Firefox, Red Hat more buggy than Microsoft
Secunia has found that the number of security bugs in the open source Red Hat Linux operating system and Firefox browsers far outstripped comparable products from Microsoft last year.

In a report released this week, Secunia also criticized CA for the quality of the code in its anti-virus products, saying that "inherent" code problems are exposing CA products to ongoing security vulnerabilities.

On the other hand, "zero-day" security bugs in Firefox were patched more quickly than in Microsoft Internet Explorer, according to the Secunia 2007 Report, released this week.

In a review of the number of vulnerabilities found in enterprise anti-virus vendors' products, Secunia found that CA was by far the leader, with 187 vulnerabilities, followed by Symantec with 73. Trend Micro (34), ClamAV (15), McAfee (13) and F-Secure (6) ranked lower on the list.

The high figures for Symantec and CA are partly due to their wide range of products, some of which cover areas other than anti-virus, Secunia said.

However, the majority of the CA bugs were due to "inherent code problems with some CA products", Secunia said in the report.

Of particular concern is CA's range of ARCServe Backup products for laptops and desktops, which Secunia submitted to its Binary Analysis process after several bugs were reported and fixed. The bugs involved errors in processing particular arguments and requests.

The analysis found that about 60 reported bugs were still present in the supposedly patched versions.

What's more, the analysis found that the vulnerabilities were partly due to "the nature of the product code itself", Secunia said.

"Unless an overhaul of the code is undertaken, then the product remains susceptible to similar types of vulnerabilities," Secunia said.

However, CA said in a statement that it has rigorous quality-control measures in place for its software and continues to improve those measures.

A number of the vulnerabilities found in Symantec products were due to their use of vulnerable software from third-party developers, Secunia said.

One of these is the Autonomy Keyview SDK (software development kit), used in Symantec Mail to view Lotus 1-2-3 files. The component was reported to have a "highly critical" flaw on 12 December, but hasn't yet been patched, leaving some Symantec products vulnerable.

Symantec said in a statement that it has published instructions for mitigating the problem and has issued product updates for some affected vendors. IBM, whose Lotus Notes was also affected by the Autonomy bug, has issued its own patch.
Operating systems and browsers
Out of the operating systems monitored by Secunia - Windows (98 and onwards), Mac OS X, HP-UX 10.x and 11.x, Solaris 8, 9, and 10 and Red Hat (excluding Fedora) - Red Hat was found to have by far the most vulnerabilities, at 633, with 99 percent found in third-party components. (Linux distributions are generally composed mostly of third-party software, which is integrated by the distributor.)

Red Hat has taken issue with the figures, claiming the accurate number should be 404 vulnerabilities for last year.

Solaris came next, with 252 bugs, 80 percent of which were in third-party components. Mac OS X came after that with 235, 62 percent of which were third-party.

Windows had only 123 bugs reported, but 96 percent of those were found in the operating system itself. HP-UX had 75 bugs reported, 81 percent of which were in third-party code.

Last week, a US Department of Homeland Security (DHS) bug-fixing scheme uncovered an average of one security glitch per 1,000 lines of code in 180 widely used open source software projects.

The large number of Red Hat flaws is partly due to the large number and wide variety of components it includes.

"Red Hat contains two different browsers and graphic interfaces, a number of PDF readers and image editors, and so on," the report said. "Red Hat, HP-UX, and Solaris can easily be used as servers, and as such include and support a large number of third party components, while the same cannot be said of all versions of Windows and Mac OS X."

Any consideration of relative OS security should look at factors not covered by the report, such as average patching time for vulnerabilities, Secunia said.

In the browser field, Firefox led the way with 64 bugs, compared to 43 for Internet Explorer, and 14 each for Opera and Safari.

However, in an examination of zero-day flaws - reported by third parties before a patch was available - Secunia found that Firefox tended to get more patches, sooner, compared to IE.

Out of eight zero-day bugs reported for Firefox in 2007, five have been patched, three of those in just over a week. Out of 10 zero-day IE bugs, only three were patched and the shortest patch time was 85 days.

ActiveX was hit by the largest number of browser add-on bugs in 2007, with 339 (compared to 45 last year), Secunia said.

The figure was propped up by the Month of ActiveX Controls Bugs in May 2007, and by Secunia's discovery of a vulnerable ActiveX component that was used in 40 different products.

QuickTime followed with 35 bugs and Java with 21 bugs.
Posted by abennett, Techworld.com