A decade of vulnerabilities and predictions for 2012

Since 2001, Spanish security firm S21sec has been compiling a database of vulnerabilities detected by its own researchers and reported by a great number of sources, including software developers, vulnerability researchers such as Secunia and the full disclosure mailing list Bugtraq.

The database currently includes more than 74,000 flaws affecting more than 19,000 products, and the company has decided to share (via Google Translate) some statistics showing which operating systems, browsers, mobile and server OSes, and other popular software have more than an average share of vulnerabilities.

They first showed that between 2001 and 2011, 2006 was the year when the greatest number of vulnerabilities was detected and/or reported. Since then, there has been a slow but steady decline.

All in all, some 7,000 crucial vulnerabilities were registered in 2011, and they are distributed as follows:

In the browser category, Chrome vulnerabilities have been the most numerous (54%), followed by those discovered in Firefox (18%) and Opera (10%). The result is not surprising, given that Chrome’s user base has been steadily widening.

When it comes to client operating systems, the various Windows flavors (7, XP, Vista) accounted for 85 vulnerabilities each. Mac OS X followed with fewer than 70 vulnerabilities, and Linux-based Ubuntu, Fedora and SUSE with fewer than five each.

The situation for server OSes mirrored the above one – flaws in Windows Server 2003 passed the 100 mark, those found in Mac OS X Server numbered fewer than 70, and FreeBSD, OpenBSD, HP-UX and IBM AIX vulnerabilities were practically nonexistent.

Of course, when considering these numbers and those related to client OSes, one must take into consideration the fact that Windows products are by far the most used.

The situation with mobile operating systems is a bit unexpected. Some 25 iOS vulnerabilities were detected, while fewer than 10 Android ones were discovered – even though Android is becoming a more popular choice by the day.

Finally, Adobe’s Acrobat and Reader products were found to be the most flawed in the major applications and plugins category. They are followed by Oracle’s 10g and 11g databases and Apple’s QuickTime.

The S21sec team concludes that as the number of mobile devices rises, 2012 will be a year in which Android and iOS vulnerabilities are the most targeted. They also say that if the 2011 numbers are anything to go by, this year will be one of remote exploits and sophisticated Trojans designed to hit highly specific targets.