15,435 vulnerabilities in close to 4,000 applications in 2014
15,435 vulnerabilities across 3,870 applications were recorded in 2014 – that’s an 18% increase in vulnerabilities compared to the year before, and a 22% increase in the number of products.
The result was published today in the Secunia Vulnerability Review 2015. Secunia is a leading provider of IT security solutions that enable management and control of vulnerability threats. The Secunia Vulnerability Review 2015 analyzes the evolution of software vulnerabilities from a global, industry and endpoint perspective.
Vulnerabilities are a root cause of security issues – an error in software that can work as an entry point for hackers, and can be exploited to gain access to IT systems. In 2014, 15,435 vulnerabilities were discovered according to data from the vulnerability intelligence experts at Secunia Research. The vulnerabilities are spread across 3,870 applications published by 500 different vendors, and these numbers alone demonstrate the challenge faced by IT teams trying to protect their environment against security breaches.
“Every year, we see an increase in the number of vulnerabilities discovered, emphasizing the need for organizations to stay on top of their environment. IT teams need to have complete visibility of the applications that are in use, and they need firm policies and procedures in place, in order to deal with the vulnerabilities as they are disclosed,” says Kasper Lindgaard, Director of Research and Security at Secunia.
Bundling complicates visibility
Obtaining full visibility to ascertain risk is not simple. In addition to known vulnerabilities in known products in the infrastructure, users have to deal with the opaque area that is bundling: vendors bundle their products with, for example, open source applications and libraries, complicating the customers’ chance of knowing which products are in fact present on their systems.
And, as the several incidents in 2014 of vulnerabilities in open source applications and libraries demonstrate, not all vendors can be relied upon to inform their users when vulnerabilities in open source applications affect their products.
“In fact, as examples in the Secunia Vulnerability Review show, when we look at the number of days lapsed between the times when OpenSSL vulnerabilities were disclosed, until third-party vendors informed of their product being vulnerable, we find that there is no general pattern to response times. Consequently, organizations cannot presume to be able to predict which vendors are dependable and quick to react, when vulnerabilities are discovered in products bundled with open source libraries,” says Kasper Lindgaard.
Patch on Day One or go to Plan B!
For those applications that are known to the security teams, the data for 2014 shows an encouraging trend: Of all the 15,435 vulnerabilities, a full 83% had a security patch available on the day the vulnerability was disclosed to the public. This number represents a continued improvement in time-to-patch, particularly when taking a retrospective view of the last six years and the low of 49.9% recorded in 2009 in all products.
“But numbers also show that while an impressive 83% of vulnerabilities have a patch available on the day of disclosure, the number is virtually unchanged when we look 30 days ahead. 30 days on, just 84.3% have a patch available which essentially means that if it isn’t patched on the day of disclosure, chances are the vendor isn’t prioritizing the issue. That means you need to move to plan B, and apply alternative fixes to mitigate the risk,” says Kasper Lindgaard.
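The two practical points above (track whether a bundled library's upstream disclosure has been followed by a vendor advisory, and treat anything without a patch on the day of disclosure as a plan B candidate) are easy to turn into vulnerability-management metrics. The following script is an added example and is not Secunia's code or data; the advisory records, product names, vendor names and vulnerability ids are constructed placeholders, and the day-0 / day-30 coverage figures it computes are for the sample only, not the report's 83% and 84.3%.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass
class Advisory:
    """One vendor advisory as tracked by a security team (constructed schema, not Secunia's)."""
    vuln_id: str                          # placeholder id, not a real advisory number
    product: str
    vendor: str
    disclosed: date                       # public disclosure of the product advisory
    patch_available: Optional[date]       # None means no vendor patch has been released
    bundled_lib: Optional[str] = None     # upstream library the flaw originates in, if any
    lib_disclosed: Optional[date] = None  # public disclosure of the upstream library flaw


def patch_coverage(advisories, days):
    """Fraction of advisories whose patch was available within `days` of disclosure
    (days=0 gives the day-of-disclosure figure, days=30 the 30-day figure)."""
    if not advisories:
        return 0.0
    covered = sum(
        1 for a in advisories
        if a.patch_available is not None
        and (a.patch_available - a.disclosed).days <= days
    )
    return covered / len(advisories)


def triage(advisory, today):
    """'patch' when a vendor fix is available as of `today`, otherwise 'plan-b',
    meaning an alternative mitigation (configuration change, workaround, isolation)."""
    if advisory.patch_available is not None and advisory.patch_available <= today:
        return "patch"
    return "plan-b"


def triage_all(advisories, today):
    return {a.vuln_id: triage(a, today) for a in advisories}


def vendor_lag_days(advisories):
    """For advisories caused by a bundled library, the number of days between the
    upstream disclosure and the vendor's own advisory for its bundled copy."""
    return {
        a.vuln_id: (a.disclosed - a.lib_disclosed).days
        for a in advisories
        if a.bundled_lib is not None and a.lib_disclosed is not None
    }


# Constructed sample: three direct product flaws and two products bundling OpenSSL.
SAMPLE = [
    Advisory("VULN-1", "Product A", "Vendor X", date(2014, 4, 7), date(2014, 4, 7)),
    Advisory("VULN-2", "Product B", "Vendor X", date(2014, 4, 7), date(2014, 4, 20)),
    Advisory("VULN-3", "Product C", "Vendor Y", date(2014, 4, 7), None),
    Advisory("VULN-4", "Appliance D", "Vendor Z", date(2014, 4, 9), date(2014, 4, 9),
             bundled_lib="OpenSSL", lib_disclosed=date(2014, 4, 7)),
    Advisory("VULN-5", "Appliance E", "Vendor W", date(2014, 5, 30), None,
             bundled_lib="OpenSSL", lib_disclosed=date(2014, 4, 7)),
]

# The date on which the triage decision is taken (constructed).
REVIEW_DATE = date(2014, 5, 7)

if __name__ == "__main__":
    print(f"day-0 patch coverage : {patch_coverage(SAMPLE, 0):.0%}")
    print(f"day-30 patch coverage: {patch_coverage(SAMPLE, 30):.0%}")
    for vid, action in triage_all(SAMPLE, REVIEW_DATE).items():
        print(vid, action)
    for vid, lag in vendor_lag_days(SAMPLE).items():
        print(vid, "vendor lag:", lag, "days")
```

Run against a real advisory feed, `patch_coverage(..., 0)` and `patch_coverage(..., 30)` reproduce the two figures the review compares; a small gap between them is the signal that waiting on the vendor is unlikely to help, and `triage_all` makes the plan B decision explicit per advisory. `vendor_lag_days` is only as good as the bundling inventory behind `bundled_lib`, which is exactly the visibility problem the previous section describes.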
Key findings from the Secunia Vulnerability Review 2015
Total numbers across all applications
- In 2014, a total of 15,435 vulnerabilities were discovered in 3,870 products from 500 vendors.
- The number of vulnerabilities shows a 55% increase in the five year trend, and an 18% increase from 2013 to 2014. The number of vulnerable products has increased by 22% from 2013 to 2014.
- 83% of vulnerabilities in all products had patches available on the day of disclosure in 2014.
- 25 zero-day vulnerabilities were discovered in total in 2014, compared to 14 the year before.
- 20 of the 25 zero-day vulnerabilities were discovered in the 25 most popular products – 7 of these in operating systems.
- 11% of the 15,435 vulnerabilities discovered in 2014 were rated as ‘Highly Critical’, and 0.3% as ‘Extremely Critical’.
- In 2014, 1,035 vulnerabilities were discovered in the 5 most popular browsers: Google Chrome, Mozilla Firefox, Internet Explorer, Opera and Safari. That is a 42% increase from 2013.
- In 2014, 45 vulnerabilities were discovered in the 5 most popular PDF readers: Adobe Reader, Foxit Reader, PDF-XChange Viewer, Sumatra PDF and Nitro PDF Reader.
The 50 most popular applications on private PCs
- 1,348 vulnerabilities were discovered in 18 products in the Top 50 most popular applications on private PCs.
- 77% of vulnerabilities in the 50 most popular applications on private PCs in 2014 affected non-Microsoft applications, by far outnumbering the 2% of vulnerabilities found in the Windows 7 operating system or the 21% of vulnerabilities discovered in Microsoft applications.
- The 16 non-Microsoft applications only account for 31% of products but are responsible for 77% of the vulnerabilities discovered in the Top 50. Microsoft applications (including the Windows 7 operating system) account for 69% of the products in the Top 50, but were only responsible for 23% of the vulnerabilities.
- Over a five year period, the share of vulnerabilities in non-Microsoft applications hovers around 78% in the Top 50.
- The total number of vulnerabilities in the Top 50 most popular applications was 1,348 in 2014, showing a 42% increase in the 5 year trend. Most of these were rated by Secunia as either ‘Highly critical’ (64.9%) or ‘Extremely critical’ (9.7%).
- 87% of vulnerabilities in the Top 50 had patches available on the day of disclosure in 2014.
About the Secunia Vulnerability Review 2015
The Secunia Vulnerability Review 2015 analyzes the evolution of software security from a global endpoint perspective. It presents data on vulnerabilities and the availability of patches and correlates this information with the market share of programs to evaluate the true threats.
Identifying the 50 most popular applications (the Top 50 portfolio):
To assess how exposed endpoints are, we analyze the types of products typically found on an endpoint. For this analysis we use anonymous data gathered from scans throughout 2014 of the millions of private computers which have the Secunia Personal Software Inspector (PSI) installed.
PSI users’ computers have an average of 76 programs installed on them – from country to country and region to region there are variations as to which applications are installed. For the sake of clarity, we have chosen to focus on the state of a representative portfolio of the 50 most common applications found on the computers. These 50 applications are comprised of 34 Microsoft applications and 16 non-Microsoft applications.
Learn more at: secunia.com/vulnerability-review
Join the webinar on the Secunia Vulnerability Review 2015, April 14
“All about the thousands of 2014 vulnerabilities – From Secunia Research”
Presented by Kasper Lindgaard, Secunia’s Director of Research and Security
About Secunia
Founded in 2002, Secunia is a leading provider of IT security solutions that help businesses and private individuals globally manage and control vulnerability threats, risks across their networks, and end-points. This is enabled by Secunia’s award-winning Vulnerability Intelligence, Vulnerability Assessment, and Patch Management solutions that ensure optimal and cost-effective protection of critical information assets.
Secunia plays an important role in the IT security ecosystem, and is the preferred supplier for enterprises and government agencies worldwide, counting Fortune 500 and Global 2000 businesses among its customer base. Secunia is headquartered in Copenhagen, Denmark.
For more information, please visit secunia.com.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.