I was actually surprised at who the top three were. They weren’t the three usual suspects. But in the case of the top two, they did, to their credit, roll out fixes within 30 days of disclosure.
So now that I’m killing you with suspense….
The gold star goes to Google Chrome, with 291 vulnerabilities discovered and fixed in 2012.
You didn’t see that coming, did you?
The silver star goes to Mozilla Firefox, with 257 vulnerabilities discovered and fixed in 2012.
Yes, another surprise.
And the bronze star, with 243 vulnerabilities discovered and fixed, was….
Not an Adobe product. Not a Microsoft product. And not an Oracle product, either.
It was Apple iTunes, with 243 vulnerabilities.
At #4, Adobe made its first appearance with Flash Player and a surprisingly low 67 vulnerabilities, narrowly beating out Oracle's infamous Java JRE with 66. Adobe AIR grabbed the #6 slot with 56, and then Microsoft made its first appearance at #7, with Windows 7.
Rounding out the top 10, we have Adobe's infamous Acrobat Reader, with 43 vulnerabilities, Internet Explorer with 41, and Apple QuickTime with 29.
Keep in mind this is only the quantity, not the severity. If these scores were weighted by severity, the results would probably be different.
Now let’s talk about some lessons learned.
The first lesson is that the lighter the footprint you put on your servers, the less painful monthly maintenance will be. For the sake of argument, we'll assume that Windows Server has a comparable number of vulnerabilities to the desktop version. If you add up Windows, Internet Explorer, the .NET Framework, and XML Core Services, you get a total of 106 vulnerabilities. Most servers don't need any more than that, and it's questionable whether many of them actually need even that. Internet Explorer is optional on servers now, and there's really no reason for your domain controller to be browsing the Web, so an infrastructure server like a DC could have had half that number of vulnerabilities. That's good.
Now here’s the bad news. In the middle of the previous decade, I was using a wonderful tool called Shavlik Hfnetchk (later simply called Netchk) that pushed out Microsoft, Adobe, Mozilla, and pretty much every other update you could think of. It gave you a great deal of control too. I usually got approval to patch sometime on Friday afternoon, so I would push out the updates that afternoon, give the system all weekend to get the stuff into place, and I would schedule the first round of reboots to happen on Monday morning. I’d schedule a different round each day of the week. And I could cancel them on very short notice–minutes, on a bad day. With that tool, I was doing the work that used to take four people to accomplish manually, and I was doing it faster. I always gave myself a full week to patch our horde of 250-280 servers, but usually I got it done by mid-day on Wednesday.
Then Microsoft’s free WSUS became usable. Not great, but usable. The problem with it was that it only updates Microsoft products. But it’s free, so that’s the direction the industry went. We switched too. WSUS slowed me down, because its scheduling wasn’t anywhere near as powerful. And it also didn’t help me with the non-Microsoft products.
I argued that Netchk was worth paying for, but lost the argument.
The argument needs to be revisited. In 2009, Microsoft patches constituted the majority of what I pushed out. In 2012, that's no longer true. So many organizations may have a false sense of security if they are relying solely on WSUS, especially on the desktop, which is where the bad guys are likely to make their first infiltration. It's usually easier to attack the desktop and then jump over to the servers than to go directly after the servers.
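Here, as an added example that is not from the original post, from Shavlik, or from Microsoft, is a PowerShell script that puts both lessons into practice: it inventories what is actually installed on a box (the footprint argument) and flags everything WSUS will never touch (the blind-spot argument). It assumes two things worth stating: that the Uninstall registry hives are a good-enough software inventory, and that "publisher name starts with Microsoft" is a usable stand-in for "in the Microsoft Update catalog". The product names in the watch list are substring patterns I chose to match the non-Microsoft entries in the 2012 top 10 above; adjust them for your environment.

```powershell
# Added example (not from the original post or any vendor tool).
# Inventories installed software and flags what WSUS will not patch.
# Run in an elevated PowerShell session; for a fleet, wrap the calls
# in Invoke-Command against a list of computer names.

function Get-InstalledSoftware {
    # Native 64-bit, 32-bit-on-64-bit (WOW6432Node), and per-user installs
    # (Chrome and some other products install under HKCU for a single user).
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName } |
        ForEach-Object {
            [pscustomobject]@{
                Name      = $_.DisplayName
                Version   = $_.DisplayVersion
                Publisher = $_.Publisher
            }
        } |
        Sort-Object Name -Unique
}

function Get-InstalledServerFeatures {
    # Windows Server only: the roles and features currently installed, which is
    # the "footprint" you are paying for every patch cycle. Returns nothing on a
    # desktop OS, where the ServerManager module is not available.
    if (Get-Module -ListAvailable -Name ServerManager) {
        Import-Module ServerManager
        Get-WindowsFeature | Where-Object { $_.Installed } |
            Select-Object Name, DisplayName
    }
}

function Get-WsusBlindSpots {
    param(
        [pscustomobject[]] $Software = (Get-InstalledSoftware),
        # Substring patterns for the non-Microsoft products in the 2012 top 10.
        # Assumption: these match the DisplayName strings the installers write.
        [string[]] $WatchList = @('Google Chrome', 'Mozilla Firefox', 'iTunes',
                                  'Adobe Flash Player', 'Java', 'Adobe AIR',
                                  'Adobe Reader', 'QuickTime')
    )
    foreach ($item in $Software) {
        # Heuristic (assumption): WSUS can only deliver Microsoft-published updates.
        $isMicrosoft = $item.Publisher -like 'Microsoft*'
        $onWatchList = $false
        foreach ($pattern in $WatchList) {
            if ($item.Name -like "*$pattern*") { $onWatchList = $true; break }
        }
        [pscustomobject]@{
            Name        = $item.Name
            Version     = $item.Version
            Publisher   = $item.Publisher
            WsusCovered = $isMicrosoft
            Top10Of2012 = $onWatchList
        }
    }
}

# Usage: summarize the gap, then list what WSUS is not patching, top-10 items first.
$inventory = @(Get-WsusBlindSpots)
$blind     = @($inventory | Where-Object { -not $_.WsusCovered })
$top10     = @($blind | Where-Object { $_.Top10Of2012 })
"{0} products installed, {1} outside WSUS coverage, {2} of those in the 2012 top 10" -f `
    $inventory.Count, $blind.Count, $top10.Count
$blind | Sort-Object Top10Of2012 -Descending |
    Format-Table Name, Version, Publisher, Top10Of2012 -AutoSize

# Footprint check for the first lesson: everything a server is carrying.
Get-InstalledServerFeatures | Format-Table -AutoSize
```

The publisher test is deliberately crude: a few Microsoft-published products are not in the Microsoft Update catalog either, so treat "WsusCovered = True" as "possibly covered" and compare the list against what your WSUS server actually approves. The useful output is the other column: anything with WsusCovered = False is a product whose patch cadence you are managing by hand or not at all, and the version column tells you which it is.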
Not looking at the whole picture always bites you in the end.