The Secunia Vulnerability Review offers a view of global vulnerability trends by carefully evaluating the 50 most popular programs on private PCs. These programs are practically everywhere and in many cases are key applications for ordinary IT operations; think of internet browsers or applications like PDF readers.
Data presented in Secunia’s Vulnerability Review 2014 reveal that third-party programs were responsible for 76% of the flaws identified in the 50 most popular programs in 2013.
“Third-party software is issued by a vast variety of vendors. Each vendor has its own security update mechanisms and varying degrees of focus on security. This represents a major challenge to the users of personal computers and administrators of IT infrastructures, because not all vendors offer automated update services and push security updates to their users” states the report.
The analysis is based on a sample of the company’s seven million PSI users; security specialists found 1,208 vulnerabilities in the third-party programs mentioned above, which account for 34% of the 50 most popular programs on private PCs.
“It is one thing that third-party programs are more responsible for the majority of vulnerabilities on a typical PC, rather than Microsoft programs. However, another very important security factor is how easy it is to update Microsoft programs compared to third-party programs. Quite simply, the automation with which Microsoft security updates are made available to end users – through auto-updates, Configuration Management systems and update services – ensures that it is a reasonably simple task to protect private PCs and corporate infrastructures from the vulnerabilities discovered in Microsoft products. This is not so with the large number of third-party vendors, many of whom lack either the capabilities, resources or security focus to make security updates automatically and easily available,” said Secunia CTO, Morten R. Stengaard.
Despite the wide diffusion of Microsoft products, which account for 66% of the Top 50 programs, only 24% of the vulnerabilities in the Top 50 programs in 2013 were related to applications made by the Redmond company.
According to the report, the choice of operating system had a minor impact on the total number of vulnerabilities on a typical endpoint: 8.4% of vulnerabilities were reported in Windows 7. The share of vulnerabilities reported in Microsoft programs went up from 8.4% in 2012 to 15.9% in 2013.
The exploitation of security vulnerabilities represents a serious threat to every computing system and can lead to costly data breaches; just recently Risk Based Security and the Open Security Foundation issued a report confirming that the number of incidents that occurred last year tripled.
To get an idea of the consequences of exploiting well-known vulnerabilities in “common-use” applications, consider the 2013 security breach at the US Department of Energy: it incurred costs of $1.6 million and resulted in the theft of the personal information of 104,000 employees and their families.
We must consider that these vulnerabilities are present not only in the systems in our homes but also in computers within critical infrastructure; this reflection should lead us to treat vulnerability management with care. Our systems have to be carefully assessed, and we must implement an effective and timely patch management policy so that attackers cannot violate our infrastructure. The data on patch management are very interesting: in 2013, 78.6% of all vulnerabilities had a patch available on the day of disclosure, which was possible thanks to increased cooperation between vendors and researchers.
The report also provides data on the number of zero-days disclosed, which is stable compared with the past, and an interesting overview of the vulnerabilities reported in browsers.
Key findings from the study are:
(Security Affairs – Secunia Vulnerability Review 2014, vulnerabilities)