Slashdot Mirror


Microsoft Escapes Kaspersky's Top 10 Vulnerabilities List

An anonymous reader writes "Security firm Kaspersky has released its latest IT Threat Evolution report. There were some interesting findings in the report, as always, but the most interesting thing that stuck out was all the way at the bottom: 'Microsoft products no longer feature among the Top 10 products with vulnerabilities. This is because the automatic updates mechanism has now been well developed in recent versions of Windows OS.'"

21 of 112 comments

  1. In other news MicroSoft purchased security firm... by Anonymous Coward · · Score: 2, Funny

    And in other news MicroSoft purchased security firm Kaspersky for undisclosed billions of dollars in gold...
    [/humor] - just kidding!

  2. Surprised? by Horshu · · Score: 3, Interesting

    Less surprising is that the top vulnerabilities are Oracle's Java and Adobe products. In fact, Adobe can claim 5 of the top 10. Too bad I still have Reader and Flash on my system, but Java was purged from my system about a week after I stopped doing Java development.

    1. Re:Surprised? by Colonel+Korn · · Score: 5, Insightful

      Less surprising is that the top vulnerabilities are Oracle's Java and Adobe products. In fact, Adobe can claim 5 of the top 10. Too bad I still have Reader and Flash on my system, but Java was purged from my system about a week after I stopped doing Java development.

      Just to reinforce the picture of Java as crapware, it blows my mind that Oracle packages shit like the Ask Toolbar in the regular security updates and you have to uncheck a box in order to prevent its installation. Oracle is a Zynga-level company.

      --
      "I zero-index my hamsters" - Willtor (147206)

    2. Re:Surprised? by Deathlizard · · Score: 2

      I'll at least say that Adobe is getting it. All of their newest versions of reader and Flash have the option to automatically update without prompting.

      Oracle has no clue. If anyone reading this works for Oracle, I want you to do the following. Also, If you know someone who works for Oracle. Please forward this to them and ask them kindly to follow the instructions below.

      1) Walk into the office of the person who writes the update system for Java.
      2) Scream at the top of your lungs "AUTOMATICALLY INSTALL UPDATES WITHOUT PROMPTING!!"
      3) Kick person as hard as you can in the Nether Regions.
      4) Repeat step 2 and 3, but Scream "AUTOMATIC 64Bit JAVA UPDATER" Instead.
      5) Repeat entire process daily until projects mentioned in #2 and #4 are completed.

      Either the fear of getting kicked in the beanbag will motivate the person to make an update process that actually works, or the replacement coder hired to fill in for said worker due to work related groin injuries will.

    3. Re:Surprised? by malakai · · Score: 4, Interesting

      They still do it. See here: http://www.java.com/en/download/faq/ask_toolbar.xml
      From Java.com:

      The Ask Toolbar is integrated with the Java download. During the installation of Java, users are presented with an option of downloading the Ask Toolbar

      Also, although it's fixed now, for a time, you couldn't direct link to the Win x64 JRE. It forced you through a page that would check your browser and give you a x32 if your browser was 32bit. I used to have to fire up IE 64 on Server 2008 to grab a JRE to install on my 64bit OS.

    4. Re:Surprised? by Jesus_666 · · Score: 2

      Given that the JRE comes with a complimentary browser toolbar that you have to manually uncheck in the installer (for each update) and that Flash can't be installed without closing every browser, I want neither of those components to automatically update itself. Asking me is fine but as long as their update routines want to install crapware (or require manual intervention in the case of Adobe) fully automatic updates don't seem like a particularly good idea.

      --
      USE HOT GRITS WITH STATUE OF NATALIE PORTMAN (NAKED AND PETRIFIED)

    5. Re:Surprised? by Blakey+Rat · · Score: 3, Interesting

      I'll at least say that Adobe is getting it. All of their newest versions of reader and Flash have the option to automatically update without prompting.

      It claims to. I've never seen it actually successfully pull it off.

      Even worse, it only seems to even *check* for updates when I reboot-- so like maybe twice a month, max.

  3. Apple Shows Up Twice? by jarich · · Score: 3, Interesting

    Looks like MS is being dethroned. Between Apple, Oracle, and Adobe it's not looking good.

  4. Fluff. by bmo · · Score: 3, Informative

    This article is nothing but Softie cheerleading without any meat. You have to go to the report itself for any real facts.

    Indeed, this paragraph explains *why* Java exploits are common in the wild.

    Java vulnerabilities were exploited in more than 50% of all attacks. According to Oracle, different versions of this virtual machine are installed on more than 1.1 billion computers. Importantly, updates for this software are installed on demand rather than automatically, increasing the lifetime of vulnerabilities. In addition, Java exploits are sufficiently easy to use under any Windows version and, with some additional work by cybercriminals, as in the case of Flashfake, cross-platform exploits can be created. This explains the special interest of cybercriminals in Java vulnerabilities. Naturally, most detections are triggered by various exploit packs.

    In other words, if you do auto-updates of java and stuff like it, you are far less vulnerable. I don't think Windows even has a facility to do this, one must roll one's own for each package.

    Keeping up to date with Oracle Java on Debian style systems:

    http://www.webupd8.org/2012/09/install-oracle-java-8-in-ubuntu-via-ppa.html

    --
    BMO

  5. Re:Windows is no longer relevant by jones_supa · · Score: 5, Insightful

    Windows 7 is the best desktop OS. Secure enough, runs fast, smooth, stable, and all software and hardware works. OSX is pretty good too, but you have to buy expensive hardware to get it, and the software selection (especially regarding games) is more limited.

  6. auto-updates of java by Tim+Ward · · Score: 4, Informative

    But you can't do auto-updates of Java, otherwise other stuff on your machine stops working.

    Java is sufficiently flaky that it's very common for particular applications to need particular versions very carefully installed and configured, so you end up with several versions on your machine - allowing auto-update is a recipe for utter chaos.

    1. Re:auto-updates of java by Carcass666 · · Score: 4, Informative

      But you can't do auto-updates of Java, otherwise other stuff on your machine stops working.

      Java is sufficiently flaky that it's very common for particular applications to need particular versions very carefully installed and configured, so you end up with several versions on your machine - allowing auto-update is a recipe for utter chaos.

      This. For those running eBusiness Suite who also have to use sites with applets, companies are caught between the rock of having to update Java to keep your browsers happy and the hard place of incompatibility of applications with newer versions of Java. Yes, you can load multiple versions of Java, but keeping things automatically updated, and keeping each application/browser using the correct JVM? Ouch. The recent issues over the past few months with poorly executed changes in the security model (broken applets that leverage AJAX), Apple's insistence (now abandoned) on distributing its own, outdated Java, and the mediocre UI stack make Java on the desktop a nightmare. I love my glassfish servers, but Java needs to be abandoned on the desktop. I think most people have given up on "write once, run anywhere"; they would settle for "write once, run consistently". The Java brand suffers because of the desktop nonsense, which is a shame because it is so powerful and useful on servers.

    2. Re:auto-updates of java by jbengt · · Score: 4, Informative

      #Java is sufficiently flaky that it's very common for particular applications to need particular versions very carefully installed and configured . .

      Exactly. I do work for a client that uses Primavera - which we have to access thru a browser for all records and communication on their construction projects. A recent update to their installation required us to install a very particular Java version that is not at all up-to-date or secure, fuck whatever else we might need Java for. The kicker is that both Java and Primavera are Oracle products.
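
Added example, not part of the thread and not Oracle's or Debian's tooling: the situation described in this thread (a line-of-business application pinning an old JRE while the browser needs the current one, and comment 4's point that vulnerability lifetime grows when updates are on demand) is at least manageable if you can see which runtimes are installed and which sit behind a chosen baseline. The POSIX shell script below parses Java version strings such as `1.7.0_09` into comparable keys and flags the outdated ones. The inventory paths and versions in it are constructed sample data; on a real Debian-style system you would build the list from `update-alternatives --list java` and each binary's `-version` output instead.

```shell
#!/bin/sh
# Added example, not code from the Slashdot thread or from Oracle.
# Inventories installed Java runtimes and flags those older than a baseline.
# All paths and version strings below are constructed sample data.

# Turn a Java version string ("1.7.0_09", "1.6.0_37", "9.0.1") into one
# sortable integer: major*1000000 + minor*10000 + update.
java_version_key() {
    ver="$1"
    rest="${ver#1.}"              # drop the legacy "1." prefix (Java 8 and older)
    major="${rest%%.*}"
    tail="${rest#*.}"
    minor="${tail%%[._]*}"
    case "$tail" in
        *_*) update="${tail#*_}" ;;
        *)   update=0 ;;
    esac
    # strip leading zeros: "09" would otherwise be read as an octal literal
    update=$(printf '%s\n' "$update" | sed 's/^0*//')
    [ -n "$update" ] || update=0
    echo $(( major * 1000000 + minor * 10000 + update ))
}

# Read "<path> <version>" lines on stdin and print OUTDATED or OK for each,
# comparing against the baseline version given as $1.
check_java_inventory() {
    basekey=$(java_version_key "$1")
    while read -r path ver; do
        [ -n "$path" ] || continue
        if [ "$(java_version_key "$ver")" -lt "$basekey" ]; then
            echo "OUTDATED $path $ver"
        else
            echo "OK $path $ver"
        fi
    done
}

# Constructed sample inventory: roughly what `update-alternatives --list java`
# combined with each binary's `-version` output might look like on a box
# carrying several JREs, one of them pinned by a line-of-business application.
SAMPLE_INVENTORY='/usr/lib/jvm/java-6-oracle/bin/java 1.6.0_37
/usr/lib/jvm/java-7-oracle/bin/java 1.7.0_09
/opt/lob-app/jre/bin/java 1.6.0_20'

# Number of sample runtimes older than the baseline given as $1.
count_outdated() {
    printf '%s\n' "$SAMPLE_INVENTORY" | check_java_inventory "$1" | grep -c '^OUTDATED' || true
}

# Stand-alone run: report the sample inventory against a constructed baseline.
printf '%s\n' "$SAMPLE_INVENTORY" | check_java_inventory 1.7.0_09
```

The key function deliberately accepts both the pre-9 `1.x.y_NN` form and the newer `x.y.z` form, so the same check keeps working after the version scheme changed; a runtime that the report shows as OUTDATED but that a pinned application requires is exactly the exposure the thread is complaining about, and the place to start when deciding what to isolate.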

  7. Re:Windows is no longer relevant by cvtan · · Score: 5, Funny

    You are not supposed to do developing at all. Use your smartphone to watch TV and movies as God intended.

    --
    Sorry, but gray text on gray background is making my eyes bleed.

  8. Re:Windows is no longer relevant by Sir_Sri · · Score: 5, Interesting

    This is one of those things that will be hard to judge.

    First off, there are more android installs than iOS, and a lot of them are older versions which aren't getting updates etc. I see what Google et al. are doing but that market fragmentation will eventually be a security nightmare.

    Secondly, MS moves something like 250 million copies of windows a year, and yes, turnover is going down, but that means there are still a billion windows PCs in the wild. The smartphone market has much higher turnover, in part because of carrier subsidies and the noticeable performance improvements still happening, and in part because cell phones are just much more likely to physically fail than a desktop, so I would be surprised if there are 300 million iOS devices in the wild at all. Officially they've sold 400 million iOS devices (http://news.cnet.com/8301-13579_3-57511323-37/apple-by-the-numbers-84m-ipads-400m-ios-devices-350m-ipods-sold/) through June, but a LOT of those are replacements for older iOS devices at this point (it would be a bit like MS talking about how many copies of windows it has sold since 2007 versus how many are actually in use).

    Lastly, a lot of mobile devices may have vulnerabilities that can be exploited but that don't put users at risk because users don't behave in a way that exposes them to much risk. If you aren't regularly grabbing new apps, or trying to click links in e-mails or the like, well, you're not a power user but you're not at a great deal of risk either. The only person on an island doesn't really gain much by locking their door sort of thing. And we all know hackers are after things worth money. Desktops are worth money, banking information is worth money, (and banking is becoming more popular on smartphones to be sure), pictures of naked women are worth money (and those are certainly on phones....), but it's hard to know if hackers, especially serious ones, are going to refocus on desktops, because now if you have a desktop you're probably a serious productivity person, which means you have something worth stealing.

  9. Re:Windows is no longer relevant by ILongForDarkness · · Score: 4, Interesting

    Well to be fair, for the majority of /. readers we aren't in the cheap desktop market. For one reason or another we'll find a way to drop 2k+ on our laptops and desktops. We're devs, or gamers, or video processing nerds, or guys that measure their worth by their massive stash of pirated material and seed ratio etc. Either way we seem to all want some combination of SSD, big disk capacity, massive monitor, top of the line CPU, etc. Apple gear might not be great value but they don't target the low end of the market and we generally aren't there anyways.

  10. Re:Windows is no longer relevant by Luckyo · · Score: 3, Informative

    Not really, no. My current gaming rig cost me about 800€, my laptop was 350€ and my smartphone was 100€ (from store, not operator, no subsidy).

    Quite a few of us like bang for a buck, rather than bang at any cost.

  11. Re:Windows is no longer relevant by ILongForDarkness · · Score: 2
  12. No, they're not getting it... by Aphrika · · Score: 3, Interesting

    They don't understand that in businesses, you don't run users as admins, which is what the Adobe Updater appears to require for autoupdates.

    What they need to do is bring out a decent admin tool like WSUS for their products which enables centralized administration. Ditto Apple, Firefox, Java and a truckload of other software that would probably have a bigger market share if they just understood that where business is concerned with patching and security, Microsoft 'just gets it'. That's one of the key reasons why IE is the business browser of choice, because patching it is easy and quick, not convoluted and frustrating.

    That said, it is possible to centrally manage Macs, to a degree...

    1. Re:No, they're not getting it... by random_nb · · Score: 2

      Reader's automatic updater works without admin rights on Vista or newer, but requires a background service. Flash Player's works on XP or newer without admin rights, and fires from Windows Task Scheduler just like Google Chrome's.

  13. Windows safer says Microsoft partner .. by dgharmon · · Score: 2, Insightful

    "Microsoft products no longer feature among the Top 10 products with vulnerabilities"

    "Kaspersky Lab is a Microsoft Gold Certified Security Solutions Partner and is currently working on several joint projects with Microsoft". link

    --
    AccountKiller