Domain: secunia.com
Stories and comments across the archive that link to secunia.com.
Comments · 2,642
-
Re:Firefox
Yeah, I know very little about this stuff so I just spent some time trying to figure out what's going on. http://secunia.com/ie_redir_test_1 does a 302 redirect to mhtml:http://secunia.com/ie_redir_test_2. http://secunia.com/ie_redir_test_2 does a 302 redirect to http://news.google.com/. I guess the point is to get the content of news.google.com in a page with the location still being in secunia.com. That way the script would have access to anything you have a current session to... webmail for example.
-
And Opera...
And Opera shows up on the advisory page with more serious threat, yet nobody is gloating over that. The fact is, any application is going to have holes. These are truths:
- The number of eyes looking for a flaw is directly proportional to the popularity of the product being studied.
- The number of flaws reported follows the first.
- The more a product grows in popularity, the more eyes look at it for flaws, the more will be found.
- If Linux/Firefox/Any other up-and-comer gains in popularity, their discovered flaws will begin to approach, and eventually overtake those of Windows/IE/Office/etc.
- Get off your high-horse and worry about the day you become popular.
-
Re:Firefox
Actually if you check better what is going on at the HTTP level you find the bug. Just look at it using wget
Request: http://secunia.com/ie_redir_test_1
Answer: 302 with Location: mhtml:http://secunia.com/ie_redir_test_2
where MHTML is a special mime for storing a full web page in a HTML file. Then the browser performs the redirection
Request: http://secunia.com/ie_redir_test_2
Answer: 302 with Location: http://news.google.com/
finally a good browser should stop the forwarding because of the different domain, but instead IE gets confused and grabs the external resource.
-
Re:Disingenuous
I'm not sure if you're serious or not, but this bug was announced months ago in IE 6:
The vulnerability has been confirmed on a fully patched system with Internet Explorer 6.0 and Microsoft Windows XP SP2. Other versions may also be affected.
http://secunia.com/advisories/19738/
-
Re:IE7 maybe not vulnerable?
Secunia has confirmed the vulnerability on a fully patched system with Internet Explorer 7.0 and Microsoft Windows XP SP2. Other versions may also be affected.
http://secunia.com/advisories/22477/
-
Opera doesn't want to feel left out
This vulnerability is not very significant. What I found more amusing was that on the same secunia page there's a list of the most popular advisories and Opera appears just under IE. The Opera vulnerability involves a mistake that any student learns to avoid in his or her first programming class. Furthermore, the Opera buffer overflow is rated as "highly critical" and affects both Windows and Linux versions, whereas MSIE 7's is only "less critical." The Opera bug is truly an amateur's mistake.
-
Come on
It's a "Less critical" vulnerability - not really dangerous at all. Firefox still has equally important unpatched "vulnerabilities" - some of which date back to 2004. Retards.
-
Let's be fair
The same problem is known on IE 6 since April 2006
-
Re:Security patches
I don't know about patches, but the first vulnerability in the final version is already out.
-
Re:Security patches
... zero
-
Re:That loud rattling sound?
I don't know about patches, but the first vulnerability has been announced :)
-
patch as patch can
secunia has already reported the first vulnerability of the IE7.
-
Already hacked!
*sigh*
http://secunia.com/advisories/22477/ ...not that I was going to install it anyway. It looks like all the jokes about introducing new vulnerabilities weren't unfounded then...
-
Re:Restrictive Firewall, not enough for exploits
a port-80 restrictive firewall
And how would this prevent exploits in applications that can use the port 80, like browsers?
Sites like http://secunia.com/ are full of reasons why a restrictive firewall is clearly not enough.
-
Re:DUCK - Ballmer has found the chair clipart
Too late, I scrolled after the crapvert and it says:
The flaw affects PowerPoint 2000, PowerPoint 2002 and PowerPoint 2003, as well as many versions of the Office suite, Secunia said. Its security advisory can be found here:
http://secunia.com/advisories/22394/
-
here ya go
http://www.vnunet.com/vnunet/news/2126479/malicious-trojan-infects-windows-media-player
http://news.com.com/2100-7349_3-5211168.html
http://secunia.com/advisories/20626/
The truly scary thing is that prior to May 2005 http://support.microsoft.com/kb/892313 WMP left you vulnerable to the DRM-based viruses even if you'd explicitly told it not to auto-download DRM code!!
-
Re:ActiveX
New IE Method Vulnerability at secunia.com.
It stated that "Internet Explorer daxctle.ocx "KeyFrame()" Method Vulnerability - nop has discovered a vulnerability in Internet Explorer, which can be exploited by malicious people to compromise a user's system.
