Kaspersky Labs, a digital security firm, releases a quarterly “IT Threat Evolution” report. For the Q3 2012 report, one section provides information as to what programs have the most widely spread vulnerabilities. I’m sure you can guess some but may be surprised by others.
The following are the top ten most popular vulnerabilities, starting with the most wide-spread vulnerability first:
- Oracle Java Multiple Vulnerabilities: DoS-attack (Gain access to a system and execute arbitrary code with local user privileges) and Cross-Site Scripting (Gain access to sensitive data). Highly Critical. (35%)
- Oracle Java Three Vulnerabilities: Gain access to a system and execute arbitrary code with local user privileges. Extremely Critical. (21.7%)
- Adobe Flash Player Multiple Vulnerabilities: Gain access to a system and execute arbitrary code with local user privileges. Gain access to sensitive data. Highly Critical. (19%)
- Adobe Flash Player Multiple Vulnerabilities: Gain access to a system and execute arbitrary code with local user privileges. Bypass security systems. Highly Critical. (18.8%)
- Adobe Reader/Acrobat Multiple Vulnerabilities: Gain access to a system and execute arbitrary code with local user privileges. Extremely Critical. (14.7%)
- Apple QuickTime Multiple Vulnerabilities: Gain access to a system and execute arbitrary code with local user privileges. Highly Critical. (13.8%)
- Apple iTunes Multiple Vulnerabilities: Gain access to a system and execute arbitrary code with local user privileges. Highly Critical. (11.7%)
- Winamp AVI / IT File Processing Vulnerabilities: Gain access to a system and execute arbitrary code with local user privileges. Highly Critical. (10.9%)
- Adobe Shockwave Player Multiple Vulnerabilities: Gain access to a system and execute arbitrary code with local user privileges. Highly Critical. (10.8%)
- Adobe Flash Player Multiple Vulnerabilities: Gain access to a system and execute arbitrary code with local user privileges. Bypass security systems. Gain access to sensitive data. Extremely Critical. (9.7%)
It isn’t entirely clear if the above list is Windows-only or includes cross-platform vulnerabilities, but if you click-through to the specific vulnerability details on Kaspersky’s page, you will notice some at least some vulnerabilities are cross-platform (like the iTunes one).
Although being in the above list may indicate poor or unsafe software, the list isn’t explicitly saying these are the programs that have the most vulnerabilities. Rather, the list is showing the most popular specific vulnerabilities (which is why you see Flash mentioned three times — those are three different Flash vulnerabilities); the above data is based on how many users had the specific vulnerability — the percentage shown above for each vulnerability is how many users had the vulnerability detected on their computer. According to Kaspersky, 30,749,066 products were tested on the computers of people running Kaspersky security products.
Notice something missing from the list? Yeah, you guess it — Microsoft products. This is actually a first; Microsoft products are typically featured in this top 10 list. According to Kaspersky, the reason why there are no Microsoft products in this most recent list is because of Windows Update:
Microsoft products no longer feature among the Top 10 products with vulnerabilities. This is because the automatic updates mechanism has now been well developed in recent versions of Windows OS.
Hard to believe, right?