Windows 8 is the most vulnerable Windows OS -> you can thank Adobe Flashfor that

X

XP Guy

If you are wondering why Windows 8 tops the charts, even though
Microsoft touts the platform as more secure than its predecessors (don't
they always) - the answer is quite simple; Flash. Because Flash is now
baked into the modern instance of IE, any Flash vulnerability can now be
tied into Windows 8 as well.

http://www.neowin.net/news/windows-8-is-the-most-vulnerable-windows-os-you-can-thank-flash-for-that

http://www.neowin.net/images/galleries/1821/vultop.png

-----------------------------------------------------------
Breakdown of end-point vulnerabilities in 2013

XP Vista Win-7 Win-8
Operating system 99 102 102 156
Micro$oft Programs 192 192 192 192
Third-party programs 914 914 914 914

Total 1204 1206 1208 1261
----------------------------------------------------------

Approximately one-third of the vulnerabilities of the Windows 8.x OS for
2013 is probably attributed to a single program that until Windows 8 was
an external program (Flash player) and is still in a way an external
program since "Microsoft is not directly responsible for the Flash
code".

And for older OS, updates for that external program will continue to
come directly from Adobe regardless of which older OS you happen to be
running, even if you are running an "unsupported" XP.

The vast majority of the vulnerabilities for all OS are attributed to
programs other than the OS, and are constant across all OS. The OS is
only "responsible" for less than 10%. And since the OS can be
"shielded" by means of routers, firewalls, anti-virus and other
anti-malware software, and user attention to what the heck they are
doing, then the choice of OS, from a security perspective, becomes more
and more a moot point.

Because of this tight integration of Flash into IE, for those that think
that IE8 (the last Internet Exploiter version to run on XP) is less
secure than IE 11 for windoze 8 - think again.

=======================
After 7+ years of retail availability (1999 - 2006):

Vulnerability Report: Microsoft Windows 98 Second Edition

http://secunia.com/advisories/product/13/?task=advisories

Affected By:
33 Secunia advisories
22 Vulnerabilities

Unpatched: 9% (3 of 33 Secunia advisories)

The most severe unpatched Secunia advisory affecting Microsoft Windows
98 Second Edition, with all vendor patches applied, is rated Less
critical.

======================

After 1.5 years of retail availability:

Vulnerability Report: Microsoft Windows 8

http://secunia.com/advisories/product/42951/?task=advisories

Affected By:
68 Secunia advisories
200 Vulnerabilities

Unpatched: 1% (1 of 68 Secunia advisories)

The most severe unpatched Secunia advisory affecting Microsoft Windows
8, with all vendor patches applied, is rated Not critical
=======================

Now, I could be _really cruel_ and post the number of advisories,
vulnerabilities and especially unpatched vulnerabilities for Windoze 7,
but you can laugh your ass off by looking at them here:

http://secunia.com/advisories/product/27467/?task=advisories

Meekro$oft's motto: If it works, it's not complicated enough.

Macro$haft: The bloat and exploits go in before the name goes on.

Windows NT/2k/XP/7/8 -> Like the Emperor's new clothes - woven from the
finest code, the most expensive threads.

The Windows NT line of Operating systems: Are we secure yet?

Windoze xp (scratch that)
Windows Vista (no wait)
Windows 7 (hold on)
Windows 8: -> How do you want to be hacked today?
 
P

Paul

XP said:
If you are wondering why Windows 8 tops the charts, even though
Microsoft touts the platform as more secure than its predecessors (don't
they always) - the answer is quite simple; Flash. Because Flash is now
baked into the modern instance of IE, any Flash vulnerability can now be
tied into Windows 8 as well.

http://www.neowin.net/news/windows-8-is-the-most-vulnerable-windows-os-you-can-thank-flash-for-that

http://www.neowin.net/images/galleries/1821/vultop.png

-----------------------------------------------------------
Breakdown of end-point vulnerabilities in 2013

XP Vista Win-7 Win-8
Operating system 99 102 102 156
Micro$oft Programs 192 192 192 192
Third-party programs 914 914 914 914

Total 1204 1206 1208 1261
----------------------------------------------------------

Approximately one-third of the vulnerabilities of the Windows 8.x OS for
2013 is probably attributed to a single program that until Windows 8 was
an external program (Flash player) and is still in a way an external
program since "Microsoft is not directly responsible for the Flash
code".

