Secunia has recently released its annual study of trends in software vulnerabilities, an interesting report that highlights the impact of flaws in common software and provides useful details on the way bad actors exploit them. According to data provided by the security firm Secunia, the number of web browser vulnerabilities and of zero-day flaws exploited by hackers worldwide increased significantly in 2014.
This happened despite the prompt response of the security community and software vendors, which were able to identify threats early and provide the necessary patches. Secunia revealed that more than 83 percent of the 15,435 vulnerabilities found in 3,870 applications had a fix available from the vendor on the day the flaw was publicly disclosed, a positive trend that marks a clear improvement compared to the past.
“The absolute number of vulnerabilities detected was 15,435, discovered in 3,870 applications from 500 vendors. The number shows a 55% increase in the five year trend, and an 18% increase from 2013 to 2014. Since 2013, the number of vendors behind the vulnerable products has decreased by 11% and the amount of vulnerable products has increased by 22%,” states the report published by Secunia.
The number of zero-day flaws exploited by threat actors worldwide stepped up from 14 in 2013 to 25 in 2015, a significant increase that worries security experts because the exploitation of this type of vulnerability neutralizes the main defense systems, which have no signature or patch to rely on. Another worrying figure is the number of vulnerabilities affecting web browser software, which increased to 1,035 in 2014, up from 728 the prior year.
The study confirmed the effectiveness of the research community, which succeeded in getting vulnerabilities addressed quickly and thereby limited users' exposure to exploitation of the flaws.
“The most likely explanation is that researchers are continuing to coordinate their vulnerability reports with vendors and their vulnerability programs, resulting in immediate availability of patches for the majority of cases,” continues the report.
By analyzing patch management data, the experts discovered that if a patch was not available on the day a flaw was publicly disclosed, its release tended to be long delayed: the percentage of vulnerabilities with a patch ready a month after disclosure rose only to 84.3 percent.
“30 days after day of disclosure, 84.3% of vulnerabilities have a patch available, indicating that if a patch is not available on the first day, the vendor does not prioritize patching the vulnerability,” reads the Secunia report.
Also of interest is the report's detailed analysis of the exploitation of PDF reader software, a very common attack vector because of how widely such software is deployed. According to the data presented in the report, 43 vulnerabilities were discovered in Adobe Reader in 2014.
The report also analyzed the vulnerabilities discovered in open-source software, which represented a serious security issue last year; we all have in mind the effects of the disclosure of the Heartbleed flaw. The use of open-source applications and libraries is widespread, and in most cases they are bundled into a variety of commercial products and solutions, so their security must be carefully addressed.
“Organizations should not presume to be able to predict which vendors are dependable and quick to react when vulnerabilities are discovered in products bundled with open-source libraries,” Secunia said.
I suggest reading the report; I'm sure you will find it interesting.
(Security Affairs – Secunia, vulnerabilities)