This post continue my analysis of industry vulnerability disclosures started in part 4 last week and is part of an ongoing series of posts based upon Tim Rains and my recent special edition Microsoft Security Intelligence Report (SIR) called “The evolution of malware and the threat landscape – a ten year review,” which we presented in a breakout session earlier this month at RSA Conference 2012.
In the first three parts of this series (part 1, part 2, part 3), Tim Rains explored some of the ways that the threat landscape (with a focus on malware) has evolved over the past decade and in part 4, I reviewed the high level view of industry vulnerabilities and how things had evolved over the past 10 years. In this part, I will dig a bit deeper on the source of the disclosed vulnerabilities.
Vulnerabilities by Vendor
To look at disclosures by vendor, I took the top firms in terms of disclosed vulnerabilities for 2011 and then graphed their disclosures back over the 10 year period. A variety of vendors show up in this list – some with disclosures around only a few products, while others have disclosures from 50 or more products accumulating to their total. Note that some vulnerabilities did effect multiple vendors, but the counts represent the unique totals under active support by the respective vendor. Let’s briefly review the top vendors for 2011.
Enterprise Linux Distributions. Topping the numbers for most years over the past decade are Enterprise Linux distibutions. The charted numbers come from Red Hat Enterprise Linux, who are probably the best example of Enterprise Linux companies at providing updates and information to their customers. However, since most Enterprise Linux distributions share a majority of components, these numbers are representative, so I charted it more generally. Note that Oracle Unbreakable Linux would fall in this category, as would other Enterprise Linux vendors. Top contributing components include the Linux kernel and Firefox (which would show up as 10th and 11th on this list, considered by themselves).
Apple. In recent years, Apple has vied for the top position, coming in at 1st or 2nd four of the past five years. Apple products incorporate many of the same open source components as Linux distributions (and unlike the Linux distros, typically install them by default), so it is not a surprise to see correlation between the two. Some of the top contributors to vulnerabilities for Apple were the iPhone OS, Safari, iTunes and Webkit.
Oracle/Sun. Oracle and Sun would have separately made it on the list, but the combination placed Oracle in the top four consistently since 2006. Note that this count does not include vulnerabilities affecting their Linux distrbution, so a full Oracle count including Oracle Unbreakable Linux would move Oracle to the top of the list. Top contributors include Java, Oracle Database and Peoplesoft products.
Google. Google is a latecomer in terms of vulnerabilities, but has had the steepest growth curve for vulnerability disclosures over the past three years. Most Google vulnerabilities in 2011 affected the Chrome browser. Though not always attributed in the NVD, since the Chrome OS/Chromium is based upon the Chrome browser, that would be likely be affected by most of them as well.
Microsoft. Back in 2002, Microsoft had the most vulnerabilities by far, but in more recent years has moved down the list.
Adobe. As researchers have broadened in recent years to popular application software, Adobe has become an object of their focus. Top contributors for Adobe in 2011 include Shockwave, Acrobat and Flash.
Beyond Adobe, the next five vendors were:
- IBM. Top contributors for IBM include Tivoli, Websphere and Lotus products.
- Cisco. Top contributors for Cisco include Cisco IOS and Adaptive Security Appliance products.
- Hewlett-Packard. The top vulnerability contributor for HP in 2011 was Openview.
- Mozilla. The top vulnerability contributor for Mozilla was Firefox, but due to the shared code base, many vulnerabilities also affected Seamonkey and Thunderbird.
- Linux. The majority of Linux vulnerabilities affected Linux Kernel 2.6.
Operating System vs Application Vulnerabilities
The NVD does track both hardware and software vulnerabilities, though the number of hardware vulnerabilities disclosed each year remains low. The high point was 198 (3.4%) hardware vulnerabilities disclosed in 2009, so that isn’t really very interesting to chart.
Software vulnerabilities generally break down into vulnerabilities affecting operating systems (OS) or applications, or both. Like many other industries, one vendor’s product can be another vendor’s component. For example, CVE-2011-1089 affects GNU libc 2.3, listed as an application product from GNU. However, libc also ships as an integrated component in several operating systems and is therefore also an operating system vulnerability. For this reason, it is normally difficult to draw a hard line when discussing OS vs application vulnerabilities.
To explore this, I examined the affected products entries in the NVD to categorize a vulnerability as affecting an OS, an application or both and charted the three cases.
I do want to add a caveat here, that I used the NVD affected products field without a lot of scrubbing of the data, so I have some room for improvement in future analysis in this area. Let me use one example to illustrate. Chrome OS from Google is based upon the Chrome browser – in fact the browser is central to the entire OS concept. However, if you manually examine most of the Chrome browser vulnerabilities from the past year, you do not find Chrome OS list as an affected product in the NVD, though it probably is affected in reality. This particular example would only affect the last couple of years and would probably decrease the number of exclusive OS vulnerabilities (green) and correspondingly increase the “both” category (grey).
Operating System Vulnerability Disclosures
To examine vulnerabilities affecting operating systems, vulnerabilities were filtered for affected products designated as an operating system. The top vendors for operating system vulnerabilities all showed up in our earlier overview of top vendors overall: Enterprise Linux distributions, Apple, Microsoft, Linux Kernel and Oracle. [Note: I want to reiterate the caveat that I excluded Oracle Unbreakable Linux from the Oracle numbers charted here, so a true Oracle number would involve a union of the vulnerabilities charted for Enterprise Linux and Oracle.]
Application Vulnerability Disclosures
To examine vulnerabilities affecting operating systems, vulnerabilities were filtered for affected products designated as an application. The top vendors for application vulnerabilities, as charted below are: Google, Oracle, Apple, Adobe, and IBM.
Stay Tuned for More…
At a high level, this paints a good picture of the source of vulnerabilities by vendor have changed over the past ten years, with some vendors coming into more relevance in recent years.
Stay tuned for the next part in this series, where Tim Rains will look at how software servicing has changed over the past ten years.
Best regards, Jeff