The vulnerability is caused due to a memory corruption error in the Microsoft Multimedia Controls ActiveX control (daxctle.ocx) in the "CPathCtl::KeyFrame()" function. This can be exploited by e.g. tricking a user into viewing a malicious HTML document passing specially crafted arguments to the ActiveX control's "KeyFrame()" method.
Successful exploitation allows execution of arbitrary code."
For more information, refer -> http://secunia.com/advisories/21910/
It's becoming more and more obvious that:
"ActiveX is IE's major vulnerability to drive-by downloads, covert spyware/adware installs, and malicious attempts to take over your computer. Because IE is the dominant browser, it is the target of most malicious coders."
So, FIREFOX EVERYONE??!!
-
Number of critical vulnerabilities
Pure numbers of vulnerabilities mean nothing. What matters is the breakdown of the vulnerabilities. For example, Secunia reports 21% of critical vulnerabilities on Firefox, that may allow remote access. The same number for IE is 56% (This is for 2006).
This means that IE has more than twice the number of vulnerabilities leading to a complete system compromise than Firefox.
More info here:
http://secunia.com/product/11/?task=statistics_2006
-
Re:Not so bleak
If we look to Secunia, we see that IE has 106 advisories, 19 of which are unpatched. Firefox has 3 of 36 unpatched.
Why didn't you quote Opera 9's statistics from Secunia too?
Affected By 1 Secunia advisories, Unpatched 0% (0 of 1 Secunia advisories)
-
Opera wins :-)
Have a look at Opera 9.x's advisory list :-)
Affected By 1 Secunia advisories
Unpatched 0% (0 of 1 Secunia advisories)
Most Critical Unpatched
There are no unpatched Secunia advisories affecting this product, when all vendor patches are applied.
-
Not so bleak
From the article (emphasis mine):
That said, Internet Explorer remains the most popular target for attacks, with 69 percent of all browser attacks targeted specifically at that browser alone. 20 percent of the attacks monitored during the period in question were targeted at Firefox.
So Firefox is still less targeted than IE & also gets fixed much sooner.
When it comes to patching, all of the browsers are improving. Firefox is the fastest to get its patches out, with a one-day window of exposure. Opera had a two-day window of exposure, down from 18 days during the last half of 2005. The window of exposure for Safari is up to five days (from zero), while Internet Explorer typically has a nine-day window, down from 25 days in the previous study.
If we look to Secunia, we see that IE has 106 advisories, 19 of which are unpatched. Firefox has 3 of 36 unpatched. The most severe unpatched advisory in IE is rated as "extremely critical." In Firefox, as "less critical."
-
September 13, not September 15
Since this was dated September 17, make that four days ago, not two.
Check the date on the xsec.org page referred to, daxctle2.c. milw0rm 2358 was a re-publication of this, also posted up on 09/13/2006. Republication happened at other exploit advisory sites as well, such as the SecuriTeam(TM) site, where, for some strange reason, the exploit was published twice, redundantly.
The formal vulnerability advisories SA21910 and FrSIRT/ADV-2006-3593, from Secunia and FrSIRT respectively, posted on 09/14/2006, confirmed and extended this, since both groups developed internal versions of daxctle2.c which were reliably effective in compromising fully patched instances of IE6.0 on WXPSP2.
However, both these advisories made it clear that the root cause flaw was in the ActiveX component that was so successfully and famously attacked by HD Moore in July.
Friday's MS advisory, Microsoft Security Advisory (925444), both clarified matters and proposed two workarounds that might be of more use than shutting down ActiveX or fervent prayer, namely:
- Disable just the DirectAnimation Path ActiveX Control in the Registry, or
- Modify the ACL of the actual file Daxctle.ocx to be more restrictive.
-
Re:Duh... It's so obvious...
Unpatched 10% (1 of 10 Secunia advisories)
Oooooh! Unpatched vulnerability!! Eek!
Sendmail fails to log all relevant data
Critical: Not critical
Description:
Sendmail fails to log all details about connections if supplied with an IDENT of more than 95 characters.
It is possible to hide your identity from the sendmail log, if you supply an IDENT that is more than 95 characters, information about your identity however will still be written in any email you may send. The problem is that someone may try to footprint your system, but when you check your log files, you will not be able to find the IP address and hostname of the attacker (or spammer).
Solution:
The easiest way to log these data is by enabling logging on the firewall and making sure that the time is synchronised on the firewall and mail server.
