Third-party programs were responsible for 76% of the vulnerabilities discovered in the 50 most popular programs in 2013, according to the Secunia Vulnerability Review 2014. Secunia is a leading provider of IT security solutions that enable management and control of vulnerability threats. The Secunia Vulnerability Review 2014 analyzes the evolution of software vulnerabilities from a global, industry and endpoint perspective.
Vulnerabilities are the root cause of many security incidents, and the findings in the Secunia Vulnerability Review 2014 once again show that the biggest vulnerability threat to corporate and private security comes from third-party (i.e. non-Microsoft) programs.
The Secunia Vulnerability Review analyzes the global vulnerability trends, and takes a particularly thorough look at the 50 most popular programs on private PCs – the Top 50 portfolio. Those 50 programs pervade enterprise IT infrastructures, either as integral business tools that are approved, monitored and maintained by IT operations – for example PDF readers and internet browsers; or as apps on the private devices of employees and management, used in the workplace with or without permission.
In the Top 50 programs, a total of 1,208 vulnerabilities were discovered in 2013. Third-party programs were responsible for 76% of those vulnerabilities, although these programs only account for 34% of the 50 most popular programs on private PCs.
The share of Microsoft programs (including the Windows 7 operating system) in the Top 50 is a prominent 33 products – 66%. Even so, Microsoft programs are only responsible for 24% of the vulnerabilities in the Top 50 programs in 2013.
“It is one thing that third-party programs are responsible for the majority of vulnerabilities on a typical PC, rather than Microsoft programs. However, another very important security factor is how easy it is to update Microsoft programs compared to third-party programs. Quite simply, the automation with which Microsoft security updates are made available to end users – through auto-updates, Configuration Management systems and update services – ensures that it is a reasonably simple task to protect private PCs and corporate infrastructures from the vulnerabilities discovered in Microsoft products. This is not so with the large number of third-party vendors, many of whom lack either the capabilities, resources or security focus to make security updates automatically and easily available,” said Secunia CTO, Morten R. Stengaard.
One well-known vulnerability was all it took for the US Department of Energy
While there is an abundance of vulnerabilities – 1,208 in the Top 50 and 13,073 in total in all products in 2013 – it is important to emphasize that one vulnerability is all hackers need to breach security.
A recent and unusually well-documented example of how one well-known vulnerability can cause havoc is the security breach in the US Department of Energy in 2013, which incurred costs of $1.6 million and resulted in the theft of the personal information of 104,000 employees and their families. Consequences such as those are not exceptional, as documented by the Ponemon Institute: In 2013 “the average time to resolve a cyber attack was 32 days, with an average cost to participating organizations of $1,035,769 during this 32-day period.”
The security breach in the US Department of Energy was caused by a combination of managerial and technological system weaknesses – the perfect breeding ground for attackers, enabling them to exploit vulnerabilities already present in the infrastructure.
“The breach demonstrates that the first challenge to corporations is obtaining visibility of their infrastructure, so that they are able to determine the criticality of a threat to their data, and also take action to protect the systems from the threat. For corporations to meet the requirements, and implement the frameworks, associated with best practice risk management, it is critical that top-level management recognizes the integral role that vulnerability management plays and thus supports the efforts of IT security and IT operations in identifying and remediating threats efficiently and effectively. The challenges to implement an effective information security strategy in the US Department of Energy are similar to those we continuously encounter in corporations, where security professionals have to fight battle after battle to secure the resources required to win the war against cybercrime,” said Morten R. Stengaard.
And help is available: In 2013, 86% of the vulnerabilities discovered in the Top 50 portfolio had a security update – a patch – available on the day it was disclosed to the public, enabling organizations to remediate the risk immediately, if the organization receives and is poised to act on the vulnerability intelligence available.
Across all products – 13,073 vulnerabilities discovered in 2,289 products – 79% of the vulnerabilities had a patch available on the day of disclosure.
