
It turns out that just updating and patching the Windows operating system and Microsoft applications are not enough to keep endpoints secure and protect them from threats, according to a new report from Secunia.

In the Secunia Vulnerability Review 2013, released today, Secunia found that most of the software vulnerabilities discovered in 2012 weren’t in Microsoft products at all. In fact, researchers found that 86 percent of vulnerabilities found in the top 50 popular Windows applications in 2012 were actually bugs in third-party applications. Top offenders include Java, Adobe Flash Player, and Adobe Reader.

The remaining 14 percent of vulnerabilities were found in Microsoft applications and operating systems. To break that figure down even more, only 5.5 percent of the issues were in the operating system, and 8.5 percent were flaws in the applications. This means that even if organizations and private users are diligently applying Patch Tuesday updates and keeping Microsoft applications up-to-date, they are at risk because the threat is more likely to come from non-Microsoft products.

“Companies cannot continue to ignore or underestimate non-Microsoft programs,” Morten R. Stengaard, Secunia’s director of product management, said in a statement. “The number of vulnerabilities is on the increase, but many organizations continue to turn a blind eye, thereby jeopardizing their entire IT infrastructure,” Stengaard warned.

The number of vulnerabilities is increasing. Secunia said 9,776 vulnerabilities were discovered in 2,503 applications in 2012. That is approximately 4 vulnerabilities on average per vulnerable product.

As Microsoft doubles down on its security efforts, issues in third-party applications are on the increase. In 2011, flaws in third-party applications accounted for 78 percent of the total. That figure was less than 60 percent in 2007.

Ignoring the threat posed by vulnerabilities in third-party software is “both reckless and unnecessary,” Secunia said. Reckless, since, of the top 50 programs included in Secunia’s report, 18 of them accounted for 1,137 flaws. That’s an average of 63 vulnerabilities per vulnerable application, and these are among some of the most popular programs installed on computers around the world.

Unnecessary, because 84 percent of these vulnerabilities already had a patch available on the very day the issues were disclosed. “It is possible to remediate the majority of vulnerabilities,” Stengaard said.


There is a lot of concern about zero-day vulnerabilities, since everyone is at risk until the vendor releases a patch. However, they aren’t really that common in the first place. According to a chart in the report, only eight zero-days were identified among the top 50 popular programs in 2012, compared to 14 in 2011 and 12 in 2010.

While Secunia didn’t specify which product had the zero-days in 2012, the report said vulnerabilities targeted a handful of popular applications. Based on past headlines, it’s pretty clear the bulk of the zero-days were in Java, Adobe Flash, and Reader.

Organizations must know which programs are present on their systems, identify which of those programs are insecure, find out which patches are available, and then prioritize the systems for remediation, Secunia said.

Secunia’s report also included information about the vulnerabilities reported in SCADA (Supervisory Control And Data Acquisition) systems, and the picture there is even grimmer than for third-party software.

“SCADA software today is at the stage mainstream software was 10 years ago,” Secunia said, noting that many vulnerabilities remain unpatched a month after the issues were disclosed. Several high-risk SCADA vulnerabilities remained unpatched for over 90 days, according to the report.
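The remediation sequence the report recommends (inventory installed programs, identify the insecure ones, check patch availability, prioritize) together with the patch-lag metrics quoted above, as an added Python example that is not from Secunia or SecurityWeek; every advisory and inventory record below is constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass
class Advisory:
    product: str
    vendor: str
    disclosed: date
    patched: Optional[date]  # None while the vendor has no fix out


# Constructed sample advisories (not figures from the Secunia report).
ADVISORIES = [
    Advisory("Flash Player", "Adobe", date(2012, 3, 1), date(2012, 3, 1)),
    Advisory("Reader", "Adobe", date(2012, 5, 10), date(2012, 5, 10)),
    Advisory("Java", "Oracle", date(2012, 8, 26), date(2012, 8, 30)),
    Advisory("Office", "Microsoft", date(2012, 4, 10), date(2012, 4, 10)),
    Advisory("Windows", "Microsoft", date(2012, 6, 12), date(2012, 6, 12)),
    Advisory("HMI Suite", "ExampleSCADA", date(2012, 2, 1), None),
]
# Constructed inventory: which of the products above each host runs.
INVENTORY = {"ws-01": ["Java", "Office", "Windows"], "plc-gw": ["HMI Suite", "Windows"]}


def pct(part: int, whole: int) -> int:
    return round(100 * part / whole)


def third_party_pct(advs: List[Advisory]) -> int:
    # Share of vulnerabilities that are not in Microsoft products.
    return pct(sum(a.vendor != "Microsoft" for a in advs), len(advs))


def patch_at_disclosure_pct(advs: List[Advisory]) -> int:
    # Share for which a patch existed on the disclosure day itself.
    return pct(sum(a.patched == a.disclosed for a in advs), len(advs))


def exposure_days(a: Advisory, today: date) -> int:
    # Window during which an affected host had (or still has) no fix to apply.
    return ((a.patched or today) - a.disclosed).days


def unpatched_longer_than(advs: List[Advisory], days: int, today: date) -> List[str]:
    return [a.product for a in advs if a.patched is None and exposure_days(a, today) > days]


def host_actions(inventory: Dict[str, List[str]], advs: List[Advisory], today: date) -> Dict[str, List[str]]:
    # Per host: affected products, longest exposure first, with patch status.
    by_product = {a.product: a for a in advs}
    out: Dict[str, List[str]] = {}
    for host, products in inventory.items():
        affected = [by_product[p] for p in products if p in by_product]
        affected.sort(key=lambda a: exposure_days(a, today), reverse=True)
        out[host] = [f"{a.product}: {'patch available' if a.patched else 'no patch, mitigate'}" for a in affected]
    return out
```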

Data for the Secunia Vulnerability Review report comes from anonymous data gathered from computers running Secunia Personal Software Inspector. PSI is a desktop application that collects information about what software is installed on the system and notifies users whenever an update is available for that application. PSI users’ computers have an average of 72 programs installed on them, and the report focused on the 50 most common applications, comprising 29 Microsoft programs and 21 third-party programs.
