Apple, Microsoft and PHP are vulnerable

August 26th, 2008 by Ivo

I recently came across this article:

"Apple, Microsoft, PHP headline IBM's list of most vulnerable software"

This article once again demonstrates the cluelessness that some people have regarding what PHP is. First of all, PHP is not a vendor, so "Apple, Microsoft & PHP" does not make much sense. Furthermore, the only reason PHP even is mentioned in this context is that Joomla, Drupal and WordPress appear in the list. So PHP, a programming language, gets blamed for the security flaws that are in these packages.

With the same data, I might conclude that C is more insecure than PHP, after all there are more C-based vendors/product in the list than PHP products.

But they're not just clueless about PHP, they also list Linux as a Vendor in their top 10 list. Linux is an operating system, not a vendor.

Sometimes I wish these reporters would talk to people that know what their talking about before they write such an article.

6 Responses to “Apple, Microsoft and PHP are vulnerable”

  1. August 26, 2008 at 10:23 am, Federico said:

    Yeah, it’s a marketing technique. The title needs to create some kind of controversy. Don’t forget that PHP is the most popular language on the Web.

    However, seeing Linux and PHP next to the biggest software companies in the world, means that open source is winning.

  2. August 26, 2008 at 1:47 pm, Ken Guest’s online diary » Blog Archive » Is PHP vulnerable software? said:

    [...] to Ivo Jansch, I spotted Matt Assay mentioning in his article on cnet that PHP headlines in IBM’s list of [...]

  3. August 26, 2008 at 3:14 pm, Ivo Jansch’s Blog: Apple, Microsoft and PHP are vulnerable | Development Blog With Code Updates : said:

    [...] mentions an interesting comparison that CNet made on security and levels of vulnerability in a new blog post today. Their article mentions PHP right along side Apple and Microsoft in their list of “most [...]

  4. August 26, 2008 at 4:47 pm, Barry Austin said:

    Guilt-by-association is a common bias I’ve seen in security statistics. For example, vulnerabilities in plugins, widgets etc. that work with WordPress are tallied as “WordPress vulnerabilities”. Likewise, vulnerabilities in PHP applications are counted as “PHP vulnerabilities”. The result is massively inflated numbers and a major hit to the reputation of PHP and open source in general.

    Many security professionals I’ve spoken with have harshly negative reactions to any mention of PHP because of a sloppily applied “bad neighborhood” effect. They just associate PHP with poor security because they’re inundated with security alerts marked “PHP”. This is a major political and branding problem that has already seriously damaged PHP in the marketplace.

  5. August 26, 2008 at 5:25 pm, Ken Guest’s online diary said:

    [...] to Ivo Jansch, I spotted Matt Assay mentioning in his article on cnet that PHP headlines in IBM’s list of [...]

  6. September 08, 2008 at 4:55 am, What a n00b! » Blog Archive » Apple, Linux, and PHP in the Top List of Vulnerable Vendors said:

    [...] Jansch provided a pertinent reply in his blog. He mentioned that since PHP is getting blamed for these vulnerabilities, perhaps we [...]