Secunia analyzed vulnerabilities in the Top 50 portfolio products

Pierluigi Paganini February 28, 2014

Secunia’s Vulnerability Review 2014 provides an interesting analysis of the number of vulnerabilities in the Top 50 portfolio products.

The Secunia Vulnerability Review gives a view of global vulnerability trends, based on a careful evaluation of the 50 most popular programs on private PCs. These programs are practically everywhere and in many cases are key applications for ordinary IT operations; think of internet browsers or PDF readers.

Data presented in Secunia’s Vulnerability Review 2014 reveal that third-party programs were responsible for 76% of the flaws identified in the 50 most popular programs in 2013.

“Third-party software is issued by a vast variety of vendors. Each vendor has its own security update mechanisms and varying degrees of focus on security. This represents a major challenge to the users of personal computers and administrators of IT infrastructures, because not all vendors offer automated update services and push security updates to their users,” the report states.

Secunia Top 50 program vulnerabilities 2

The analysis is based on a sample of the company’s seven million PSI users. Security specialists found 1,208 vulnerabilities, the majority of them in third-party programs, which account for only 34% of the 50 most popular programs on private PCs.

“It is one thing that third-party programs are more responsible for the majority of vulnerabilities on a typical PC, rather than Microsoft programs. However, another very important security factor is how easy it is to update Microsoft programs compared to third-party programs. Quite simply, the automation with which Microsoft security updates are made available to end users – through auto-updates, Configuration Management systems and update services – ensures that it is a reasonably simple task to protect private PCs and corporate infrastructures from the vulnerabilities discovered in Microsoft products. This is not so with the large number of third-party vendors, many of whom lack either the capabilities, resources or security focus to make security updates automatically and easily available,” said Secunia CTO, Morten R. Stengaard.

Although Microsoft products account for 66% of the Top 50 programs, only 24% of the vulnerabilities in the Top 50 programs in 2013 were in applications from the Redmond company.

Secunia Top 50 program vulnerabilities

According to the report, the choice of operating system had a minor impact on the total number of vulnerabilities on a typical endpoint: 8.4% of vulnerabilities were reported in Windows 7. The share of vulnerabilities reported in Microsoft programs went up from 8.4% in 2012 to 15.9% in 2013.

The exploitation of security vulnerabilities is a serious threat to every computing system and can lead to costly data breaches; just recently Risk Based Security and the Open Security Foundation issued a report confirming that the number of incidents that occurred last year tripled.

To get an idea of the consequences of exploiting well-known vulnerabilities in “common-use” applications, consider the 2013 security breach at the US Department of Energy: it incurred costs of $1.6 million and resulted in the theft of the personal information of 104,000 employees and their families.

We must consider that these vulnerabilities are present not only in the systems in our homes but also in computers that run critical infrastructure; this should lead us to treat vulnerability management with care. Our systems have to be carefully assessed, and we must implement an effective and timely patch management policy, ensuring that attackers cannot compromise our infrastructure. The data on patch management are very interesting: in 2013, 78.6% of all vulnerabilities had a patch available on the day of disclosure, which was possible thanks to increased cooperation between vendors and researchers.
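The report’s point is that a patch available on the day of disclosure only helps if it is actually applied, and that third-party programs without automatic updates are where the gap opens. The script below is an added example (not part of the Secunia report or this article) that shows how an administrator can measure both sides of that gap on their own fleet: the share of advisories that had a fix on disclosure day, split by vendor, and the number of days each installed program stayed exposed until the fix landed (or until today, if it never did). All advisory IDs, program names, vendors, hosts and dates are constructed sample data, not figures from the report.

```python
from dataclasses import dataclass
from datetime import date
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample advisory: one record per vulnerability, with the disclosure
# date and the date a vendor fix became available (None while no fix exists).
@dataclass(frozen=True)
class Advisory:
    id: str
    program: str
    vendor: str
    disclosed: date
    patch_available: Optional[date]

# Constructed inventory record: a program installed on a host, plus the date each
# advisory's fix was applied there (an advisory missing from the dict is still open).
@dataclass(frozen=True)
class Installed:
    host: str
    program: str
    fix_applied: Dict[str, date]

# Constructed data; vendor/program/host names and dates are illustrative only.
ADVISORIES: List[Advisory] = [
    Advisory("ADV-0001", "Browser A", "ThirdPartyCo", date(2013, 3, 4), date(2013, 3, 4)),
    Advisory("ADV-0002", "PDF Reader B", "ThirdPartyCo", date(2013, 5, 10), date(2013, 5, 24)),
    Advisory("ADV-0003", "Office Suite", "Microsoft", date(2013, 6, 11), date(2013, 6, 11)),
    Advisory("ADV-0004", "Media Player C", "OtherVendor", date(2013, 8, 1), None),
]

INVENTORY: List[Installed] = [
    Installed("ws-01", "Browser A", {"ADV-0001": date(2013, 3, 5)}),
    Installed("ws-01", "PDF Reader B", {"ADV-0002": date(2013, 6, 30)}),
    Installed("ws-01", "Office Suite", {"ADV-0003": date(2013, 6, 12)}),
    Installed("ws-02", "Browser A", {}),       # fix exists but was never applied
    Installed("ws-02", "Media Player C", {}),  # no vendor fix exists at all
]

AS_OF = date(2013, 12, 31)  # reporting date used for still-open exposures


def patch_on_disclosure_share(advisories: List[Advisory],
                              vendor_filter: Optional[Callable[[str], bool]] = None) -> float:
    """Fraction of advisories whose fix was available on the disclosure day.

    vendor_filter lets the caller split the figure, e.g. Microsoft vs. third party."""
    pool = [a for a in advisories if vendor_filter is None or vendor_filter(a.vendor)]
    if not pool:
        return 0.0
    same_day = sum(1 for a in pool if a.patch_available == a.disclosed)
    return same_day / len(pool)


def exposure_days(advisory: Advisory, installed: Installed, as_of: date) -> Optional[int]:
    """Days a host stayed exposed: disclosure -> fix applied, or -> as_of if still open.

    Returns None when the advisory does not concern the installed program."""
    if installed.program != advisory.program:
        return None
    applied = installed.fix_applied.get(advisory.id)
    end = applied if applied is not None else as_of
    return (end - advisory.disclosed).days


def open_exposures(advisories: List[Advisory], inventory: List[Installed],
                   as_of: date) -> List[Tuple[str, str, int, str]]:
    """Every unpatched install as (host, advisory id, days exposed, reason).

    The reason separates what the vendor owes ("no vendor fix") from what the
    administrator owes ("fix available, not applied")."""
    by_program: Dict[str, List[Advisory]] = {}
    for a in advisories:
        by_program.setdefault(a.program, []).append(a)
    result = []
    for inst in inventory:
        for adv in by_program.get(inst.program, []):
            if adv.id in inst.fix_applied:
                continue
            reason = "no vendor fix" if adv.patch_available is None else "fix available, not applied"
            result.append((inst.host, adv.id, exposure_days(adv, inst, as_of), reason))
    return result


if __name__ == "__main__":
    print(f"fix on disclosure day, all vendors: {patch_on_disclosure_share(ADVISORIES):.0%}")
    print(f"fix on disclosure day, Microsoft:   "
          f"{patch_on_disclosure_share(ADVISORIES, lambda v: v == 'Microsoft'):.0%}")
    print(f"fix on disclosure day, third party: "
          f"{patch_on_disclosure_share(ADVISORIES, lambda v: v != 'Microsoft'):.0%}")
    for host, adv_id, days, reason in open_exposures(ADVISORIES, INVENTORY, AS_OF):
        print(f"{host} {adv_id}: exposed {days} days ({reason})")
```

The split by reason is the useful part for a patch management policy: exposures tagged “fix available, not applied” are entirely within the organisation’s control, which is the report’s argument that the power to patch endpoints is in the hands of end users and administrators.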

Secunia Top 50 program vulnerabilities 3

The report also provides data on the number of zero-days disclosed, which is stable compared with past years, and an interesting overview of the vulnerabilities reported in browsers.

Key findings from the study are:

  • 76% of vulnerabilities in the 50 most popular programs on private PCs in 2013 affected third-party programs, by far outnumbering the 8% of vulnerabilities found in operating systems or the 16% of vulnerabilities discovered in Microsoft programs.
  • In 2012, the numbers were 86% (non-Microsoft), 5.5% (operating systems) and 8.5% (Microsoft).
  • The 1,208 vulnerabilities were discovered in 27 products in the Top 50 portfolio.
  • The 17 third-party products, which account for only 34% of the products, are responsible for 76% of the vulnerabilities discovered in the Top 50. Of the 17 third-party programs, 10 were vulnerable. Of the 33 Microsoft programs in the Top 50, 17 were vulnerable.
  • Microsoft programs (including the Windows 7 operating system) account for 66% of the products in the Top 50, but were only responsible for 24% of the vulnerabilities.
  • Over a five year period, the share of third-party vulnerabilities hovers around 75% – in 2013 it was at 76%.
  • The total number of vulnerabilities in the Top 50 most popular programs was 1,208 in 2013, showing a 45% increase in the 5 year trend. Most of these were rated by Secunia as either ‘Highly critical’ (68.2%) or ‘Extremely critical’ (7.3%).
  • In 2013, 2,289 vulnerable products were discovered with a total of 13,073 vulnerabilities in them.
  • 86% of vulnerabilities in the Top 50 had patches available on the day of disclosure in 2013; therefore the power to patch end-points is in the hands of all end-users and organizations.
  • 79% of vulnerabilities in all products had patches available on the day of disclosure in 2013.
  • In 2013, 727 vulnerabilities were discovered in the 5 most popular browsers: Google Chrome, Mozilla Firefox, Internet Explorer, Opera, Safari.
  • In 2013, 70 vulnerabilities were discovered in the 5 most popular PDF readers: Adobe Reader, Foxit Reader, PDF-XChange Viewer, Sumatra PDF and Nitro PDF Reader.

Pierluigi Paganini

(Security Affairs –  Secunia Vulnerability Review 2014, vulnerabilities)
