Each year, Secunia, a provider of vulnerability intelligence and management tools headquartered in Copenhagen, Denmark, comes out with a Vulnerability Review. The overarching theme of its 2015 Vulnerability Review is there were more vulnerabilities in 2014 than in 2013. “15,435 vulnerabilities across 3,870 applications were recorded in 2014,” mentions the press release. “That’s an 18 percent increase in vulnerabilities compared to the year before.”
“Every year, we see an increase in the number of vulnerabilities discovered, emphasizing the need for organizations to stay on top of their environment,” adds Kasper Lindgaard, director of research and security at Secunia. “IT teams need to have complete visibility of the applications that are in use, and they need firm policies and procedures in place, in order to deal with the vulnerabilities as they are disclosed.”
Why the increase?
As Lindgaard said, vulnerabilities are becoming a fact of digital life. However, after talking to a few IT administrators, I sense the increase may not be just from coding mistakes. Some things to consider:
- The dramatic increase in new applications each year may skew percentages.
- Contests such as PWN2OWN, and companies offering lucrative bounties will be enticements for vulnerability hunters to find more, which will skew percentages compared to previous years.
It’s a thought at least.
What makes the Vulnerability Review unique is the amount of data Secunia collects. Information is culled from computers around the world (millions of PCs according to Secunia) with Secunia Personal Software Inspector installed. Secunia Personal Software Inspector is “a free computer-security solution that identifies vulnerabilities in applications on private PCs.”
To add perspective to the results, Secunia provides analysis in two different tracks.
- All Products: This track takes into consideration all vulnerabilities that were found in 2014.
- Top 50 Portfolio: Secunia first determines the 50 most common applications residing on computers using Windows 7, the most prevalent operating system.
Here are some of the more interesting findings related to All Products:
- The number of vulnerabilities (15,435) has increased by 18% from 2013 to 2014. Over the past five years the number of vulnerabilities has increased 55%.
- Last year, 1,035 vulnerabilities — a 42% increase over 2013 — were found in the top five browsers: Google Chrome, Mozilla Firefox, Internet Explorer, Opera, and Safari.
- During 2014, Secunia discovered 45 vulnerabilities in these PDF readers: Adobe Reader, Foxit Reader, PDF-XChange Viewer, Sumatra PDF, and Nitro PDF Reader.
Now the findings related to the Top 50 Portfolio applications installed on private computers:
- The number of vulnerabilities (1,348) has increased by 11% from 2013 to 2014. Over the past five years the number of vulnerabilities has increased 42%.
- The 1,348 vulnerabilities are located in 17 products from seven vendors.
- Over the past five years, the share of vulnerabilities in non-Microsoft applications amounted to 78%.
Findings of significance
In the review’s report, Secunia differentiates between vendors like Microsoft that regularly update their products and what the Secunia report calls Non-Microsoft software. “Non-Microsoft software is issued by a variety of vendors, who have their own security-update mechanisms and varying degrees of focus on security,” explains the paper.
This concerns the people at Secunia. “The Non-Microsoft applications only account for 31 percent of all the products but are responsible for 77 percent of the vulnerabilities discovered in the Top 50,” mentions the review’s press release. “Microsoft applications (including the Windows 7 operating system) account for 69 percent of the products in the Top 50, but were only responsible for 23 percent of the vulnerabilities.”
Another interesting tidbit gleaned from the review was that over 83% of vulnerabilities in All Products and more than 86% of vulnerabilities in the Top 50 Portfolio had patches available on the day of disclosure — a significant improvement over 2009, when it was less than 50%.
However, 83 to 86% does not improve noticeably in the following days or weeks. “Thirty days after day of disclosure, 84.3 percent of vulnerabilities have a patch available, indicating that if a patch is not available on the first day, the vendor does not prioritize patching the vulnerability.”
And, if Secunia knows that, it is a safe bet that the bad guys do as well.
Note: TechRepublic, ZDNet, and Tech Pro Research are CBS Interactive properties.