Slashdot Mirror


5,198 Software Flaws Found in 2005

An anonymous reader writes "Security researchers uncovered nearly 5,200 software vulnerabilities in 2005, almost 40 percent more than the number discovered in 2004, according to Washingtonpost.com. From the article: 'According to US-CERT...researchers found 812 flaws in the Windows operating system, 2,328 problems in various versions of the Unix/Linux operating systems (Mac included). An additional 2,058 flaws affected multiple operating systems.'"

5 of 257 comments

  1. Axe Grinding by alanw · Score: 5, Informative
    Brian Krebs is clearly either extremely stupid, or has an axe to grind. If you look at the CERT Cyber Security Bulletin 2005 Summary, you can see that many of the lines in it end in "(Updated)". A simple count of lines gives the results that Brian quotes; however, there are far more "(Updated)" entries in the Unix/Linux Operating Systems section. Removing these lines gives the following results:
    Section    including "(Updated)"   excluding "(Updated)"
    Windows    813                     671
    U/L        2328                    891
    Multiple   2057                    1512

    (sorry about the spacing - can't find any way of doing it)

    greatly reducing the proportion of Unix/Linux vulnerabilities
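As an added illustration of the counting alanw describes (not part of the comment, nor CERT's own tooling), the Python below tallies bulletin entries per section with and without the lines ending in "(Updated)" on a constructed excerpt, and carries alanw's figures so the two methods can be compared on the real totals. The section heading text and the entry titles are assumptions.

```python
import re

# Constructed excerpt in the layout alanw describes: a heading per section, one
# bulletin entry per line, re-issued entries ending in "(Updated)". Titles are placeholders.
SAMPLE_BULLETIN = """\
Windows Operating Systems
Example Vendor Product A Buffer Overflow
Example Vendor Product B Privilege Escalation (Updated)
Unix / Linux Operating Systems
Example Kernel Memory Disclosure
Example Kernel Memory Disclosure (Updated)
Example Kernel Memory Disclosure (Updated)
Multiple Operating Systems
Example Browser Multiple Vulnerabilities
Example Browser Multiple Vulnerabilities (Updated)
"""
# Heading text is an assumption; the short labels match alanw's table.
SECTION_HEADINGS = {
    "Windows Operating Systems": "Windows",
    "Unix / Linux Operating Systems": "U/L",
    "Multiple Operating Systems": "Multiple",
}
UPDATED_RE = re.compile(r"\(Updated\)\s*$")
# alanw's own figures: (including "(Updated)", excluding "(Updated)").
PAGE_COUNTS = {"Windows": (813, 671), "U/L": (2328, 891), "Multiple": (2057, 1512)}


def tally(bulletin_text):
    """Per section: (all entry lines, entry lines not ending in "(Updated)")."""
    counts, section = {}, None
    for raw in bulletin_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in SECTION_HEADINGS:
            section = SECTION_HEADINGS[line]
            counts.setdefault(section, [0, 0])
            continue
        if section is None:  # ignore any preamble before the first heading
            continue
        counts[section][0] += 1
        if not UPDATED_RE.search(line):
            counts[section][1] += 1
    return {k: tuple(v) for k, v in counts.items()}


def share(counts, section, excluding_updated):
    """Fraction of all entries charged to `section` under one counting method."""
    col = 1 if excluding_updated else 0
    total = sum(v[col] for v in counts.values())
    return counts[section][col] / total if total else 0.0
```

On alanw's figures the Unix/Linux share drops from about 45% of 5198 lines to about 29% of the 3074 lines that remain once "(Updated)" re-issues are dropped.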

    1. Re:Axe Grinding by ginotech · Score: 5, Insightful

      That is messed up. You're right, simply updating a vulnerability doesn't make it a new one. You know why Linux and co. have more updated ones, though? Because people can actually see the bugs in the code!

    2. Re:Axe Grinding by click2005 · Score: 5, Interesting

      Where is the mention of seriousness of the flaws? How many allow root access or something else serious/critical instead of "clicking this button makes the tool tab disappear" or something.

      They also fail to mention that a lot of these flaws are not in the OS itself (or essential components) but in 3rd party software.

      A lot of the software isn't even included in a standard installation.

      --
      I am a free slashdotter. I will not be modded, blogged, DRM'd, patented, podcasted or RFID'd. My life is my own.
  2. Explorer vs Firefox by dynamo52 · Score: 5, Funny

    Firefox: 1
    Explorer: 45
    Explorer wins!

    --
    Like this comment? I accept Bitcoin! - 153sc8UUBXyp12ofQqfAWDmJrzyiKCYC1x
  3. Re:The state of security by canuck57 · Score: 5, Interesting

    For God's sake, if you're not writing an operating system you have no business using C. Read my lips: YOU CAN'T WRITE SECURE C.

    I beg to differ, C can be really secure if written that way. The problem comes in that most people do not know how C works inside, yet they code something. Then of course to your next point:

    Code reviews may help but they won't remove everything.

    This would solve a lot of issues. How many environments routinely run bounds checking and code reviews for functionality AND security? How many people who really understand C reviewed the code?

    And security problems are not just C problems; any language like Java, .NET, PHP, C# can also have their issues. CERT and others concentrate on the operating systems that we all use but generally skirt application security, which can be very bad. Job schedulers written in Java that allow root access, data warehouses that give up encoded (but not encrypted) UIDs/passwords over the net, the list is long. And how many people use unencrypted telnet/ftp/imap/pop3 even though secure options exist? I know senior NT and UNIX admins that don't know what a key pair is, let alone what a certificate chain is. But they have a half dozen certifications.

    But secure code begins with its priority, in design, and takes more time to code no matter what language you use. Having knowledgeable coders helps a lot. But we are in a day and age where we only want cheap coders. And here is a hint: cheap coders are never good coders or they would not be cheap. Therein is the issue: more time is something people do not want to spend, either in training, coding or review.