And for older OS, updates for that external program will continue to
come directly from Adobe regardless of which older OS you happen to be
running, even if you are running an "unsupported" XP.

The vast majority of the vulnerabilities for all OS are attributed to
programs other than the OS, and are constant across all OS. The OS is
only "responsible" for less than 10%. And since the OS can be
"shielded" by means of routers, firewalls, anti-virus and other
anti-malware software, and user attention to what the heck they are
doing, then the choice of OS, from a security perspective, becomes more
and more a moot point.

Because of this tight integration of Flash into IE, for those that think
that IE8 (the last Internet Exploiter version to run on XP) is less
secure than IE 11 for windoze 8 - think again.

=======================
After 7+ years of retail availability (1999 - 2006):

Vulnerability Report: Microsoft Windows 98 Second Edition

http://secunia.com/advisories/product/13/?task=advisories

Affected By:
33 Secunia advisories
22 Vulnerabilities

Unpatched: 9% (3 of 33 Secunia advisories)

The most severe unpatched Secunia advisory affecting Microsoft Windows
98 Second Edition, with all vendor patches applied, is rated Less
critical.

======================

After 1.5 years of retail availability:

Vulnerability Report: Microsoft Windows 8

http://secunia.com/advisories/product/42951/?task=advisories

Affected By:
68 Secunia advisories
200 Vulnerabilities

Unpatched: 1% (1 of 68 Secunia advisories)

The most severe unpatched Secunia advisory affecting Microsoft Windows
8, with all vendor patches applied, is rated Not critical
=======================

Now, I could be _really cruel_ and post the number of advisories,
vulnerabilities and especially unpatched vulnerabilities for Windoze 7,
but you can laugh your ass off by looking at them here:

http://secunia.com/advisories/product/27467/?task=advisories

Meekro$oft's motto: If it works, it's not complicated enough.

Macro$haft: The bloat and exploits go in before the name goes on.

Windows NT/2k/XP/7/8 -> Like the Emperor's new clothes - woven from the
finest code, the most expensive threads.

The Windows NT line of Operating systems: Are we secure yet?

Windoze xp (scratch that)
Windows Vista (no wait)
Windows 7 (hold on)
Windows 8: -> How do you want to be hacked today?

Your table of numbers is pleasantly nonsensical. Are you
in effect telling me that the availability of ASLR on the
later OSes, made absolutely no difference to some of these
things ? You're also telling me, that two of the OSes
share so much code, as to be identical. Surely there are
*some* differences, byte for byte, between those
two OSes. The table is convenient, but lacks enough
statistical noise to pass scrutiny.

Windows 8 added an entirely new subsystem (Metro), which,
like other GUI subsystems, is going to have its own issues
and its own bugs. It's not a surprise there are more exploits.
And "features" have always trumped "security", no matter
what century it is. You can't sell a new OS, without some
glossy frosting on top, but at the same time, that frosting
is going to be vulnerable. For the stats to remain
the same or trend downwards, we would need all elements
of the OS to remain static (frozen design intent), plus
rewrite them until they're "clean". Like that would
ever happen.

It's a matter of expectations. Is there any reason to
expect things to trend downwards ? The attack surfaces
aren't being removed. They're all still there.

The "more secure" moniker, only refers to adding the
elements of EMET, for what they're worth. Whether it's
NX or ASLR, those technically made the OS a tiny bit
more secure. And to any thinking person, when you
release an OS, the developer has no way of knowing
exactly how vulnerable it really is. Some exploits and
classes of bugs, go back 15 years, and the code in those
likely remains the same.

I would also expect the browser design (sandboxing) to
make some differences. And some of the OSes in the
chart, don't have the availability of the later
versions of Internet Explorer.

I just can't buy that table, as currently being sold.
The table is "constructed" and obviously not measured
as such. The trending would likely have much more
noise in it, to the point of making it hard to
"leap" to any conclusions. But then, that wouldn't
make for a very good rant.

Paul
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Top