This is the result of nearly a decade of work from MSFT, across the board. They built better tools, drilled security into every new hire all the way to the execs, made it a part of every engineering and product process imaginable. Happy that is finally being acknowledged on the outside.
I still remember how painful it was to ship anything, waiting in queue for security team signoff. Good to see it payoff though. Good on Microsoft - making secure products and smarter engineers in the process.
"Happy that is finally being acknowledged on the outside."
Not to mention by a reputable security company in the business (we all know there's some sources whom are... biased... to put it nicely). Congrats to Microsoft, glad to see they've put security so highly on their priority list. Not to mention the involvement they try to get with hackers, and worldwide trying to stop spam botnets, etc... Very nice to see a corporation working like that.
Jan 15, 2002 email from Bill Gates to all MSFT staff [1]. Includes some real gems, like;
>So now, when we face a choice between adding features and resolving security issues, we need to choose security. Our products should emphasize security right out of the box, and we must constantly refine and improve that security as threats evolve.
I was hugely impressed by Bill when I read that memo, I checked with my friends who worked there to see if it was 'real' or a PR stunt, and they universally agreed it was very very real.
I suspect Google is about to be tested in this way given the adoption of Android on mobile devices. It is fortunate that they have a strong security culture to begin with but nothing proves that like being battle tested.
Google isn't the first company that would come to my mind. I'd rather go for Apple. Their mobile ecosystem might be a lot more secure than Android's, but the way they acknowledge OSX vulnerabilities and how soon they fix them is a weak spot.
Apple regularly loses security shootouts, and is widely derided by security people. Their only advantages are their niche status (which they are losing) and their lack of consideration towards old apps (they can dump old APIs which are hard to secure, and make other backwards-incompatible fixes, because they just don't care that much about backwards compatibility).
> Rather than developing standalone applications and Web sites, today we're moving towards smart clients with rich user interfaces interacting with Web services.
Good for him. This doesn't seem to be the attitude of many in the startup scene. It isn't the attitude of all too many app developers. It also doesn't seem to be the highest priority at Apple.
it was a response to the very real threat of Linux. MS was getting publicly beaten on an almost monthly basis by malware authors. It was a whack-a-mole contest to keep our boxes patched. I still scratch my head and wonder why our bosses have kept demanding Windows Windows Windows...
The "Summer of Worms", after Slammer, Blaster, and Welchia owned up some huge fraction of every Windows machine connected to the Internet, including large portions of the DoD. Microsoft's software security was repeatedly on the front page of CNN and the subject of Congressional hearings.
If you wanted to put Microsoft under a microscope from 2003-2010, during the time where they were actually putting in the work to transition from a 1990's software security practice to a 201x security practice, you'd find plenty of "smoking guns" to win arguments with on message boards.
TL;DR: you probably won't notice unless you are looking for bugs in their products, and trying to write exploits.
You will certainly not notice any improvement in their "creative" apps.
But these do not really form a part of most people's "internet attack surface". The priorities are Reader and Flash. Perhaps AIR.
Adobe Reader X is a lot more secure than Reader 9 was. The bugs are still there - many Reader 9 bugs affect X. However, exploitation is much harder, and I haven't seen anyone get reliable code execution in X yet.
They are supposed to be working hard on Flash too, although I haven't looked at that recently. I remain unconvinced that Flash is actually fixable, but perhaps they could win with strong enough sandboxing and exploit mitigation...
I usually get shouted down when I say this but Microsoft's focus on secure code over the last 10 years has paid off. Not only is the OS too hard a target hence the increase in Java, adobe product exploits, but their software running on their OS has fallen in line too.
I know the saying many eyes make bugs shallow, but so does billions of dollars and years of concentrated effort. Kudos to Microsoft for getting their act together.
No, the saying does not hold. Microsoft didn't buy "many eyes"; they bought a relatively small number of very specialized eyes. At any one time in the mid 2000's, something like 4-5 security firms did $1MM or more in a year at Microsoft, and those firms each had between 15-40 people working at them --- and no firm did 100% of its business at MSFT.
What happened at Microsoft may not disprove this folk wisdom about defect detection, but it's evidence against it, not for it.