-
Re:Trust / No Trust
-
Re:SHA1SUMs
...it's kind of a joke that you would want to verify the source files to make sure they weren't tampered with, since I doubt a virus can be embedded into a PDF file.
http://secunia.com/advisories/16466
Stranger things have happened. :-)
-
Well, lots really
Security:
Take these two graphs for example - http://secunia.com/graph/?type=cri&period=2005&prod=11
and http://secunia.com/graph/?type=cri&period=2005&prod=4227
In short, you'll notice that although Firefox suffered more vulnerabilities, the percentage of 'severe' flaws are noticeably lower than those of IE. In other words, a bug which could expose browser history is far less significant than one which allows arbitrary code execution.
Oh, and not to mention the extensive library of browser extensions Firefox has for it. Adblock plus for example (http://adblockplus.org/) - you never have to see ads again! In fact, if you really can't be parted from your beloved IE, there's even a "View in IE" extension - http://ieview.mozdev.org/
In other words, Firefox is the "dogs bullocks", as we say in the UK. Get involved!
-
Re:get a grip peeps
MS products are easy to use but I wouldn't be too happy for them to be used for my apps as they aren't secure or stable enough, common requirements for enterprise products.
You say that, but have you looked at the stats? IIS 6.0 has had -far- fewer vulnerabilities in its lifetime than Apache 2.0.
Apache 2.0: http://secunia.com/product/73/ ... 32 advisories since January 2003, including multiple remote access vulnerabilities. Most recently, a system access vulnerability was found with mod_rewrite. 2 vulns still unpatched.
IIS 6.0: http://secunia.com/product/1438/ ... 3 advisories since April 2003, with one remote access vulnerability that was discovered last month, and actually requires an attacker to have a valid logon to the system, and ASP needs to be enabled (it isn't by default). None unpatched.
So really, if you're choosing between Apache and IIS on the basis of security, it's hard to argue in favour of Apache these days. IIS 4 and 5 were rightly scoffed at for poor security (and it didn't help that Windows 2000 had IIS enabled by default), but that's long since changed, and even if you don't ever plan on using Microsoft products, they should at least be credited for making IIS a lot more secure.
-
Re:get a grip peeps
You're right about MS. That is why people don't use MS as an internet platform if they can help it. Look at *nix versus MS Server and Apache versus IIS. MS products are easy to use but I wouldn't be too happy for them to be used for my apps as they aren't secure or stable enough, common requirements for enterprise products.
I am looking. What am I supposed to see?
-
RedHat as a stable platform
There are already plenty of free Linux distributions that work OK. RedHat has two things going for it that keep everyone I know with licenses buying them.
The web-based management tools that are available as part of the RedHat network are pretty good. You can inventory all your machines, see who hasn't been keeping their systems patched (and push updates to them if you want), find out exactly what hardware is in the system, all sorts of useful things right from the admin web interface. I've even used it to lookup the Dell service tag for a system. One place I worked with found it worth buying the RedHat subscription just because of how much these features reduced their Linux TCO by letting administrators manage more machines efficiently.
The second thing is the more important one. RedHat puts a lot of work into keeping their Enterprise products stable for a long time period. That's one of the reasons so many application vendors have standardized on them: they don't have to worry about totally uncontrolled package upgrades.
An example will illustrate what I'm talking about here. Some months ago, I was doing work on a RHEL machine that involved installing some PHP software. When reading through the requirements, I discovered there was a security exploit in the version of PHP installed on that system (php-4.3.9), and got a bit paranoid about it. Upon checking further, I discovered that RedHat had backported the security fixes into the older version of PHP they ship with the system, and the exploit I was concerned about was in fact closed. Most vendors in this situation would have just upgraded everyone to php-4.3.10 because backporting takes considerable resources to do, leaving the customers exposed to whatever functional differences there are between 4.3.9 and 4.3.10.
It's fine for my PCs, but when I'm in a situation where I'm supporting lots of machines, the thought of users being able to get a whole new set of packages with who knows what changes just by running some variant on apt-get gives me the willies. RedHat's pace is just fast enough to stay useful in a corporate environment, while going out of their way not to upgrade any more than is necessary. I'm curious how the Ubuntu server plays out in this situation; the desktop version is clearly far too quick in its pace of upgrades for any of the RedHat customers I deal with to be comfortable with it.
-
Re:Think of the Children!
Please tell me you are being sarcastic. There have been plenty of vulnerabilities and patches for OS X. http://secunia.com/product/96/ . I'm so sick and tired of the myth that OS X is the "most secure" and "unhackable". It's an Operating System just like Windows and Linux and it's not perfect either. You can love OS X for various reasons but NOT because it's "unhackable".
