Watch out for vulnerabilities in your favorite statistical software packages

This week, SC Magazine reported that IBM has disclosed a vulnerability in certain versions of its SPSS Statistics package, bringing its total to two (just under the wire) in 2015.

In my line of work (IT infrastructure architecture) I hear a lot of things about a lot of things, but security vulnerabilities in statistical software aren’t among them. I wondered whether this is because I haven’t been paying attention, so I did a little digging.

According to CVE Details, the last SAS vulnerabilities were in 2014 (2) and 2008 (4). The R Foundation has had only one since 2008. These numbers seem very small, and on the face of it they make vulnerabilities in statistical software look pretty rare. But are they?

Microsoft has had over 2,500 reported vulnerabilities during that same time period. (And over 4,000 since 1999!) Maybe that’s not a fair comparison, since that’s for 205 different products. Okay. Excel has had 116 reported vulnerabilities since 2008 and 22 in 2015 alone. (Windows 10 had 53 last year.)

Of course, it only takes one incident — one hacker exploiting one vulnerability — to have devastating consequences. So keep those statistical packages up to date, boys and girls.