“With these numbers in mind, we can conclude that intelligent, comprehensive and deployable patch management goes a long way towards protecting IT infrastructures. And supported by an effective risk management strategy it is possible for organizations to meet the threat posed by vulnerabilities, and to protect the business-critical and sensitive information they store in their systems,” said Morten R. Stengaard.
Key findings from the Secunia Vulnerability Review 2014
1. 76% of vulnerabilities in the 50 most popular programs on private PCs in 2013 affected third-party programs, by far outnumbering the 8% of vulnerabilities found in operating systems and the 16% discovered in other Microsoft programs (24% for Microsoft products in total, including the Windows 7 operating system).
In 2012, the numbers were 86% (non-Microsoft), 5.5% (operating systems) and 8.5% (Microsoft).
2. The 1,208 vulnerabilities were discovered in 27 products in the Top 50 portfolio.
3. The 17 third-party products, which account for only 34% of the products in the Top 50, are responsible for 76% of the vulnerabilities discovered in the Top 50.
Of the 17 third-party programs, 10 were vulnerable. Of the 33 Microsoft programs in the Top 50, 17 were vulnerable.
4. Microsoft programs (including the Windows 7 operating system) account for 66% of the products in Top 50, but were only responsible for 24% of the vulnerabilities.
5. Over a five year period, the share of third-party vulnerabilities hovers around 75% – in 2013 it was at 76%.
6. The total number of vulnerabilities in the Top 50 most popular programs was 1,208 in 2013, a 45% increase over the five-year trend. Most of these were rated by Secunia as either ‘Highly critical’ (68.2%) or ‘Extremely critical’ (7.3%).
7. In 2013, a total of 13,073 vulnerabilities were discovered across 2,289 vulnerable products.
8. 86% of vulnerabilities in the Top 50 had patches available on the day of disclosure in 2013; therefore the power to patch end-points is in the hands of all end-users and organizations.
9. 79% of vulnerabilities in all products had patches available on the day of disclosure in 2013.
10. In 2013, 727 vulnerabilities were discovered in the 5 most popular browsers: Google Chrome, Mozilla Firefox, Internet Explorer, Opera, Safari.
11. In 2013, 70 vulnerabilities were discovered in the 5 most popular PDF readers: Adobe Reader, Foxit Reader, PDF-XChange Viewer, Sumatra PDF and Nitro PDF Reader.
About the Secunia Vulnerability Review 2014
The Secunia Vulnerability Review 2014 analyzes the evolution of software security from a global endpoint perspective. It presents data on vulnerabilities and the availability of patches and correlates this information with the market share of programs to evaluate the true threats.
Identifying the 50 most popular programs (the Top 50 portfolio):
To assess how exposed endpoints are, we analyze the types of products typically found on an endpoint. For this analysis we use anonymous data gathered from scans throughout 2013 of the millions of private computers which have the Secunia Personal Software Inspector (PSI) installed.
PSI users’ computers have an average of 75 programs installed on them – from country to country and region to region there are variations as to which programs are installed. For the sake of clarity, we have chosen to focus on the state of a representative portfolio of the 50 most common products found on the computers. These 50 programs are comprised of 33 Microsoft programs and 17 third-party programs.
Learn more at: secunia.com/vulnerability-review
Sign up for the Webinar on the Secunia Vulnerability Review 2014, March 20
“Dissecting the 2013 Vulnerability Landscape”
Presented by Secunia’s Head of Research Kasper Lindgaard and CTO Morten R. Stengaard
Founded in 2002, Secunia is a leading provider of IT security solutions that help businesses and private individuals globally manage and control vulnerability threats, risks across their networks, and end-points. This is enabled by Secunia’s award-winning Vulnerability Intelligence, Vulnerability Assessment, and Patch Management solutions that ensure optimal and cost-effective protection of critical information assets.
Secunia plays an important role in the IT security ecosystem, and is the preferred supplier for enterprises and government agencies worldwide, counting Fortune 500 and Global 2000 businesses among its customer base. Secunia is headquartered in Copenhagen, Denmark.
For more information, please visit secunia.com