Follow Us

We use cookies to provide you with a better experience. If you continue to use this site, we'll assume you're happy with this. Alternatively, click here to find out how to manage these cookies

hide cookie message

Red Hat and Firefox more buggy than Microsoft

Windows not that bad after all.

Article comments

Secunia has found that the number of security bugs in the open source Red Hat Linux operating system and Firefox browsers far outstripped comparable products from Microsoft last year.

In a report released this week, Secunia also criticised CA for the quality of the code in its anti-virus products, saying that "inherent" code problems are exposing CA products to ongoing security vulnerabilities.

On the other hand, "zero-day" security bugs in Firefox were patched more quickly than in Microsoft Internet Explorer, according to the Secunia 2007 Report, released this week.

In a review of the number of vulnerabilities found in enterprise anti-virus vendors' products, Secunia found that CA was by far the leader, with 187 vulnerabilities, followed by Symantec with 73. Trend Micro (34), ClamAV (15), McAfee (13) and F-Secure (6) ranked lower on the list.

The high figures for Symantec and CA are partly due to their wide range of products, some of which cover areas other than anti-virus, Secunia said.

However, the majority of the CA bugs were due to "inherent code problems with some CA products", Secunia said in the report.

Of particular concern is CA's range of ARCServe Backup products for laptops and desktops, which Secunia submitted to its Binary Analysis process after several bugs were reported and fixed. The bugs involved errors in processing particular arguments and requests.

The analysis found that about 60 reported bugs were still present in the supposedly patched versions.

What's more, the analysis found that the vulnerabilities were partly due to "the nature of the product code itself", Secunia said.

"Unless an overhaul of the code is undertaken, then the product remains susceptible to similar types of vulnerabilities," Secunia said.

However CA said in a statement that it has rigorous quality-control measures in place for its software and continues to improve those measures.

A number of the vulnerabilities found in Symantec products were due to their use of vulnerable software from third-party developers, Secunia said.

One of these is the Autonomy Keyview SDK (software development kit), used in Symantec Mail to view Lotus 1-2-3 files. The component was reported to have a "highly critical" flaw on 12 December, but hasn't yet been patched, leaving some Symantec products vulnerable.

Symantec said in a statement that it has published instructions for mitigating the problem and has issued product updates for some affected vendors. IBM, whose Lotus Notes was also affected by the Autonomy bug, has issued its own patch.

Operating systems and browsers
Out of the operating systems monitored by Secunia - Windows (98 and onwards), Mac OS X, HP-UX 10.x and 11.x, Solaris 8, 9, and 10 and Red Hat (excluding Fedora) - Red Hat was found to have by far the most vulnerabilities, at 633, with 99 percent found in third-party components. (Linux distributions are generally composed mostly of third-party software, which is integrated by the distributor.)

Red Hat has taken issue with the figures, claiming the accurate number should be 404 vulnerabilities for last year.

Solaris came next, with 252 bugs, 80 percent of which were in third-party components. Mac OS X came after that with 235, 62 percent of which were third-party.

Windows had only 123 bugs reported, but 96 percent of those were found in the operating system itself. HP-UX had 75 bugs reported, 81 percent of which were in third-party code.

Last week, a US Department of Homeland Security (DHS) bug-fixing scheme uncovered an average of one security glitch per 1,000 lines of code in 180 widely used open source software projects.

The large number of Red Hat flaws is partly due to the large number and wide variety of components it includes.

"Red Hat contains two different browsers and graphic interfaces, a number of PDF readers and image editors, and so on," the report said. "Red Hat, HP-UX, and Solaris can easily be used as servers, and as such include and support a large number of third party components, while the same cannot be said of all versions of Windows and Mac OS X."

Any consideration of relative OS security should look at factors not covered by the report, such as average patching time for vulnerabilities, Secunia said.

In the browser field, Firefox led the way with 64 bugs, compared to 43 for Internet Explorer, and 14 each for Opera and Safari.

However, in an examination of zero-day flaws - reported by third parties before a patch was available - Secunia found that Firefox tended to get more patches, sooner, compared to IE.

