Proprietary vendors, including study author IBM, take a beating in a new report that catalogs software vulnerabilities.
Apple, Microsoft, Sun Microsystems, and IBM each sprinted to finish in the top five for most reported security vulnerabilities in the IBM Internet Security Systems's X-Force 2008 Mid-Year Trend Statistics report (PDF).
Not to be outdone, Joomla, WordPress, Drupal, and Linux also fought bravely to make the top 10. This is an indication of their growing adoption. As Sam Dean notes: no one bothers to hack a lonely system that few use.
However, it may also have much to do with the language in which all but Linux are written. According to the report:
An obvious trend demonstrated by the appearance of these (open-source) vendors on the top 10 list is the increasing prevalence of Web-related vulnerabilities...Another commonality between these three vendors is that they are all written in PHP. If we look back over last year's disclosures and apply the new CPE methodology to them, we would uncover another newcomer to the top five list, PHP itself, which would rank number four in the 2007 top five vendor list.
Suddenly, fuddy-duddy Java starts looking pretty good--or would, if the proprietary vendors on the list weren't also using Java or .Net. Perhaps there's simply no language that can protect users from determined bad guys.
As for who is finding the vulnerabilities, this is particularly interesting, especially in light of the "given enough eyeballs, all bugs are shallow" theory of open source. According to the report:
Over the past 1 1/2 years, independent researchers have been responsible for approximately 70 percent of all vulnerability disclosures (critical, high, medium, and low) that were not anonymously disclosed. However, research organizations are responsible for finding nearly 80 percent of critical vulnerabilities (those with a CVSS base score of 10).
In other words, trained eyeballs are better than average eyeballs for finding critical security problems in software. Does this inure to open source's benefit or undermine the "eyeballs/bugs" theory? I'm not sure. I can see both sides on this one.
As suggested above, the report finds that attacks are shifting from the operating system to Web applications...but not necessarily Web browsers, which are becoming more secure. Instead, attackers increasingly rely on "automated toolkits, obfuscation, and the prevalence of unpatched browsers and plug-ins" to attack users' systems. Indeed, plug-ins represent 78 percent of public security exploits affecting browsers.
What to do? Well, there's always the possibility of not using any of the companies or projects on the top 10 list, but that would leave you with a pretty lame technology existence. A little dose of intelligence online would probably go furthest in protecting users from attacks.