07
Dec 10

Rap Sheets on Top Software Vendors

facebooktwittergoogle_plusredditpinterestlinkedinmail

A new online resource aims to make it easier to gauge the relative security risk of using different types of popular software, such as Web browsers and media players.

Last month, I railed against the perennial practice of merely counting vulnerabilities in a software product as a reliable measure of its security: Understanding the comparative danger of using different software titles, I argued, requires collecting much more information about each, such as how long known flaws existed without patches. Now, vulnerability management firm Secunia says its new software fact sheets try to address that information gap, going beyond mere vulnerability counts and addressing the dearth of standardized and scheduled reporting of important security parameters for top software titles.

Secunia "fact sheet" on Adobe Reader security flaws.

“In the finance industry, for example, key performance parameters are reported yearly or quarterly to consistently provide interested parties, and the public, with relevant information for decision-making and risk assessment,” the company said.

In addition to listing the number of vulnerabilities reported and fixed by different software vendors, the fact sheets show the impact of a successful attack on the flaw; whether the security hole was patched or unpatched on the day it was disclosed; and information about the window of exploit opportunity between disclosure and the date a patch was issued.

The fact sheets allow some useful comparisons — such as between Chrome, Firefox, Internet Explorer and Opera. But I’m concerned they will mainly serve to fan the flame wars over which browser is more secure. The reality, as shown by the focus of exploit kits like Eleonore, Crimepack and SEO Sploit Pack, is that computer crooks don’t care which browser you’re using: They rely on users browsing the Web with outdated software, especially browser plugins like Java, Adobe Flash and Reader (all links lead to PDF files).

Tags: , , , , , , , , , ,

12 comments

  1. Can Foxit Reader be installed with Adobe Reader already installed on my computer?

    • Sure, but even if your default PDF reading app is set to Foxit the possibility exists for exploits to go through Adobe. Just as certain apps I run that open their reports in IE despite my default browser being Firefox, I believe there are ways to force a PDF to open in a specific tool as opposed to the user set default.

      Foxit’s nice, but I’ve really taken to Sumatra myself. Very small footprint and very, very snappy.

      • Russ, Thanks for the comment. Installed Sumatra today and happy so far (replaced Nuance — I gave up on Adobe long ago). Need to note that I don’t require a lot of resource-intensive functionality.

    • Anyone dealing w/ the Library of Congress Copyright process is forced to use Adobe. I download, install, use, and uninstall it on each occasion, using the Search tool to make sure that our dear fiends @ Adobe (now better than ever with Larry Ellison is in charge!) don’t leave any detritus in the machine.

  2. Regardless of what software one chooses to use, the primary key to security is a layered defense (defense in depth). That way, if something makes it past one layer; another is there to potentially stop it.

    There is something to be said though about reducing a systems attack surface by limiting the software installed on a system or choosing to use software that is not highly targeted. An example is I refuse to install Java, Adobe Reader (use Foxit instead), or QuickTime on my systems as they are heavily exploited.

    Bottom line though, security is a process that includes the end user, not a set it and forget thing. And NEVER should one think that just because you’ve chosen to use software that is less targeted that you’re automatically safe from exploit. Again, a layered defense!

  3. I am not sure this is new per se. This exact data has been being published in Symantec’s Internet Security Threat Report for years.

    al

    • Secunia says fact sheets are new so I”ll take their word for it.
      http://secunia.com/company/blog_news/news/157

      • I did not say the ‘sheets’ are not new. I said the data being presented to the public, this exact sort of data, is not new. It does not make it any less valuable, it’s just now new.

    • Al – Your probably right. Fair or not, however, I think more people trust the impartiality of Secunia over Symantec in analyzing this type of vulnerability data. I know I find it hard to read anything published by anti-malware vendors, such as Symantec, where I’m not questioning what the self-serving motivation was.

      • When held in that light Secunia has the same vested interests than Symantec. More so in fact, Secunia makes their living in this space (vulns and their related tech) and it’s nearly all their revenue base. Symantec makes their coin in AV (and storage etc. of course) and accounts for vuln related software on a very, very minimal basis. I personally trust both but if I wanted to be cynical I would pick the one make the least amount of the space. Either way, I think Secunia’s stuff is great, I am not weighting one against the other.

  4. Isn’t some of the update points mute when it comes to Chrome; Since Chrome updates continiously, includes a pseudo/maybe-real sandboxed PDF viewer and I think probably updates Java as well; And flash components which are particularly sandboxed. I think several of these points were brought up again at the recent Google Announcement about Chrome OS. (See http://www.twit.tv/specials for more info and coverage)

  5. I would be interested in knowing if the awareness of the exploits targeting older versions of Adobe really had an impact on Adobe’s bottom line. They NY Times reports, “Adobe Posts Its First Billion-Dollar Quarter”, http://www.nytimes.com/2010/12/21/technology/21adobe.html?ref=technology.

    Would the US be better off if we could devise a cyber economic incentive policy that pushed US companies to develop more secure software?