US-CERT: 5,198 Software Flaws in 2005

Security researchers uncovered a record 5,198 vulnerabilities in software products this year, nearly 38 percent more than the number of flaws found in 2004, according to statistics published by US-CERT, a cyber security information-sharing collaboration between the Department of Homeland Security and the CERT Coordination Center at Carnegie Mellon University in Pittsburgh.

According to US-CERT, researchers found 812 flaws in the Windows operating system and 2,328 in various versions of the Unix/Linux operating systems (Mac included); an additional 2,058 flaws affected multiple operating systems. There may well have been more than 5,198 flaws discovered this year; these are only the ones reported to US-CERT.

I know Microsoft issued a lot of patches this year that fixed quite a few vulnerabilities ... but 812? My suspicion has always been that Microsoft sometimes fixes multiple flaws with a single patch, even though its advisories may make it appear as though the patch addressed a singular issue.

I'd love to know just what percentage of those reported Windows flaws have been fixed. For that matter, it would be lovely to know that for all of the flaws reported last year.

Take a second to scroll down the incredibly long list of software flaws. It may well be that this is simply a function of there being more software out there: more lines of code, hence a greater number of vulnerabilities.

But that answer seems a bit too simplistic. My take is that as Microsoft takes steps to make its OS more secure (and yes, Service Pack 2 for XP does make it a lot harder for malware to exploit vulnerabilities on the system, this latest WMF exploit notwithstanding), attackers are looking at developing more exploits for applications that run on top of Windows, interact directly with the user, and are freely allowed in and out of software firewall applications.

The other thing at work here is that security has become a big business, with big profits for those who can show they are able to protect users from previously unknown security holes. Competition among the companies that sell protection products is fierce, and researchers at each of them spend a lot of time digging up vulnerabilities in widely used software, with a particular interest, it seems, in security applications.

I'm sure there are other factors at work here as well. Your thoughts?

Have a very happy and prosperous New Year, Security Fix readers, and thank you for helping to build such a great community.

By Brian Krebs  |  December 30, 2005; 10:36 AM ET
 

Comments

Protecting against the unknown is going to only get you so far...one never really knows what the unknown is, by definition.

IMHO, one big aspect that's been overlooked in the face of these security issues is incident response. One doesn't have to go far (just as far as the SF lists...) to find people posting almost daily about surprising "new" issues they've encountered. A great many of those issues end up being relatively old, and in almost every case, there simply isn't enough information provided to assist in remotely diagnosing the issue. This points to a lack of education and simple trouble-shooting skills of those administering Windows systems. This sort of thing isn't included in the MCSE stuff, but is provided elsewhere.

In the face of all of these vulnerabilities, and with the actual crimes publicized by the popular media, one would think that CIOs and IT shops across the planet would be scrambling to get on top of things and improve their skill sets.

Factors at work? Well, aside from vulnerabilities in popular (and ubiquitous) software, there's a simple lack of education, training, staffing, and funding for IT shops. Being able to properly design, manage and monitor an infrastructure is important, but so is being able to recognize and diagnose an incident, and then properly respond to it.

H. Carvey
"Windows Forensics and Incident Recovery"
http://www.windows-ir.com
http://windowsir.blogspot.com

Posted by: H. Carvey | December 30, 2005 10:53 AM

Pray tell me this: what other company (other than Microsoft) in the USA or the world consistently sells faulty products full of defects and works them out at the consumer's time and expense? I don't know of any others that do this and continue to succeed. Usually a company's success depends on good product and good service. Can anyone say Monopoly?

Posted by: T. Woosan | December 30, 2005 1:18 PM

Any reason why the link in the article jumps to the Unix/Linux bugs and skips over the Windows flaws?

Posted by: S. Bacon | December 30, 2005 1:37 PM

"Security researchers revealed the flaw on Tuesday and posted instructions online that showed how would-be attackers could exploit the flaw. Within hours, computer virus and spyware authors were using the flaw to distribute malicious programs that could allow them to take over and remotely control afflicted computers."

No Duh! Why in the world would the "Security Researchers" post the instructions to exploit the flaw??? That is the most stupid thing I have ever heard.

Posted by: Jon Cornwall, La Canada, CA | December 30, 2005 2:01 PM

To T.Woosan:
The answer to your question "what other company (other than Microsoft) in the USA or World consistently sells faulty products full of defects and works them out at the consumer's time and expense?"... The answer is Ford Motor Co.

Posted by: C.Warren | December 30, 2005 2:21 PM

I have to agree with Mr. Cornwall, not a very responsible way to handle a problem like this. Shouldn't Microsoft have created the fix before telling the whole world how to screw the rest of us?

Posted by: Tom Matthews | December 30, 2005 2:30 PM

I don't think this applies to you personally, but the article on the new Windows bug (WMF) and the accompanying article (how to avoid viruses) don't seem to address any steps a user could take for this case. In particular, the latter presents Windows fixes as the first step and this bug has no fix, and gives the reader other information which may not have any effect on this vulnerability.

I'm under the impression that the simple step of un-registering WMF will make Windows safe to run again, but this doesn't seem to be mentioned in the Post. Providing a series of steps which will not work for this issue would seem to give users a false sense of security and be more damaging than printing no steps to take.

Posted by: Duncan | December 30, 2005 2:39 PM

"Security researchers revealed the flaw on Tuesday and posted instructions online that showed how would-be attackers could exploit the flaw. Within hours, computer virus and spyware authors were using the flaw to distribute malicious programs that could allow them to take over and remotely control afflicted computers."

Not only does Microsoft sell "faulty products full of defects and works them out at the consumers time and expense" as noted above, but they tell everybody how to exploit the defect to their own advantage.

Thanks very much. Couldn't the "security researchers" just come up with a fix and keep their mouths shut until they did so?

Posted by: C. Siegel | December 30, 2005 2:58 PM

It's funny, I never begrudged Microsoft its hardball competitive posture, although obviously its competitors and the DoJ did. What Microsoft really ought to be in the dock for is this nonsense: bugs, glitches, security vulnerabilities, etc etc.

Lord knows what W Edwards Deming might have said about Microsoft - but then I don't think Gates or Ballmer would have the courage to hire the man.

Posted by: Namfos | December 30, 2005 3:21 PM

I've been using the preview pane to see if I can trust the sender (maybe someone who hasn't e-mailed me before) instead of opening the e-mail. Is there any way I can continue to use the preview pane without leaving myself open to viruses?

Posted by: scotti | December 30, 2005 3:58 PM

In response to some earlier comments blaming Microsoft for revealing this vulnerability and the way to exploit, I think it is almost 100% certain that Microsoft did not reveal this bug. The "security researchers" who revealed this bug and how to exploit it are surely not from Microsoft.

I do agree with the sentiment that revealing this before a fix was available was irresponsible. However, there are those who believe that revealing these problems as soon as they are found forces Microsoft to issue fixes immediately. The problem is that some problems are not amenable to an instant fix, as seems to be the case here. There are others who simply want to harm Microsoft irrespective of the harm caused to millions of users. Shame on them!

Posted by: Duncan | December 30, 2005 4:03 PM

To Duncan:

Thanks for reading, and for sharing your thoughts. However, save for switching off the computer or to another operating system, what advice would you give Windows users on how to avoid getting hit with this and how to clean it up after the fact? The piece was not meant to say "do this and you're safe." Should we have not put any advice? Also, the story you were referring to was written for the paper, not the Web site per se, and as such there are space considerations.

Posted by: Bk | December 30, 2005 4:18 PM

To S-Bacon: That's really odd. Not sure why. I think I've fixed the link now though. Tx for pointing that out.

Posted by: Bk | December 30, 2005 4:19 PM

45 Microsoft Internet Explorer software vulnerabilities versus 1 Mozilla Firefox vulnerability. Wow!

Posted by: kmf164 | December 30, 2005 4:27 PM

It is really too bad that CERT imposes a statistical scorecard on malfunctions so close to biological mechanisms that they were first named "bugs" or "virus" etc.

What every user understands is that it takes only one bug in their machine to cause pain. As difficult as it is, we have to remember the difference between a "pandemic", an "epidemic" and a "case".

Posted by: GTexas | December 30, 2005 4:46 PM

GTex...I think it's important not to shoot the messenger. I for one am glad someone is keeping track of this stuff.

Posted by: Vern | December 30, 2005 4:51 PM

Point well taken, Vern.

I don't advocate the head-in-sand approach either. I just wanted to point out that the language of epidemiology can highlight culpability, responsibility and severity too. These are not new ideas which arose in the digital age.

Posted by: GTexas | December 30, 2005 5:11 PM

Interestingly enough, according to netcraft.com the US-CERT web site runs on Linux.

Posted by: James Randall | December 30, 2005 7:36 PM

Rather than publishing a new bug count, it would be best for all technology manufacturers to freely report all defects. The report must include defects discovered (and fixed) during product engineering and manufacture, legacy issues, and those that remain open when the product ships. This information can enable consumers to learn more about the product than the propaganda vendors put out about its convenience or capability. Tired of "churn and burn"? Periodic publication of legacy bug lists will enable a professional risk assessment to be conducted fairly for all technology products, including operating systems, medical device instruments, washing machines, engine controllers, etc. It's about time to turn loose "Consumer's Reports" to publish a risk assessment for all technology products along with the price and other ratings. Think the Congress could swing this type of full disclosure? Call it "The Bug Disclosure Act."

Posted by: colonelklink | December 30, 2005 8:09 PM

I clicked on the link to this website because the article in the Washington Post said: "Visit washingtonpost.com/securityfix for step-by-step instructions on how to reduce the threat by disabling certain Windows features." All I see is a rehash of the original security issue along with a listing of flaws. Nothing here about any measures to combat this problem.

Posted by: Joy | December 30, 2005 8:33 PM

The .wmf problem with Windows et al can be fixed by renaming the offending shimgvw.dll to x_shimgvw.dll.

You can locate the file using your file manager.

Go to Google search and type "Windows .wmf"; there is a lot more info out there.

Posted by: Jim | December 30, 2005 9:27 PM

Joy -- I think this post has the tip you are looking for, which was cut from the paper version for space considerations:

http://blogs.washingtonpost.com/securityfix/2005/12/exploit_release.html

Here it is again:

1. Click on the Start button on the taskbar.
2. Click on Run...
3. Type "regsvr32 /u shimgvw.dll" to disable.
4. Click ok when the change dialog appears.

Posted by: Bk | December 30, 2005 9:29 PM

To the person asking about possible ways to preview e-mail to see if it is good, there are a few things to be pointed out. Outlook has had bugs in the past that allowed viruses/worms to infect just by previewing the e-mail. ActiveX and JavaScript sometimes run in preview mode and will take over your entire box if you are using Windows (you're logged in as an administrator, aren't you? $10 says you are). Previewing is just like opening, except in a smaller window. That should never be used to see how safe an e-mail is, or even whether it should be opened.

Use another e-mail client. All of them (Thunderbird included) have previews, but only Microsoft's supports foolish technologies like ActiveX 24/7. For a better solution, make your user a non-administrator (Power User is plenty and, unless you are crazy and install software every day from the Internet (reckless), a regular User is plenty).

If you really want to be safe, Linux desktop OSs are ready for the masses. I'm actually trying all of my regular apps on the "other" OS and I fear for Microsoft's future. I don't want to leave Windows, but the omens are clear. In the meantime, for people who are still under the impression that Linux is completely mysterious and filled with command line interfaces, make your user account a User account. Administrators should be used to install software and run patches. Nothing else.

Posted by: Windows Lover | December 30, 2005 10:49 PM

"...According to US-CERT, researchers found 812 flaws in the Windows operating system, 2,328 problems in various versions of the Unix/Linux operating systems (Mac included). An additional 2,058 flaws affected multiple operating systems..."

This statement is completely misleading. Looking at the list of flaws, one can easily see that most of these flaws have nothing to do with the operating system, but instead, are flaws in third party applications that run on the operating system. Yet US-CERT is calling all of them operating system flaws. This is moronic and judging by the numbers, designed to make Windows appear more secure than Linux to the average computer user, which is totally incorrect. Shame on US-CERT!

Posted by: A. Reader | December 31, 2005 1:32 AM

"...According to US-CERT, researchers found 812 flaws in the Windows operating system, 2,328 problems in various versions of the Unix/Linux operating systems (Mac included). An additional 2,058 flaws affected multiple operating systems..."

This statement is completely misleading. Looking at the list of flaws, one can easily see that most of these flaws have nothing to do with the operating system, but instead, are flaws in third party applications that run on the operating system. Yet US-CERT is calling all of them operating system flaws. This is moronic and judging by the numbers, designed to make Windows appear more secure than Linux to the average computer user, which is totally incorrect. Shame on US-CERT!

Posted by: A. Reader | December 31, 2005 1:34 AM | Report abuse

Here is a clear and simple step-by-step guide to making Windows XP invulnerable to security issues without spending a cent:

http://quikbox.ca/xp_security/Intro.html

Posted by: Tony | December 31, 2005 2:02 AM

The problem is not so much that you cannot protect yourself against all this stuff using Windows; probably most pros can, if they put in the same sort of effort their sysadmins do at work, i.e. about an hour or two a week. The problem is, how sure do you feel you have succeeded? And next time you bank or shop, how much do you want to bet on nothing having slipped by you?

I thought about this long and hard a year or two ago. I was putting in all the firewalls and anti-virus stuff and locking everything down, and I wondered how sure I could or should be. My answer was, in the end, to take the family to Linux. It was not pain free, but we got there. It's not that I can't do it most of the time, it's just I don't want to have to place big bets on doing it right every time, week in week out.

Since then, it's only gotten worse.

Posted by: Al | December 31, 2005 9:10 AM

Hello Brian:

As somebody that spent the duration of 3.5 years of my security career (and 3.5 years of my entire life, for that matter) analyzing security vulnerabilities, I want to share with you a few comments concerning your article, and this entire heap of rubbish US-CERT has published.

1. I've been away from analysis for nearly a year-and-a-half, but there are several things that I still recall, try as I have to forget (you can "leave" any field of analysis, but you can never really cease until you go mad ... see Georg Cantor and Kurt Godel). One thing I recall is that on at least one occasion, thorough analysis by the top-notch group I worked with revealed that indeed, Microsoft does tend to fix "security issues" covertly in some patches. But before the zealous OS bigots start chanting and burning effigies, I should also point out that in several instances, we discovered that EVERY vendor does it. The question that the behavior raised is whether it was benign behavior on the part of programmers fixing what was perceived as a "programming issue" versus a "security issue," or whether it was more nefarious in nature, such as the vendor covering up the problem because of PR implications. This behavior was as prevalent with commercial vendors as it was with open source, and an answer will always be the fodder of opinion-filled debate. If one desires living life to the fullest, there are better debates to waste time on.

2. The great American novelist Samuel Clemens said it best in his quote about statistics. Here we see that US-CERT can produce a convincing pack of damn lies as well as any marketing company. The result of their "analysis" is so skewed that the information produced does nothing to move forward technology security as a whole, though there is an argument that it sets us back. The presentation delivers figures that make it impossible for consumers of the information to make informed decisions. For the sake of example, note that XSS and SQL injection bugs in DCP-Portal appear only under the UNIX/Linux category (they're obviously platform-independent), and the Softe ECW-Cart XSS vulnerability is listed as affecting only Windows. I'll not put further resources into doing the job they obviously couldn't be bothered to do, though I'll mention that it took me less than five minutes to note these contradictions. Also noteworthy is the appearance of CVE CAN-2004-1125 (GNU XPDF Buffer Overflow in doImage), the key part of which is the 2004. I'll leave this point with the following reductio ad absurdum: how is it possible that a vulnerability that was given a CVE ID in 2004 might appear in the 2005 list? Is it that Steve Christey and company have a monopoly on seeing into the future of software vulnerabilities?

3. Finally, the figures lead me to one overall question: how is it that, through a tax-payer-funded, vendor-neutral government partnership with the BEST computer science school in the United States bar the Massachusetts Institute of Technology, the best results that the partnership can produce is a thinly-veiled UNIX versus Microsoft argument? Off the top of my head, I can think of at least five parent categories of vulnerabilities into which these issues could be separated and presented. I can think of several usable criteria to present this data, such as the source of the issue (OS, App, Web App, etc). Early on in my previous position, we recognized the folly of attempting to categorize vulnerabilities based on operating system, if for no other reason than the ambiguity of how the OS is affected by default versus elective software (that which comes with the OS, versus that which you install). In spite of all that, the best we get from a US Government partnership with one of the best computer science schools in the country is the UNIX versus Microsoft argument?

Thank you for taking time to hear me out.

Sincerely,
Hal Flynn

Posted by: Hal Flynn | December 31, 2005 10:16 AM

I agree with many of the comments here:

1. We need a clearer taxonomy. Not everything is a 'flaw in the OS'.

2. Many things seem to be mis-categorized.

3. There are an appalling number of vulnerabilities across-the-board, but MS Windows does have more than its fair share. And the Windows vulnerabilities tend to result in -substantially- greater impacts than those on other systems.

But let's consider the biological aspects of 'virus'. There has to be a vulnerability, a vector and a result/consequence/symptom. Vulnerabilities exist where they exist; this is not based on market share. Vectors, on the other hand, are clearly influenced by market share. The more copies of MS Windows with a vulnerability, the more likely MS Windows is to have that vulnerability used.

The third part is consequence. Both the common cold and AIDS are viruses, but with radically different results/consequences. One of the real problems with Windows, when compared to other OSs, is that the consequences of infection are so much worse. That's the real flaw in Windows: If you get your computer infected, the result on a Windows machine is likely to be catastrophic.

Consider the latest bug which can apparently cause code to execute in a web browser if that browser exposes a certain image. The question for each OS is: What damage can that virus do? On well-designed systems with notions of 'least privilege', the worst that virus could do is mess with the current process and its privileges. If every user process has access to privileged resources (as seems to be the case on Windows), then the ability to do things like mess with the Windows Registry is clearly bad design on the part of the OS.

I think there are two parts to a long-term fix:
1. Better internet (IP level) security, so that addresses are reliable/traceable.
2. Financial consequences for crappy products.

When companies like Microsoft can get their pants sued off for negligence due to bad design, then they'll get serious. Think about the auto industry, and the infamous Ford Explorer rollover suits. Now apply that kind of accountability to the computer industry. Does anyone think that Ford could get away with a "shrinkwrap license" that says "By turning on this vehicle, you agree that you hold Ford free from any liability for any accidents, etc that you might have when operating this vehicle under any circumstances."???

Note that engineering liability laws are pretty well established for things like civil engineering/buildings. I don't understand why this can't be applied to 'software engineering', and I've made that argument in several professional association fora, where it's been quite controversial (with strong opinions both for and against the proposition.)

dave

Posted by: David Emery | December 31, 2005 12:40 PM
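Several of the complaints above (A. Reader and Hal Flynn on web-application bugs being filed under a single OS and on a 2004 id turning up in a 2005 list, David Emery on the missing taxonomy, and Brian's own question about how many flaws one Microsoft patch really fixes) can be checked mechanically once the list is in rows. The script below is an added example, not code from the Security Fix post, from US-CERT or from any commenter. Its rows are constructed to mirror the cases the thread cites: product names are reused from the thread, every CVE/CAN id is invented except CAN-2004-1125 (which Hal Flynn quotes), and the advisory names and the xss/sqli/overflow labels are assumptions made for the example.

```python
"""Sanity checks on an OS-bucketed vulnerability tally.

Constructed sample rows stand in for a year-end list like the one the post
links to: one row per (advisory, product, id, OS column).  Ids are invented
except CAN-2004-1125, which the thread quotes; the kind labels and advisory
names are assumptions for this example.
"""
import re
from collections import Counter, defaultdict
from typing import NamedTuple


class Entry(NamedTuple):
    advisory: str   # vendor advisory or patch the row came from (assumed)
    product: str
    vuln_id: str    # CVE-YYYY-NNNN or CAN-YYYY-NNNN
    kind: str       # xss, sqli, overflow ... (assumed classification)
    bucket: str     # windows | unix | multiple: the scorecard's OS column


# Constructed sample (ids invented unless noted in the comment).
SAMPLE = [
    Entry("DCP-Portal advisory", "DCP-Portal",        "CAN-2005-9001", "xss",      "unix"),
    Entry("DCP-Portal advisory", "DCP-Portal",        "CAN-2005-9002", "sqli",     "unix"),
    Entry("ECW-Cart advisory",   "Softe ECW-Cart",    "CAN-2005-9003", "xss",      "windows"),
    Entry("Apple SU 2005-007",   "Mac OS X",          "CAN-2004-9004", "overflow", "unix"),
    Entry("Apple SU 2005-007",   "Mac OS X",          "CAN-2004-9005", "overflow", "unix"),
    Entry("Apple SU 2005-007",   "Mac OS X",          "CAN-2005-9006", "overflow", "unix"),
    Entry("xpdf advisory",       "GNU Xpdf",          "CAN-2004-1125", "overflow", "unix"),  # id quoted in thread
    Entry("KDE advisory",        "kpdf (xpdf-based)", "CAN-2004-1125", "overflow", "unix"),  # same bug, second row
    Entry("MS05-nnn (made up)",  "Microsoft Windows", "CVE-2005-9007", "overflow", "windows"),
    Entry("MS05-nnn (made up)",  "Microsoft Windows", "CVE-2005-9008", "overflow", "windows"),
    Entry("MS05-nnn (made up)",  "Microsoft Windows", "CVE-2005-9009", "overflow", "windows"),
    Entry("Mozilla advisory",    "Firefox",           "CVE-2005-9010", "overflow", "multiple"),
]

ID_RE = re.compile(r"^(CVE|CAN)-(\d{4})-(\d{4,})$")
PLATFORM_INDEPENDENT_KINDS = {"xss", "sqli", "csrf"}   # bugs in the web app, not the OS


def id_year(vuln_id: str) -> int:
    """Year embedded in a CVE/CAN id; raises on anything that is not one."""
    m = ID_RE.match(vuln_id)
    if not m:
        raise ValueError(f"not a CVE/CAN id: {vuln_id!r}")
    return int(m.group(2))


def row_count_by_bucket(entries) -> Counter:
    """The naive tally: one row is one 'flaw', summed per OS column."""
    return Counter(e.bucket for e in entries)


def distinct_ids_by_bucket(entries) -> dict:
    """Same tally after deduplicating on id: rows that share an id are one bug."""
    ids = defaultdict(set)
    for e in entries:
        ids[e.bucket].add(e.vuln_id)
    return {b: len(s) for b, s in sorted(ids.items())}


def stale_ids(entries, report_year: int) -> list:
    """Ids minted before the report year: old bugs padding this year's count."""
    return sorted({e.vuln_id for e in entries if id_year(e.vuln_id) < report_year})


def misbucketed_web_bugs(entries) -> list:
    """Web-app bugs (platform-independent by nature) filed under a single OS."""
    return [e for e in entries
            if e.kind in PLATFORM_INDEPENDENT_KINDS and e.bucket != "multiple"]


def ids_per_advisory(entries) -> dict:
    """How many distinct ids one vendor advisory or patch carries."""
    ids = defaultdict(set)
    for e in entries:
        ids[e.advisory].add(e.vuln_id)
    return {a: len(s) for a, s in ids.items()}


def report(entries, report_year: int) -> str:
    """Human-readable summary of every check above."""
    lines = [f"rows per bucket:         {dict(row_count_by_bucket(entries))}",
             f"distinct ids per bucket: {distinct_ids_by_bucket(entries)}",
             f"ids older than {report_year}:     {stale_ids(entries, report_year)}",
             "web-app bugs pinned to one OS:"]
    lines += [f"  {e.product:<18} {e.vuln_id} -> {e.bucket}"
              for e in misbucketed_web_bugs(entries)]
    lines.append("distinct ids per advisory:")
    lines += [f"  {a:<22} {n}" for a, n in ids_per_advisory(entries).items()]
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE, 2005))
```

On the constructed rows the row count (12) already overstates the distinct ids (11) because one xpdf bug appears twice, three of the ids carry a 2004 year, the three XSS/SQL injection rows are all pinned to one OS, and the one made-up Microsoft bulletin accounts for three ids on its own. Point the same functions at a real list exported to rows and the gap between "rows" and "bugs", the proportion of stale ids, and the ids-per-patch ratio are the numbers the post is asking for.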

It's obvious CERT just couldn't handle the taxonomy of a list that size. But as a Macintosh sysadmin I noticed early on that Apple's "Security Updates" were often a bundle fixing known problems, and fixing some that had not been made public. Sort of Patch Tuesday, except Apple did them whenever they felt like.

One randomish example from the list, SB05-229 includes "Apple Security Update 2005-007", a catch-all for 19 CAN advisories, 6 of which have 2004 tags. The punchline, CERT says: "Currently we are not aware of any exploits for these vulnerabilities."

CERT has always been way down on my list of security sites for timely and accurate information.

Posted by: PeterK | December 31, 2005 4:46 PM

ok ... so you've taken the time to tell us what you don't know. We appreciate that. Good job Brian Krebs! Nice to see you're taking the effort to ask the questions ... I hope you plan to write a follow-up article that actually answers a question you've asked. Do you ever research this stuff, or just browse the internet and say "I think I'll copy and paste this today ... that should get me paid"? God, man! Don't waste our time.

Posted by: someone who takes the time to question... | December 31, 2005 6:01 PM

WTF. The author spends no time even talking about Linux/Mac, and all the comments are about how the data is misleading since there are fewer flaws listed under Windows. Then people try to vindicate Linux/MacOS by saying most of the flaws listed are 3rd-party software. First of all, if 3rd-party software makes your OS hackable, your OS has a problem. Second, there's no way to prove that Linux or MacOS is more secure than Windows, so quit making that assumption. I've seen Linux, Solaris, and Windows boxes hacked. I've yet to see a secure OS.

Posted by: Sanity | December 31, 2005 6:16 PM

A question for Windows Lover:

I'm running as Administrator (when I run Windows). So are my parents when they run Windows (always).

I wouldn't dare do that on Linux.

Why do I run as Administrator? Because it seems like I *need* to run as Administrator. Install Norton Antivirus as Administrator. Reboot to Normal user. Watch Norton fail to start. Shift to Administrator. Repeat as necessary for other software.

I've tried running as a Normal user. I can either be a restricted user without AntiVirus, or an Administrator with AntiVirus. I've chosen with AntiVirus.

Anybody have a solution for this situation?

Posted by: JustAGuy | January 1, 2006 3:15 AM

CERT forgot the biggest security threat out there: SUE, stupid user error. Uneducated users and foolish users wreck more equipment than anything. Oh yeah, you guys and gals that continually argue about what is better, Windows or Unix/Linux: get over it.

Posted by: D Babcock | January 1, 2006 7:54 AM

how much were you bought by microsoft? the fact you don't have a g.... clue about linux or other unix systems, as just the number of flaws doesn't mean anything...

it can be what they are, where they are found, how bad are they.

reoface

Posted by: Supertux | January 1, 2006 9:09 AM

Back when I performed test engineering on the UNIX OS for a large vendor, the kernel folks (legends in their own minds) referred to "stupid user error" (SUE) as UIAI: user is an idiot. Same symptom, different sobriquet.

Posted by: colonelklink | January 1, 2006 10:11 PM

Interesting line. Having switched to Mac a year ago, I have the following comments about this story. 1) Apple supports their product far better than Microsoft. 2) I would not trust my banking information to Windows. The neighborhood kids play their online game on our Mac because they have lost their 'person' to some sort of spyware on their Win XP machines. Not a big deal, until it is your bank information. 3) The idea that the bad guys leave Apple alone because it is only 4% of the market is very flawed. Hackers have pride; who would not like to be the first to hack a Mac? While only 4%, the demographics of that 4% make a real nice target for any bad guy. 4) Both the WaPost and the source stand to benefit from the spin on the story. 5) Krebs can now apply for his dream job at FOX.

Posted by: M.Car | January 1, 2006 11:20 PM

To T. Woosan,

What monopoly? What's stopping you from using other products, such as Opera, OpenOffice, GIMP, etc? Or even Linux instead of Windows?

H. Carvey
"Windows Forensics and Incident Recovery"
http://www.windows-ir.com
http://windowsir.blogspot.com

Posted by: H. Carvey | January 2, 2006 7:28 AM

Both operating systems are "insecure" and can be hacked easily. An Intel-based hardware/OS combination will never be as secure as a proprietary hardware/OS combo.

The real question is: what is the likelihood of being hacked running a given OS? Statistically you're more likely to be hacked and suffer information damage running Windows. With Linux, you're more likely to be "rooted" and unknowingly turned into a Windows attack staging area.

So Linux is as insecure as Windows. But Linux is developed by hobbyists for free, while Windows is developed by the richest company in the world. A company that could have fixed the problems years ago (with all of your support $$$), and had a rock-solid enterprise-class operating system that dominated the market. Instead it has to compete with a garage-hacked amateur OS that's faster, cheaper and better.

Obviously corporate bonus structure has no room for user security.

Posted by: Ken Harbin | January 10, 2006 10:57 AM

Those who exploit the vulnerabilities of others will maximize their efforts. This means focusing on
- applications
- OS(s) with the greatest exposure. No one cares whether it is Windows or Linux; the MO is clear: to affect as many as possible.

Posted by: Biagio | January 11, 2006 9:30 AM

Your site is really very interesting.

Posted by: Dublin Flats | March 21, 2006 5:30 AM


© 2010 The Washington Post Company