Study analyses ten years of security holes
Spanish security firm S21sec has released a review of the security holes of the past ten years in its first annual vulnerability report. The well-respected company creates security analyses for organisations such as the European Network and Information Security Agency (ENISA).
Since 2001, S21sec has collected all major software companies' known security holes in a database, including those of Adobe, Apple, Google, Microsoft and Oracle. The "Vulnera Database" is fed from 36 sources, among them well-known contributors such as CVE, Bugtraq and Secunia. It currently lists more than 22,000 products and over 74,000 security holes in total.
According to S21sec's statistics, the number of security holes found last year decreased significantly compared with 2010 – despite the fact that Apple in particular reported more holes than in previous years. S21sec's ten-year review states that the highest number of holes was reported in 2006 – more than 10,000.
Almost 7,000 important holes were reported in 2011 alone, with the most reported in March. Surprisingly, the Chrome web browser was responsible for the highest number of security holes. In the web browser category, more than half of the security holes were found in Google's browser (54%), followed by Firefox (18%) and Opera (10%). Safari and Internet Explorer both scored below the 10% mark. However, the statistics don't take into account how long these holes remained open.
In the client operating system category, the largest number of holes was reported for Windows 7, XP and Vista – not really a surprise. Some distance behind was Mac OS X with 60 security holes. The Ubuntu, Fedora and SUSE Linux distributions reported fewer than 10 holes. It was a similar picture in server operating systems, with Windows 2003 Server leading the pack with more than 100 vulnerabilities, followed by Mac OS X Server with over 60 holes and FreeBSD, OpenBSD, HP-UX, IBM AIX and Solaris all having fewer than ten holes reported.
Results in the smartphone operating system area were somewhat unexpected: iOS with 35 holes was far ahead of Android, for which fewer than 10 holes were reported – unfortunately, S21sec didn't provide an exact figure. Adobe's Acrobat and Reader products shared first place among the major applications and plugins, followed by Oracle's 10g and 11g databases and Apple QuickTime.
According to S21sec, the overall trend is towards a rise in remote exploits and highly sophisticated trojans. For 2012, the security firm anticipates a growing number of threats, particularly in the area of mobile devices. The 468 million smartphones in use are an attractive target for malware authors, said S21sec.