I was performing some background research on the number and severity of vulnerabilities produced by Apple, Microsoft and other vendors when I ran across something quite interesting. (BTW – I was researching the issue addressed in this research note for clients — whether or not antimalware software is recommended for enterprise Apple Macintosh endpoints.)
Microsoft, like any other software vendor, has vulnerabilities in its operating system and applications. In sheer quantity, Apple has had more vulnerabilities than Microsoft recently, as shown in data from Secunia, IBM X-Force Labs and others. For example, the following chart comes from Secunia’s Half Year Report 2010.
However, in addition to the number of vulnerabilities, the severity of those vulnerabilities must also be considered, and here the lab data shows an interesting trend. In 2010 (through mid-year), a far larger percentage of the vulnerabilities in Microsoft’s operating system software were rated “critical” or “high” than for any of the other OS vendors. This chart comes from IBM’s X-Force 2010 Mid-Year Trend and Risk Report.
With Microsoft’s Security Development Lifecycle (SDL) in place and continually refined over the past 7 years, why does the OS software Microsoft is producing contain a significantly larger percentage of security vulnerabilities rated critical or high while that percentage is decreasing for other OSs?
Here are some possibilities:
- The bad guys are getting better at finding more serious vulnerabilities on Windows. It’s possible, but wouldn’t they be getting better equally across all OS platforms? Discovery rates reflect how much attention attackers and researchers pay to a platform, not only how many bugs it contains, and with its dominant market share Windows is clearly the favorite target. Perhaps the bad guys are getting the upper hand.
- The SDL is losing its effectiveness in finding the really difficult bugs. As the bad guys continue to evolve their abilities, the tools that enterprises use to detect vulnerabilities in code must also continually evolve. Vendors of commercial solutions such as HP Fortify, IBM, Veracode, Cenzic and others invest a significant amount of money in evolving their tools. Many of the tools that Microsoft uses internally to detect vulnerable code are ‘home grown’.
- Diminishing returns from developers. Microsoft was an early SDL adopter. Even augmented with tools, there may be only so much that developers can catch before diminishing returns set in.
- Less emphasis on the SDL. I haven’t seen any evidence of this, but it is possible that Microsoft’s need to innovate quickly against Apple, Google and others has taken priority.
- Microsoft shipped a lot of new products in the late 2009/2010 timeframe, so more critical vulnerabilities are to be expected: Windows 7, Windows Server 2008 R2, Office 2010, Exchange 2010, SharePoint 2010 and so on. Note, however, that the data in the second figure is for the OS only, and Windows 7 wasn’t entirely new – it was a facelift of Windows Vista with minimal kernel-level changes. Why would such a large percentage of critical and high vulnerabilities appear in an existing code base?
- IE 8 was introduced and is treated as “part of the OS”. Since IE 8 is counted as part of the Windows OS, and since it was new and included with Windows 7, this could skew the results compared with other OSs where the browser is not counted as part of the OS. Still, the percentages should help to compensate for volume, though not entirely: a browser’s bugs are disproportionately rated critical or high because they are reachable remotely through web content, so including one shifts the severity mix as well as the raw count.
I’m sure there are other possibilities. I’d be interested in what others believe might be the cause of this.