



To check the effectiveness of a publisher's security efforts, one may search MITRE's CVE list, which gives the number of vulnerabilities and a brief description of each.

For our example we will look at Email client programs: Outlook, Eudora, Opera, and Netscape/Mozilla.

Following the link to http://www.cve.mitre.org/cve/ and entering the application name lists its vulnerabilities. The number of vulnerabilities is a rough estimator of how sensitive designers and coders have been to infosec issues. By entering the names of the common Email clients, Outlook, Eudora, Mozilla/Netscape and Opera, we find:

Email Client Vulnerabilities    No.
Netscape Email                  4
Mozilla                         7
Opera                           8
Eudora                          15
Outlook                         42

The number of vulnerabilities is not an absolute measure of risk, as the vulnerability lists cover different time periods for different products. Also, some clients come integrated with other components, such as Opera, whose vulnerabilities will include those for the Email client and also those for news group handling and web browsing. Opera's vulnerabilities may therefore be overstated compared to those for Outlook or Eudora.

Mozilla should be combined with Netscape for a total of 11 vulnerabilities.

Nevertheless we may observe:

  • Opera and Mozilla/Netscape seem safest, even though both also browse, which likely results in more vulnerabilities than with only an Email client.

  • Eudora has been reasonably to very careful with their designs and implementations over a long time.
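
The counting caveats noted above (different time periods, integrated components, combining Mozilla with Netscape) can be applied when tallying search results. The following Python code is an added example, not part of the original page; the records, the NON_MAIL keyword list and the function name tally are constructed for illustration, and the time span is taken from the matched records themselves.

```python
# Constructed sample records (id, year, description); these are not real CVE entries.
SAMPLE = [
    ("EXAMPLE-0001", 1999, "Outlook runs script in HTML mail without prompting"),
    ("EXAMPLE-0002", 2001, "Outlook address book exposed to mail attachment"),
    ("EXAMPLE-0003", 2002, "Outlook buffer overflow in mail header parsing"),
    ("EXAMPLE-0004", 2000, "Eudora executes attachment via crafted mail link"),
    ("EXAMPLE-0005", 2002, "Eudora long mail header causes crash"),
    ("EXAMPLE-0006", 2001, "Opera browser exposes cookies to another web page"),
    ("EXAMPLE-0007", 2002, "Opera news reader crash on malformed article"),
    ("EXAMPLE-0008", 2002, "Opera mail client opens attachment without warning"),
    ("EXAMPLE-0009", 2000, "Netscape mail password stored with weak encoding"),
    ("EXAMPLE-0010", 2002, "Mozilla and Netscape browser read local files via web page"),
]

# Product family -> search keywords. Mozilla and Netscape are combined, as the page does.
FAMILIES = {
    "Mozilla/Netscape": ("mozilla", "netscape"),
    "Opera": ("opera",),
    "Eudora": ("eudora",),
    "Outlook": ("outlook",),
}

# Assumed keywords marking entries about browsing or news handling rather than Email.
NON_MAIL = ("browser", "web page", "news")


def tally(records, families=FAMILIES):
    """Count keyword matches per family and expose the page's two caveats."""
    stats = {}
    for name, keywords in families.items():
        # A record naming two keywords of one family is still counted once.
        hits = [r for r in records if any(k in r[2].lower() for k in keywords)]
        years = [r[1] for r in hits]
        span = max(years) - min(years) + 1 if years else 0
        non_mail = sum(any(k in r[2].lower() for k in NON_MAIL) for r in hits)
        stats[name] = {
            "count": len(hits),
            "years_covered": span,  # caveat 1: lists cover different periods
            "per_year": round(len(hits) / span, 2) if span else 0.0,
            "mail_only": len(hits) - non_mail,  # caveat 2: integrated components
        }
    return stats


if __name__ == "__main__":
    for name, row in sorted(tally(SAMPLE).items(), key=lambda kv: kv[1]["count"]):
        print(f"{name:18} {row}")
```

Comparing `per_year` and `mail_only` alongside the raw `count` shows how a ranking can shift once coverage period and bundled browser or news components are taken into account.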

Let us focus on Outlook to determine whether there are current vulnerabilities and exploits.

After all, perhaps the vulnerabilities have all been fixed. Perhaps the vulnerabilities were too arcane to be used for exploits.

A fair question to ask is whether old Outlook problems are still endangering users and costing IT departments through current difficulties. If not, we can dismiss Outlook as a problem. Are viruses and worms currently being written for the application?





© copyright James B. Nickson, 2003