Out of eight zero-day bugs reported for Firefox in 2007, five have been patched, three of those in just over a week. Out of 10 zero-day IE bugs, only three were patched and the shortest patch time was 85 days.

ActiveX was hit by the largest number of browser add-on bugs in 2007, with 339 (compared to 45 last year), Secunia said.

The figure was propped up by the Month of ActiveX Controls Bugs in May 2007, and by Secunia's discovery of a vulnerable ActiveX component that was used in 40 different products.

Quicktime followed with 35 bugs and Java with 21 bugs.


More from Techworld

More relevant IT news


Ron said: So how much did Microsoft pay you

James said: In the browser field Firefox led the way with 64 bugs compared to 43 for Internet Explorer and 14 each for Opera and SafariHowever in an examination of zero-day flaws - reported by third parties before a patch was available - Secunia found that Firefox tended to get more patches sooner compared to IEOut of eight zero-day bugs reported for Firefox in 2007 five have been patched three of those in just over a week Out of 10 zero-day IE bugs only three were patched and the shortest patch time was 85 daysSecunia tends to list only some of the Opera vulnerabilities and usually only after they were fixed so the 14 is not a realistic claimSo Firefox is more buggy or vulnerable simply because Mozilla is much more open about this than the others and being open sourceblogmozillacomsecurity2008

Techworld Editor said: We dont normally comment on readers comments but I would like to pick up on what Roy says about our report not being balancedWe do point out that Red Hat flaws are fixed quicker and also point out that the number of Red Hat flaws are due in part to the number of components that it supports in effect what ZD Net says

Roy Schestowitz said: Proper balance in this article seems to be missing Heres what ZDNet said Secunia said that while Red Hat had more reported vulnerabilities than Windows it was not possible to compare its relative security with Microsoft products or comment on the relative security of open-source versus proprietary products based on vulnerability figuresIts impossible to make a fair comparison its like comparing apples to oranges Thomas Kristensen Secunias chief technology officer told ZDNetcouk Red Hat has the highest number of applications included so the number of vulnerabilities that affect it is bound to be higher

Matt Cahill said: Im glad they attempted to qualify the findings by mentioning that RH comes with immensely more 3rd-party applications than any Microsoft OS - while this does proportionately increase the likelihood of bugs overall its important to understand that by sheer bug-count alone one cannot perform an apple-to-apple comparison between the two for this reason

Bradley Holt said: Most likely the number of bugs found in open source software is greater because the source can be examined The key here is the number of bugs found Who knows how many bugs actually exist since its harder for security experts to find the bugs in closed source software The article can be misleading

Andy Macdonald said: CA were well known in the 80s amp 90s for acquiring software companies and then allegedly continuing to squeeze money out of the products while cutting back on RampD etc I dont know if they have changed

Send to a friend

Email this article to a friend or colleague:

PLEASE NOTE: Your name is used only to let the recipient know who sent the story, and in case of transmission error. Both your name and the recipient's name and address will not be used for any other purpose.

Techworld White Papers

Choose – and Choose Wisely – the Right MSP for Your SMB

End users need a technology partner that provides transparency, enables productivity, delivers...

Download Whitepaper

10 Effective Habits of Indispensable IT Departments

It’s no secret that responsibilities are growing while budgets continue to shrink. Download this...

Download Whitepaper

Gartner Magic Quadrant for Enterprise Information Archiving

Enterprise information archiving is contributing to organisational needs for e-discovery and...

Download Whitepaper

Advancing the state of virtualised backups

Dell Software’s vRanger is a veteran of the virtualisation specific backup market. It was the...

Download Whitepaper

Techworld UK - Technology - Business

Innovation, productivity, agility and profit

Watch this on demand webinar which explores IT innovation, managed print services and business agility.

Techworld Mobile Site

Access Techworld's content on the move

Get the latest news, product reviews and downloads on your mobile device with Techworld's mobile site.

Find out more...

From Wow to How : Making mobile and cloud work for you

On demand Biztech Briefing - Learn how to effectively deliver mobile work styles and cloud services together.

Watch now...

Site Map

* *