Researchers and analysts at Trend Micro just put together their report for the third quarter of 2011 and found that Google had the most reported vulnerabilities of any software vendor, mostly due to Chrome vulnerabilities. This news is doubly difficult for the company when paired with news about the increasing frequency of malware in rogue Android apps.
Chrome Vulnerabilities at Center of Report
Once a quarter, Trend Micro releases a report that looks at the general state of Internet security, focusing on reported attacks or security holes. The analysts also track which software vendors record the highest number of vulnerabilities to help the industry get a handle on any specific platform that may be underperforming. In the third quarter of 2011, Google jumped from second place to first with 82 reported vulnerabilities across its software packages.
Issues with the Chrome browser are indicated as the main reason for Google’s jump to first place, displacing Microsoft, whose reported vulnerabilities dropped to 58. As explained in this V3 article, the increase in Chrome vulnerabilities is probably tied to the browser’s explosion in popularity. Additionally, the rapid release of new Chrome versions leaves little time for exhaustive bug testing, as detailed in the report itself, which can be downloaded from the Trend Micro Web site.
The report also had Oracle in second place with 63 vulnerabilities, but that was mostly due to its acquisition of Sun Microsystems, which was in the list’s top 10 in the second quarter.
Google’s Problems Extend Beyond Chrome
If Chrome vulnerabilities were Google’s only security problem, the situation probably wouldn’t be all that bad. After all, even Trend Micro admits that the Chrome issues were minor, albeit more numerous than Microsoft’s. But both the Trend Micro report and Juniper’s new Malicious Mobile Threat report, which is covered in this CNET article, note that Google’s Android mobile operating system is increasingly the target of malware.
According to the Juniper report, Android malware has increased nearly fivefold since this past July, and with Android gaining worldwide market share as competitors (except for Apple) fall by the wayside, the situation isn’t going to get better anytime soon. Juniper places the blame on the ease with which developers can get their apps onto the Android Market.
Google has relatively little control over what gets posted on the Android Market, and while it does delete malicious apps once those apps are reported, the damage is usually already done. It remains to be seen whether or not Google will adopt a tougher app review process, but without some kind of control being put in place, the issue only looks to get worse.
The one thing to take away from these reports is that every single piece of user-facing IT hardware needs some kind of malware scanner. A few years ago, smartphones were secure enough to not be really worrisome, and alternative browsers were not used frequently enough to be targeted by hackers.
These days, the rapid consumerization of IT gives IT professionals two real choices: lock systems down to prevent malware from arriving in the first place or be proactive in searching out and destroying existing malware and software vulnerabilities. Locking down systems may seem like the obvious choice, but there will always be pushback from employees when they are boxed in, and productivity may suffer as a result.
The key for all IT pros here is to stay vigilant and informed, as hackers will certainly change their tactics as information on their activities comes to light.