IBM names itself worst company for fixing critical software security bugs

August 31st, 2010 by Rahul

IBM’s security researchers seem to have located the problem. And it is IBM.

Last Wednesday, IBM’s X-Force security research team published its twice-annual study tracking the latest vulnerabilities and new attacks online. The report also ranked software companies according to their record of patching known security vulnerabilities in the software they sell. And the results of that ranking look worst for none other than the tech giant that performed the study.

IBM’s report, when it was first released, seemed to cast an unflattering light on some of the company’s competitors: Sun Microsystems–now owned by Oracle–had left unpatched 24% of all the hackable security flaws in the company’s software that were disclosed this year. When IBM filtered those unpatched security flaws by severity, however, Google came out as the least likely to patch critical security bugs in its software that would allow a hacker to completely hijack a target system, leaving 33% of those high severity flaws unpatched over the first half of the year.

Google, however, didn’t take those findings lightly. Instead, it dug into the report’s methodology and found that IBM had come to its conclusions about Google’s patching rate based on just three software bugs. And the one out of those three bugs that IBM had counted as unpatched, it turned out, wasn’t a bug at all. (The study’s error seems to have been based on the researchers’ confusion of a “stack overflow” and a “stack buffer overflow”: the former is exhaustion of the call stack, typically a crash caused by runaway recursion, while the latter is a write past the end of a stack-allocated buffer, the memory-corruption flaw that can let an attacker take control of a program. How silly of them.)

Over the last weekend, IBM quietly released revised findings from the study. Sun and Google have both been acquitted of their lax patching charges, and recounting bugs showed that Microsoft had the worst record for patching flaws of all severities over the last six months.

And who held the record for leaving the most high severity software bugs unpatched? IBM. According to its own study, Big Blue left 29% of its critical software flaws from the last six months without a fix, more than any of the other nine companies it measured. Oracle’s numbers were only slightly better: the company failed to fix 22% of its high severity bugs.

Source: http://blogs.forbes.com/andygreenberg/2010/08/31/ibm-names-itself-worst-company-for-fixing-critical-software-security-bugs/?boxes=Homepagechannels