That's not really how secure coding works at Microsoft though. There aren't more eyes on the code, just more developer training and more processes in place. (At least that was my experience working there from 2006 to 2009.)
We also have mandatory security training for all developers. Turning every developer into a security reviewer helps a lot.
It's nothing compared to the knowledge I got by working in app sec or teaching network security, but it's pretty good for increasing the base of knowledge among general developers.
And that is an interesting point; and it is specifically the point the G*P was making, which was obscured by saying, "Oh, but there are still multiple eyes here."
If I understand correctly, I think it's a function of how they rank their vulnerabilities. "The rankings are based on the percentage of users whose computers had the vulnerability in question"
Machines running Apple software on Windows >> machines running Apple software on Macs. So the same vulnerability wouldn't show up even if it existed in iTunes on OSX, for example.
Quicktime on Windows is stuck at version 7, which is riddled with numerous problems. It's this old Quicktime codebase that is the source of the Quicktime and iTunes vulnerabilities on Windows.
The current version on Mac and iOS is Quicktime X. This version was a complete rewrite (that started on iOS and eventually migrated to the Mac). The complete rewrite allowed for a vastly more secure design (among other improvements).
But the iTunes backend is still QuickTime 7 on both Mac OS X and Windows. QuickTime is really only present on Windows machines nowadays as the backend of iTunes.
I think it could be that the platform works differently enough that you can build vulnerable Windows software by just making some assumptions that would be correct in OSX land but not in Windows. Vice versa, most probably.
The runtime isn't written in a managed language, and that's where most of the vulnerabilities happen, right? The holes aren't in application code, but in _running arbitrary code_, which the JVM fails to do safely.
The surface area exposed is larger, because you're allowing the browser to download and run arbitrary programs, something you don't do with unmanaged languages very much.
Edit: Also, just consider how much worse it'd be if Java apps were re-written in a language that allows buffer overflows. Enterprises already cannot get security right; even generating SQL queries results in problems. No way would those teams deal with yet another layer of security issues. Hell, I've dealt with commercial teams writing in C++ thinking a buffer overflow has "something to do with network rate limiting."
> "The runtime isn't written in a managed language, and that's where most of the vulnerabilities happen, right?"
At least some of those Java vulnerabilities are logic errors in the sandboxing/securitymanager parts that are supposed to prevent applets from accessing privileged APIs, and those checks are usually implemented inside the actual java.* standard library classes, in the Java language.
The problem mostly isn't the runtime itself, but instead the various 3rd party modules (all of which are written in late-90's-era C/C++) that get hooked up to the JVM. For instance, the Quicktime API for Java exposed scalar integers, intended to be "opaque", but in fact raw memory locations.
The JVM is good. The Java Applet Plugin, on the other hand, is a problem.
Well, sure. But I think that's maybe missing my point -- a managed runtime needs "holes" in it to do its job, which exposes the security problems of the rest of the system via inevitably leaky abstractions. The point was that the managed runtime does nothing to address this, it has to drill down to a C API at some point (or deeper, consider a similar hole in a shader compiler or video codec accelerator).
And contrast with alternative affirmative/MAC-based sandboxing schemes like Chrome's NaCl, or OS-level stuff using SELinux/AppArmor. These don't require a managed runtime at all, and yet appear ("appear" being a critical point of courses) to solve this problem in a more robust way.
So, you're right of course, but I just want to point out that the JVM is very very widely used in another setting other than applets where it has a much better track record: serverside web applications.
I'm not sure we really know how to secure a desktop application / fat client platform yet.
It is inherently more secured in the same context. The JVM applet sandbox has to stand up to random code off the internet, whereas native code is almost only installed explicitly.
Remember ActiveX and how it was worse than Java applets?
It seems to me that the only reason we put up with JVM applets (whereas anyone suggesting we put up with people ActiveX would rightfully be laughed down these days) is because of that steady monotonous stream of crap about how much better Java is for security. It has dropped our collective paranoia far too low.
South Korea's situation is pretty unique/extreme in that way, though. At least I'm unaware of any other places that suffer a similar lock-in spiral. Except corporations, maybe.
