February 25, 2013, 12:51 PM — In a look at the number of vulnerabilities recorded over 25 years in software products and open source, a researcher at Sourcefire has determined that Microsoft Windows XP and the Mozilla Firefox browser stand out as the two with the largest number of high-severity vulnerabilities.
Windows XP has had 453 while Firefox has had 433 vulnerabilities rated high and critical based on the Common Vulnerabilities and Exposures (CVE) database and the second source for the statistics, the National Vulnerability Database from the National Institute of Standards and Technology (NIST). High-severity vulnerabilities mean attackers can potentially fully compromise the user's machine. The total number of vulnerabilities for all the products and open-source software that has accumulated over 25 years has hit 50,000, according to Sourcefire, which is discussing the results of its research at the RSA Conference this week.
In the 25 years of recorded vulnerabilities examined this way, there was peak of 6,612 vulnerabilities in 2006 but the worst year overall for high-severity ones was 2007 at 3,159 out of a total of 6,518, says Dr. Yves Younan, senior research engineer on Sourcefire's vulnerability research team.
There was a notable decline in annually-recorded vulnerabilities until 2010. In 2012, a total of 5,281 vulnerabilities were recorded. The good news is that for the first time ever, high-severity vulnerabilities only make up 33% of the vulnerabilities assigned CVEs; in the previous decade the average was 45%.
When it comes to smartphones, "the Apple iPhone by far has the most vulnerabilities reported for it," Younan says. The iPhone has seen 210 vulnerabilities while Google Android logs in at 24, Windows Mobile at 14 and BlackBerry at 11.
When it comes to the type of vulnerabilities in general for everything, the category of "buffer overflows" is the most predominant at 7,006 occurrences, with cross-site scripting a close second. Buffer overflows are also more likely to have a high-severity rating, with catastrophic consequences leading to wholly compromised networks after an attack. Last year, though, "access-control issues reigned supreme."