rd party apps like Java and Flash. Java only has a patch cycle of a few times a year :P Microsoft addresses vulnerabilities instantly, reducing the impact. However, end users still intentionally allow exploits on their machine by running dodgy 3rd party apps like keygens, game cracks, pirated software etc. that will bypass MS security. I have been an Enterprise admin for many years; the trend we have seen is that Android and Jailbreak free apps are now the big target, while properly controlled iTunes apps and Windows Store apps are less likely to be malicious. Microsoft is doing an excellent job… which is expected since it holds the majority of the market

  4. Ashraf
    Author/Mr. Boss

    @jayesstee: Indeed. One more thing I’d like to add.
    I disagree that Apple has no benefit in fixing up iTunes or Quicktime for Windows. You see while the products may be running on Windows, which isn’t an Apple OS, the products are still distinctly Apple products. So if a consumer finds out their computer is vulnerable due to Apple products, it hurts Apple’s reputation. So, yeah, if they are smart (which they are), they do care.

  5. Ashraf
    Author/Mr. Boss

    @jayesstee: I apologize, I misunderstood what you were saying.
    In regards to Adobe and Oracle: I’m sure they already got the memo but either they can’t do anything or don’t care. In regards to Apple: I believe some of the vulnerabilities were present in Mac OS X, too, so it isn’t just Windows. Remember that scumbags target popular software. As much as Apple would like to claim otherwise, Mac has been fairly secure up until now because of its lack of popularity. iTunes, however, is a ripe target because of how popular it is thanks to iOS.

  6. jayesstee

    @Ashraf: I agree with your first two paragraphs. Your last line may be correct, but that was not what I was suggesting; I was merely suggesting that, in the extreme, the publisher could benefit from this particular study.
    Conspiracy theory? Not guilty, my Lud. Conspiracy requires two or more parties (to conspire).
    Cynicism? I plead guilty, due to so many years’ experience!
    Being serious, I hope that these results wake Adobe and Oracle up to how vulnerable their products are. Apple of course has no benefit to gain from Windows being more secure. There I go again, being cynical!

  7. Ashraf
    Author/Mr. Boss

    @jayesstee: Firstly, this study isn’t praising Microsoft as making secure soft. It is an impartial study showing which vulnerabilities are the most wide-spread, and this is the first time a Microsoft product hasn’t appeared there. It really is as simple as that.
    Secondly, if they did what you suggest, then the study would be a whole different study to begin with. Instead of pointing out the most popular vulnerabilities, the study would show the soft with the most popular vulnerabilities. What would the results show then? Would a Microsoft product be on there then? Who knows, but I assure you it would be different than the above. (I’d actually love to see this type of study done.)
    Not everything is a conspiracy theory, come on guys.

  8. jayesstee

    Group all the Java vulnerabilities together, do the same for Apple and Adobe, where would the Microsoft group come in the list?

    “Lies, damn lies and statistics”. It’s how the statistics are used, not the actual maths. It used to be the Politicians who bent/adapted the data, now big businesses are in on the act.

    Note if Microsoft were that good, then Kaspersky and all the other AV firms wouldn’t have a market.