Java is or was until very recently as anyone who has used it since 1995 will know and remember. Recent issue have arisen, hopefully Oracle is going to get its track record up to what Sun's was. Until then, a few bad recent reports for Java 7 will not wipe out decades of countless security reports for all of Windows Operating System and many relied upon Windows applications.
Java applets are still far more efficient and far more powerful and have far greater operability with Java web server software than even HTML5 will have.
Are you saying history in general is not pertinent to analysis? Is your rule only true for security issues or you do you feel that way about everything?
That's not true. All four major browsers can run CLR code through Silverlight [1] and depending on the statistics you use, the installation base for the plugin is in the same ballpark as Java, somewhere between 65% and 75% [2]. StatOwl even has Silverlight slightly ahead of Java at 69.7% vs 70.0% [3].
Of course, these are desktop stats. On mobile, it's a different story.
Set your browser to never auto-launch plugins, but require click to play.
If you're not already using ad-block, you will be amazed by how much it improves the performance of your general internet-surfing. So, besides security mindedness, there are already other good reasons for doing it.
Reading http://www.securelist.com/en/analysis/204792250/IT_Threat_Ev..., I find it surprising that the Netherlands manages to be the best malware exporter in the world (third in 'production', close behind Russia and the USA (both with a much larger population), but also in the top 10 for 'least consumption', a list that neither Russia nor the USA made).
Does anybody have any idea how that comes about? The only reason I can think of is that Amsterdam is a huge node in the Internet backbone (http://en.wikipedia.org/wiki/Amsterdam_Internet_Exchange). Malware authors might want to host their stuff close to such nodes, so that they can distribute their wares efficiently.
The Netherlands has a long history of being a hub of international trade, from spices and bulbs to diamonds and IP packets. Add to that its tolerant attitude towards pornography, prostitution and drugs - compared even to much of Western Europe - and it wouldn't be much of a surprise to see organized crime diversifying beyond things like porn hosting (which benefits from the IXP you mention) into malware and identity theft too.
If you're running Chrome please for the love of all that is holy enable Click-To-Play for all plugins. With it disabled it is like running without a pop-up blocker.
You can do so in Settings -> Advanced Settings -> Content Settings -> Plug-Ins -> Click To Play.
When you visit a site which has a plug-in you'll get a UI control similar to the pop-up blocker which allows you to add it to the exceptions list and or to allow it just this one time. You should add YouTube to the exceptions list.
HTML5 videos on YT start automatically, which is exactly what I don't want, and in fact the second-biggest reason I use click-to-flash (first being animated ads). At one point, I was being forcibly opted into HTML5 video on YT and had to disable that feature in Firefox to get back out of it.
Every time I join the YouTube HTML5 trial it gets silently turned off and videos start playing in Flash again a week or two later. Does that happen to anyone else?
Yes! I have turned that on many times and I always end up watching flash videos again. I wonder if it had to do with my session cookie expiring. Does anyone know how they toggle this experiment on/off for different users?
I'm in the beta, I've never had to rejoin. Possibly because I'm logged into my Google account, which is linked to my Youtube account. Note that some Youtube videos are still delivered as Flash, I believe is whenever adverts are shown.
I'd go one step farther and just disable plugins. I have run without plugins for years and it really is a non-issue 95% of the time. If I absolutely need a plugin I will enable it for the time I need it and then disable it again.
And to think that a free (as in it didn't cost me a cent unless I want to pay for it) piece of software protected me from most of this. The phenomenon known as NoScript is quite marvelous in doing its job without eating much of my CPU cycles :-)
Of course, when you get down to the bottom line you know it's not a huge technical feat, but really, neither is anti-virus software. It's a matter of foresight and hard work. Donate today :)
(Disclaimer, I am in no way connected with NoScript other than being a happy user)
Edit: After posting this I realize it comes across as a bit of advertising and not contributing much to the conversation, I was about to delete it, but I stopped myself and wanted to add: I am -truly- happy not having to (even though I do) worry about what links I can click.
Haha. Great to see iTunes and QuickTime (Windows versions, probably?) on the list... Apple should really either update them (I'm not sure iTunes 11 will be released for windows too), or just abandon them (and ask customers to use iCloud for backup). A few days ago I opened a .mov on a Windows machine with QuickTime - it was horrible. I can't imagine how dreadful iTunes probably is. No wonder all PC guys hate iTunes...
