Reading the Secunia Vulnerability Review 2015

Secunia has issued its annual report on the vulnerabilities discovered in 2014 in the most popular software, a document that includes key figures and facts.

Secunia has recently released its annual study of trends in software vulnerabilities, an interesting report that highlights the impact of flaws in common software and provides useful details on how threat actors exploited them. According to the data provided by the security firm, both the number of web browser vulnerabilities and the number of zero-days exploited by attackers worldwide increased significantly in 2014.

The security community and software vendors responded promptly, identifying threats early and providing the necessary patches: Secunia revealed that more than 83 percent of the 15,435 vulnerabilities found in 3,870 applications had a vendor fix available on the day the flaw was publicly disclosed, a positive trend and a marked improvement over previous years.

“The absolute number of vulnerabilities detected was 15,435, discovered in 3,870 applications from 500 vendors. The number shows a 55% increase in the five year trend, and an 18% increase from 2013 to 2014. Since 2013, the number of vendors behind the vulnerable products has decreased by 11% and the amount of vulnerable products has increased by 22%.” states the report published by Secunia.

The number of zero-day flaws exploited by threat actors worldwide rose from 14 in 2013 to 25 in 2014, a significant increase that worries security experts because a zero-day is, by definition, exploited before a patch exists, so defenses that rely on patching or on signatures for known flaws offer no protection until the vendor responds. Another concerning figure is the number of vulnerabilities affecting web browser software, which increased to 1,035 in 2014, up from 728 the prior year.

The study confirms the effectiveness of the research community's coordination with vendors, which got most vulnerabilities fixed before or at disclosure and so limited users' exposure to exploitation.

“The most likely explanation is that researchers are continuing to coordinate their vulnerability reports with vendors and their vulnerability programs, resulting in immediate availability of patches for the majority of cases,” continues the report.

By analyzing the patch-management data, the experts found that if a patch was not available on the day a flaw was publicly disclosed, the delay tended to stretch out: the share of vulnerabilities with a patch available one month after disclosure rose only to 84.3 percent, barely above the day-of-disclosure figure.

“30 days after day of disclosure, 84.3% of vulnerabilities have a patch available, indicating that if a patch is not available on the first day, the vendor does not prioritize patching the vulnerability” reads Secunia.
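The two figures above (patch available on the day of disclosure, and 30 days later) are easy to recompute from any advisory feed that records a disclosure date and a patch date. The script below is an added example and is not from Secunia or the report; it runs on a constructed sample of ten hypothetical advisories, and also isolates the cohort the report's conclusion is about: vulnerabilities that had no patch on day 0 and how many of those were fixed within a month. A patch shipped before disclosure (coordinated disclosure) counts as available on day 0.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass(frozen=True)
class VulnRecord:
    """One advisory: when it went public and when the vendor shipped a fix.
    `patched` is None if no fix exists as of the data cut-off."""
    vuln_id: str          # hypothetical identifier, not a real advisory
    disclosed: date
    patched: Optional[date]


def patched_within(rec: VulnRecord, days: int) -> bool:
    """True if a fix existed no later than `days` after public disclosure.
    A negative delay (fix released before disclosure) therefore counts as
    available on day 0."""
    if rec.patched is None:
        return False
    return (rec.patched - rec.disclosed).days <= days


def patch_availability(records: List[VulnRecord]) -> Dict[str, float]:
    """Share of vulnerabilities with a patch on day 0 and day 30, plus the
    late cohort (no patch on day 0) and how much of it was fixed by day 30."""
    if not records:
        raise ValueError("no records")
    n = len(records)
    day0 = [r for r in records if patched_within(r, 0)]
    day30 = [r for r in records if patched_within(r, 30)]
    late = [r for r in records if not patched_within(r, 0)]
    late_fixed = [r for r in late if patched_within(r, 30)]
    return {
        "day_0": len(day0) / n,
        "day_30": len(day30) / n,
        "late_cohort_size": float(len(late)),
        "late_fixed_by_day_30": (len(late_fixed) / len(late)) if late else 0.0,
        "unpatched_at_cutoff": sum(r.patched is None for r in records) / n,
    }


# Constructed sample data (not Secunia's data set): ten advisories, seven
# fixed on the day of disclosure, one fixed three days before disclosure,
# one fixed 20 days after, one still open at the cut-off.
SAMPLE = [
    VulnRecord("V-001", date(2014, 1, 14), date(2014, 1, 14)),
    VulnRecord("V-002", date(2014, 2, 11), date(2014, 2, 11)),
    VulnRecord("V-003", date(2014, 3, 11), date(2014, 3, 11)),
    VulnRecord("V-004", date(2014, 4, 8), date(2014, 4, 8)),
    VulnRecord("V-005", date(2014, 5, 13), date(2014, 5, 13)),
    VulnRecord("V-006", date(2014, 6, 10), date(2014, 6, 10)),
    VulnRecord("V-007", date(2014, 7, 8), date(2014, 7, 8)),
    VulnRecord("V-008", date(2014, 8, 12), date(2014, 8, 9)),   # coordinated: fix first
    VulnRecord("V-009", date(2014, 9, 9), date(2014, 9, 29)),   # 20 days late
    VulnRecord("V-010", date(2014, 10, 14), None),              # no patch yet
]

if __name__ == "__main__":
    for key, value in patch_availability(SAMPLE).items():
        print(f"{key:>22}: {value:.3f}")
```

On the sample this gives 80% on day 0 and 90% on day 30, and the useful number for a risk owner is the third one: of the two advisories that missed day 0, only half had a fix a month later, which is the pattern the report describes.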

Also of interest is the detailed analysis of PDF reader software, a very common attack vector because of how widely it is deployed. According to the data presented in the report, 43 vulnerabilities were discovered in Adobe Reader in 2014.

The report also analyzed vulnerabilities discovered in open-source software, which represented a serious security issue last year; we all remember the effects of the Heartbleed disclosure. Open-source applications and libraries are widely used and, in most cases, bundled into a variety of commercial products and solutions, so a flaw in one library surfaces in every product that ships it, each on its vendor's own patch schedule. For this reason the issue must be carefully addressed.

“Organizations should not presume to be able to predict which vendors are dependable and quick to react when vulnerabilities are discovered in products bundled with open-source libraries,” Secunia said.
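Because a vendor's patch schedule cannot be taken for granted, the practical first step is to find out which products on your own systems carry a bundled copy of the library. The script below is an added example, not code from Secunia or from any vendor: it looks for the plain-text version banner that OpenSSL compiles into libcrypto/libssl (of the form "OpenSSL 1.0.1e 11 Feb 2013"), which survives in any executable or DLL that statically links or ships the library, and flags the Heartbleed-affected range (1.0.1 through 1.0.1f, fixed in 1.0.1g). The install tree it scans here is a constructed, hypothetical vendor product embedded as byte strings; `scan_tree` does the same over a real directory.

```python
import re
from pathlib import Path
from typing import Dict, List, Tuple

# OpenSSL embeds its version banner as a plain C string, e.g.
# b"OpenSSL 1.0.1e 11 Feb 2013", so it can be recovered from any binary
# that bundles the library, whether or not the vendor documents it.
BANNER = re.compile(rb"OpenSSL (\d+)\.(\d+)\.(\d+)([a-z]?)\b")

Version = Tuple[int, int, int, str]   # (major, minor, patch, letter)


def parse_banner(m: "re.Match") -> Version:
    major, minor, patch, letter = m.groups()
    return int(major), int(minor), int(patch), letter.decode()


def heartbleed_affected(v: Version) -> bool:
    """CVE-2014-0160 affects 1.0.1 through 1.0.1f; 1.0.1g fixed it, and the
    1.0.0 and 0.9.8 branches never contained the TLS heartbeat code."""
    major, minor, patch, letter = v
    return (major, minor, patch) == (1, 0, 1) and letter <= "f"


def scan_blob(name: str, data: bytes) -> List[dict]:
    """Return one record per OpenSSL banner found in `data`."""
    hits = []
    for m in BANNER.finditer(data):
        v = parse_banner(m)
        hits.append({
            "file": name,
            "version": "%d.%d.%d%s" % v,
            "heartbleed": heartbleed_affected(v),
        })
    return hits


def scan_tree(root: str) -> List[dict]:
    """Walk a real install directory and scan every regular file as bytes."""
    hits = []
    for p in Path(root).rglob("*"):
        if p.is_file():
            hits.extend(scan_blob(str(p), p.read_bytes()))
    return hits


def affected_files(files: Dict[str, bytes]) -> List[str]:
    """Names of in-memory 'files' that carry a Heartbleed-range banner."""
    return sorted({
        h["file"]
        for name, data in files.items()
        for h in scan_blob(name, data)
        if h["heartbleed"]
    })


# Constructed sample install tree of a hypothetical vendor product. The
# banners mimic the format OpenSSL uses; the product and paths are invented.
SAMPLE_FILES = {
    "vendorapp/lib/libcrypto.so.1.0.0":
        b"\x7fELF" + b"\x00" * 16 + b"OpenSSL 1.0.1e 11 Feb 2013\x00" + b"\x00" * 8,
    "vendorapp/bin/updater.exe":
        b"MZ" + b"\x90" * 12 + b"OpenSSL 1.0.1g 7 Apr 2014\x00",
    "vendorapp/lib/legacy.so":
        b"OpenSSL 0.9.8y 5 Feb 2013\x00",
    "vendorapp/README":
        b"This product bundles third-party components.",
}

if __name__ == "__main__":
    for name, data in SAMPLE_FILES.items():
        for hit in scan_blob(name, data):
            flag = "HEARTBLEED" if hit["heartbleed"] else "ok"
            print(f"{hit['file']}: OpenSSL {hit['version']} [{flag}]")
```

The point of the check is the one the report makes: the vendor's own advisory may never mention the bundled library, so the version string inside the shipped binary, not the product version, is what tells you whether you are exposed and whether the vendor's update actually replaced it.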

Let me suggest reading the report; I'm sure you will find it interesting.

Pierluigi Paganini

(Security Affairs – Secunia, vulnerabilities)

