Slashdot Mirror


5,198 Software Flaws Found in 2005

An anonymous reader writes "Security researchers uncovered nearly 5,200 software vulnerabilities in 2005, almost 40 percent more than the number discovered in 2004, according to Washingtonpost.com. From the article: 'According to US-CERT...researchers found 812 flaws in the Windows operating system, 2,328 problems in various versions of the Unix/Linux operating systems (Mac included). An additional 2,058 flaws affected multiple operating systems.'"

8 of 257 comments

  1. Re:Axe Grinding by someone300 · · Score: 4, Interesting

    Also, isn't this more of a survey of the security flaws of the software running on the operating systems, rather than the operating systems themselves anyway? The summary linked article seems to imply that it's an OS flaw.

    7-Zip isn't an OS vulnerability, nor is 4D WebSTAR.

    Couldn't this be tilted against linux/unix/whatever due to the larger amount of crappy server/networking software available for it?

  2. Re:Axe Grinding by click2005 · · Score: 5, Interesting

    Where is the mention of seriousness of the flaws? How many allow root access or something else serious/critical instead of "clicking this button makes the tool tab disappear" or something.

    They also fail to mention that a lot of these flaws are not in the OS itself (or essential components) but in third-party software.

    A lot of the software isn't even included in a standard installation.

    --
    I am a free slashdotter. I will not be modded, blogged, DRM'd, patented, podcasted or RFID'd. My life is my own.

  3. shocking numbers by CDPatten · · Score: 4, Interesting

    "researchers found 812 flaws in the Windows operating system, 2,328 problems in various versions of the Unix/Linux operating systems (Mac included). "

    If we listened to just the media you would have thought Windows has thousands and the others only had a few dozen. I promise I'm not trolling, but do those numbers stop and make anyone on the site re-think stances? We all saw the numbers that put Firefox with more holes than IE earlier this year too. Could MS be doing a better job, but just getting hammered in the press (who are mostly Apple users by the way)? MS holes get lots of press while other operating systems get a free pass.

    "I know Microsoft issued a lot of patches this year that fixed quite a few vulnerabilities ... but 812? My suspicion has always been that Microsoft sometimes fixes multiple flaws with a single patch, even though its advisories may make it appear as though the patch addressed a singular issue. "

    MS always has an attached KB article that details everything their patch does. I don't think that statement is denial.

    I find myself defending MS a lot on this site, and it's nice to have some numbers from a respected neutral organization to debate some of you guys with. I'm sure after this piece they will be re-classified as MS zealots, but what can ya do.

  4. Re:The state of security by Decaff · · Score: 2, Interesting

    because C and ASM are still the only choices for coding performance sensitive applications

    No. If you look at an area where performance and reliability are critical, you will find that Ada is the dominant language (with Java having increasing use).

  5. Re:Axe Grinding by twiddlingbits · · Score: 4, Interesting

    As someone pointed out, some of these "flaws" are not OS flaws but issues with application software, and the severity levels are not indicated. So, until the list is sorted accurately it's hard to tell if Win or *NIX was better.

    The way I read the results, the *NIX list covers the whole set of OSes of this type. There are at least three major versions of UNIX (Solaris, AIX, HP-UX) and multiple releases/versions of each in production. I know that Solaris 8, 9 and 10 are all still supported by Sun in 2005 and that is a very big base of installed servers. There are about a dozen LINUX distros, some with several releases/versions in production. The Windows numbers cover XP, Win2K, Win2K server, Win2003server. If you count desktops, the Windows installed base is bigger, meaning a flaw may affect more users.

    However, until someone publishes a more detailed study, with the methodology described, we are ALL just speculating.

  6. Re:The state of security by canuck57 · · Score: 5, Interesting

    For gods sake, if you're not writing an operating system you have no business using C. Read my lips: YOU CAN'T WRITE SECURE C.

    I beg to differ, C can be really secure if written that way. The problem comes in that most people do not know how C works inside yet they code something. Then of course to your next point:

    Code reviews may help but they wont remove everything.

    This would solve a lot of issues. How many environments routinely run bounds checking and code reviews for functionality AND security? How many people who really understand C reviewed the code?

    And security problems are not just C problems; any language like Java, .NET, PHP, C# can also have their issues. CERT and others concentrate on the operating systems that we all use but generally skirt application security, which can be very bad. Job schedulers written in Java that allow root access, data warehouses that give up encoded (but not encrypted) UIDs/passwords over the net, the list is long. And how many people use unencrypted telnet/ftp/imap/pop3 even though secure options exist? I know senior NT and UNIX admins that don't know what a key pair is, let alone what a certificate chain is. But they have a half dozen certifications.

    But secure code begins with its priority, in design, and takes more time to code no matter what language you use. Having knowledgeable coders helps a lot. But we are in a day and age where we only want cheap coders. And here is a hint: cheap coders are never good coders or they would not be cheap. Therein lies the issue: more time is something people do not want to spend, either in training, coding or review.
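
The bounds checking canuck57 asks about, shown as an added example that is not part of the original thread or any commenter's code: the same fixed-size field copy written the way it commonly gets broken, beside a version that takes the destination capacity and refuses input that would not fit. Everything in it is constructed for illustration: the function names, the 16-byte FIELD_LEN, the record layout with a flag directly after the buffer, and the sample inputs.

```c
/* Added example; not from the page or any commenter. All names, the
 * 16-byte field size and the record layout are assumptions for illustration. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define FIELD_LEN 16   /* assumed fixed-size record field */

/* The usual unchecked copy: walks src until NUL and trusts the caller that
 * dst is big enough. Nothing here knows the capacity of dst, so a longer src
 * writes past the buffer (undefined behaviour; in practice it clobbers
 * whatever follows). Returns the number of bytes copied, excluding the NUL. */
size_t copy_field_unchecked(char *dst, const char *src) {
    size_t i = 0;
    while (src[i] != '\0') {
        dst[i] = src[i];
        i++;
    }
    dst[i] = '\0';
    return i;
}

/* Bounds-checked copy: the caller passes the capacity of dst. Scans at most
 * dst_cap bytes of src, refuses input that would not fit (NUL included)
 * instead of silently truncating, and never writes past dst + dst_cap.
 * Returns 0 on success, -1 on bad arguments or overflow. */
int copy_field_checked(char *dst, size_t dst_cap, const char *src) {
    size_t n;
    if (dst == NULL || src == NULL || dst_cap == 0)
        return -1;
    for (n = 0; n < dst_cap; n++) {
        if (src[n] == '\0')
            break;
    }
    if (n == dst_cap)          /* src has >= dst_cap bytes: no room for the NUL */
        return -1;
    memcpy(dst, src, n + 1);   /* n bytes plus the terminator, all within dst_cap */
    return 0;
}

/* A record whose flag sits directly after the buffer: with sizeof(name) a
 * multiple of 4 there is no padding, so an overrun of name lands on
 * `privileged`. That is exactly the write the checked copy refuses. */
struct record {
    char name[FIELD_LEN];
    int  privileged;
};

/* Fill a record from untrusted input with the checked copy. Returns 1 if the
 * input was accepted, 0 if it was rejected; `privileged` stays 0 either way. */
int load_record(struct record *r, const char *input) {
    r->privileged = 0;
    if (copy_field_checked(r->name, sizeof r->name, input) != 0) {
        r->name[0] = '\0';
        return 0;
    }
    return 1;
}

int main(void) {
    struct record r;
    /* Constructed inputs: one that fits, one 24 bytes long that would overrun name. */
    const char *ok  = "alice";
    const char *bad = "AAAAAAAAAAAAAAAAAAAAAAAA";
    int accepted;

    accepted = load_record(&r, ok);
    printf("%-26s accepted=%d name=\"%s\" privileged=%d\n", ok, accepted, r.name, r.privileged);
    accepted = load_record(&r, bad);
    printf("%-26s accepted=%d name=\"%s\" privileged=%d\n", bad, accepted, r.name, r.privileged);
    return 0;
}
```

The checked version is deliberately strict: a 16-byte input into a 16-byte field is rejected rather than truncated, because a silently truncated field is its own class of bug. Feeding the 24-byte input to copy_field_unchecked instead, under AddressSanitizer, reports the overrun that the checked copy turns into a plain -1.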

  7. Re:The state of security by Decaff · · Score: 3, Interesting

    I was right with you until you mentioned Java, thanks for the laugh.

    http://mae.pennnet.com/Articles/Article_Display.cfm?Section=Articles&ARTICLE_ID=234337&VERSION_NUM=2&p=32

    "Aonix engineers have demonstrated hard-real-time Java that reaches the run-time efficiency of C, which makes it able to meet the needs of command-and-control applications such as network-centric warfare, Future Combat Systems, and low-level telecommunications control-plane software, Aonix officials say."

    "The Navy Open Architecture guidelines also state that all new development will be done in Java and C++, he adds. "

    Laughing now? Or perhaps feeling a little foolish?

  8. Re:The state of security by lancejjj · · Score: 2, Interesting

    What? C? On Linux? Can you say S-L-O-W!? Just wait until you get some load on that server!

    The fact is that C -or- Java running on top of ANY operating system is a recipe for a performance disaster. Folks with the need for speed know this already.

    The only way to program for speed and performance is to:

      1. snip off any pins on the CPU that could induce interrupts

      2. write your program

      3. Make sure your program only uses the highest performing registers on the CPU

      4. Make sure your program performs no memory I/O once loaded, and performs no loops (a common error!)

      5. Convert your program into opcodes and poke them into memory byte by byte (Opcode mnemonics are for candy-assed wimps.)

      6. Execute your program!

    If your program & its data is too big and bloated to fit onto the CPU's internal registers, then your program will be TOO DAMN SLOW. Then it'll be time to build a custom circuit: keep it small, keep it cold, and keep it massively parallel.