I hate iTunes on every platform. It's bloated; it tries to do too many things and it does them all wrong. Just as an example, searching for anything with iTunes is a horrible experience, particularly when compared with searching the 'net with any of the top search engines. Book, app and media management are terrible. Cross-computer management of the same is terrible. Backing-up your iPhone, if you are not careful, can result in erasing every single app from your phone and replacing them with what happens to be on the new machine's iTunes. Take a music database that Windows Media deals with without any issues whatsoever (devoid of metadata other than folders with the album name and files with the song names). Import it into iTunes and watch it get mangled. Albums get destroyed, songs end-up categorized in weird ways, etc.
Yeah, I feel you. I'm on OS X and hate iTunes with a passion (it's almost an obsession). I almost died of grief when I learned iTunes 11 was delayed...
The sheer number of bugs that crapware has is unbelievable. And don't get me started on Music.app on iPad (iOS 5 and 6), or the dreadful state of "Shared Media" in iPhone and iPad's Music apps (stream from a computer).
God I hate them. If I ever switch from iOS/Mac, iTunes/Music.app are to blame.
I hate iTunes too for all of the reasons mentioned above, however there's one thing it does at least half-ok'ish:
It doesn't eat a ton of CPU while playing a few simple MP3s...
I've tried using Clementine (an Amarok-fork, my favourite music-player by far, at least on Linux) but it's just a resource-hog - comparatively at least.
So yeah - does anyone have suggestions on what to use for music playback? Something that doesn't suck? Something that doesn't waste precious CPU-cycles without reason, generating heat and wasting battery on the go?
I've been using http://www.foobar2000.org/ for almost 10 years now. Though most of my music now is in the cloud, I always keep a heavily modded version of fb2k on my PC.
This is BY FAR the best audio player available.
I had some respect for Amarok when I was on KDE 6-7 years ago. Nowhere close to fb2k though. Nowadays on Linux I prefer just plain old mpd.
PC guy here. Have used Fedora for years as my daily OS and the only reason i have a Windows VM on my linux machine is actually because i love iTunes so much. I don't have an iDevice, either.
I've used a vast array of media players for Linux and Windows and nothing i can find matches the features iTunes has for organizing my music library.
However, it's difficult to understand why Apple doesn't update iTunes on Windows more frequently. I'm pretty sure the last iTunes update on Windows fixed well over twenty-five security vulnerabilities in open source libraries that were known for upwards of six months to everyone.
While that STILL doesn't match the negligence of companies like Oracle and Adobe, it's still negligence. Unacceptable negligence which is putting users at risk.
Oracle took the top 2, but Adobe had 5 runners up. Too bad Adobe couldn't overtake Oracle, they clearly put in a lot of effort at it. And Microsoft.. not even being listed? Are they even trying anymore?
The OP is a list of vulerabilities by severity. When I look at the current US-CERT database, I don't see any Microsoft products in the top 10 results by severity[1] or by date[2].
The notion propagated by fanboys is that Microsoft software is the least secure on the planet, and if you believe that then you might well expect Microsoft to occupy many if not most of the top 10 places. The point of the headline is that it doesn't. It's based on challenging a known assumption, not establishing the opposite assumption.
Every time Microsoft releases a new product the Astroturfing goes through the roof and the dishonest message is insulting to experienced system engineers.
The implication here is that Microsoft didn't actually improve their security so much as Oracle and Adobe failed to keep up with theirs. I don't know whether you intended to say that, but either way, it's a false statement.
Glancing at the list, I see there are only four companies in the world who cannot claim they don't have a single product on Kapersky's top 10 vulnerabilities list.
For security reasons, I've stopped using PDF readers based on Apple and Adobe code. I'm now using XPDF through an Automator app as my default PDF program, with Google Chrome as an alternate.
Dropping out of the overall top ten may have little or nothing to do with better security since the calculation is intentionally skewed to measure by number of affected users.
MS bugs got raised to the top in a desktop dominant world, but they've lost ground (and therefore importance in this calculation) against mobile/tablet/etc devices making the most successful cross platform products capable of affecting more users.