-
Re:You know it's true.
Second, Microsoft makes one billion dollars in profit every month. In my opinion, they should be held to a higher standard.
First off, no they don't. They come close to it, I'll give you that, but it's not quite a billion.
Secondly, the Mozilla Foundation make MILLIONS OF DOLLARS every - who knows what. They aren't saying. (Because they're the Mozilla Foundation and not the Mozilla Corporation so they don't have to. But it's estimated to be somewhere in the order of $70 million.)
So, when you realize Microsoft makes far more products than just IE (including Office, the XBox, various games), both Mozilla and Microsoft are likely using roughly the same amount of resources to secure both browsers.
Third, you're grossly misrepresenting most Firefox users, who don't expect Firefox to be perfect.
Perfect? No. I expect there to be rendering glitches and other errors. I expect there to be some bugs.
I ALSO expect there not to be a good 10 critical security flaws (which, according to other commenters, weren't all actually fixed in this release) being found every couple of months.
We're up to somewhere around 40 critical security vulnerabilities found since Firefox 1.5 was released. Critical in this case means "can run arbitrary software without user intervention". The number of security flaws found in Firefox is, to most users, quite troubling.
Fourth, Firefox is a safer browser to browse the web with, whether you like it or not.
Safer than IE? Sure, I'll buy that.
Safer than Opera? Definitely not. (There are currently 3 unpatched known vulnerabilities in Firefox, compared with none in Opera.)
Safer than Safari? Safari has 2 unpatched flaws, both of which are rated "not critical".
Safer than Konqueror? Konqueror has only one unpatched vulnerability (rated "less critical").
So, Firefox may be safer than IE, but it's less safe than basically every other browser on the market other than IE.
-
Re:Security?!
Security is very important - even more since several CMS integrate forums, up/download facilities, online chat and mailers. Here is the most recent Secunia report on my favorite CMS PostNuke: http://secunia.com/product/350/ Greetings, Chris
-
there will always be more flaws.
... why does there have to be a news story about every one?
if you are really concerned, rather try these rss feeds:
http://www.us-cert.gov/channels/techalerts.rdf
http://secunia.com/information_partner/anonymous/o.rss
-
Re:I wonder...
"Oh, and no exploit on any non-Windows system has ever allowed an attacker to get administrator access by looking in a fracking picture like one MS exploit did."
The WMF vulnerability did not escalate privileges. It ran code with the rights of the logged on user. As for non-Windows systems, there have been plenty of vulnerabilities that can be triggered by looking at a picture, like this, and this, and this and this. I'm sure I could have found more, but I didn't feel like going past page two of my Google search.
"Either way, I mostly use FreeBSD now anyways."
As a long-time FreeBSD user, I must say I'm sorry to hear that.
-
Re:Security doesn't start at rootkit detection
>currently no unpatched remote exploits or program-runs-crap-by-itself bugs I'm aware of. I
You'd be the last to know. First there would be the person who discovered the remote-execution bug, then depending on that person's honesty there would be either Microsoft or the underground zero-day market followed by botnet builders, and only then maybe the rest of us.
But since we don't know for sure that the IE memory overwrite bug in fully patched systems is actually exploitable, the coast may be clear right now in terms of publicly disclosed critical vulnerabilities.
>Don't run everything you download from an unreliable source
Absolutely sound advice but harder to follow than it sounds like, because you have to know who's reliable. That changes from year to year (download.com used to be OK) and from day to day (open source distribution points do get compromised, and backdoored programs uploaded).
-
Re:Security doesn't start at rootkit detection
Now, there are currently no unpatched remote exploits or program-runs-crap-by-itself bugs I'm aware of. In other words: You have to start it!
Oh, really?
Not to mention that if they have to implement double-digits worth of patches a month you have to suspect that there are, indeed, unknown (by the public) security holes to be found, and which may have already been found by blackhats.
Antimalware tools are akin to snake oil and herbal remedies. No sane system should need that kind of overhead, and I've said it before: once you're infected, the only way of going back to a "known clean" configuration is a wipe and restore from "known good" media, or a complete checksum of binary signatures from a read-only known-good boot medium. The only thing antimalware does is make you feel safe, much like the Windows Security Center logo. Once your system is infected, a good root-kit is unremovable, and even garden variety uncommon malware may not be detected by the popular virus scanners; this is exactly what happened to Valve with the Half-Life 2 code theft. Someone designed a custom worm to penetrate their network and e-mail out important corporate files, and they got away with it.