Sorry for going off topic but, I hadn't seen the nextweb new design before. I found it quite disorientating, there is so much orange "stuff". I just didn't know where to look.
I wasn't bothered by the colors so much as the layout. Almost every news source I read has the article all the way to the left, with navigation at the top and secondary content on the right. Having the navigation on the left and the content on the right was disorienting (and I've felt the same with Google's newer blog layouts). I can understand doing this on a tablet, but on a desktop it feels... overly simplified.
My question is, would you run Windows 7/8 without any anti-virus software at all? Do you feel that comfortable? After years of Linux/OS X I can safely say that I won't use an OS that requires anti-virus ever again.
I used to run Security Essentials. When I upgraded to 8, it automatically uninstalled it. It's baked into the OS now, along with a constantly updated blacklist of known malware programs if you try to manually install something bad. You can get around it easily, but they don't make it intuitive to do so for users who are not comfortable clicking around and exploring.
Above and beyond being comfortable not using an AV on Windows 8, I would go as far as to say that if you are using an AV on Windows 8, you're being taken for a ride by your vendor of choice. And I say this as an information security professional. I've tried to get a virus on Windows 8 without doing anything more than what it takes to get a virus on Windows 7. I did not succeed.
I've had a single virus on a windows machine, and I was about 90% sure that it was going to be a virus and wanted to see what happened.
I don't run anti-virus software, but I think it's only the power users that are capable of doing so. User education is still too low. Would you trust your parents or grand-parents to "not install a virus" ?
Considering the kinds of vulnerabilities we've seen, this may prove difficult. I remember one where browsing to a folder with a specially crafted image provoked a buffer overflow that got exploited.
Man I really hate to break it to you but Linux (and almost certainly OS X) has many privilege-escalation bugs at any given time. Any executable you run on any operating system could potentially be a virus; the main thing protecting you on Linux is that the combinations of buggy kernels and buggy libraries are much wider than on Windows, which generally stays pretty up-to-date and thus consistent across many machines.
Don't pretend Unix-type OSes are immune to malware. Don't forget the Morris worm.
selling antivirus software is a lot less about fixing viruses than it is about convincing the average computer user that they are at risk without XXX antivirus suite.
And yet a friend of mine has to reinstall her shiny new netbook because apparently there is some nasty rootkit/trojan that cannot be removed (so easily).
I'm a long time Java dev and lately it's been terrible, totally terrible, for Java from a security point of view. A gigantic fiasco. Flash's track record is very poor too. Saying that something is "less vulnerable" than these two really doesn't mean much.
We're talking about hundreds of millions of zombie PCs due to Java applets + Flash exploits. So being "less vulnerable" than these technologies doesn't mean much.
So no Microsoft product in the top 10? You mean Word is not as big as an attack vector as Java applets and Excel is not as big as an entry point as Flash? Is there any surprise in here!?
That's not the interesting thing: what concerns most people is the browser they use to surf the Web. Is Safari + Java applet plugin more vulnerable then IE + Java applet? Is Chrome + Flash more vulnerable then IE + Flash?
That's what counts.
And also: how do you install Java on your system if you really need it (e.g. because you're a Java dev) and yet make sure it's not available from your browser? Or from another user account? This kind of stuff is trivial to do on Linux: it's been a long time since I'm using a throwaway user account that has no Java installed to "surf the Web" (using Chrome but whatever). It's trivial to do because on Linux you can install Java from a regular user account (no need to be root).
On Windows this is not possible: installing Java requires the admin password and opens a whole can of worms ; )
I can tell you: I'm surfing from Linux using Chrome which has Flash. I also have Java installed in a separate (developer) user account. And I'm pretty sure this is more secure than surfing from a Windows machine, no matter where Microsoft stands in that report from their "friend in bed" Kaspersky...
Also, for a little touch of irony regaring the article, Kaspersky's revenues are virtually entirely coming from sales of anti-virus protecting Windows OSes. Why aren't they succesful on the Linux servers powering the Internet?
Beat by Oracle and Adobe. Something to truly be proud of. Aw, no one else finds this to be a strange brag? Should we make a list of all of the companies that aren't up there?
