IT security solutions provider Secunia today published its annual vulnerability review. The report provides facts and details on the security flaws uncovered in 2014.
According to the security firm, a total of 15,435 vulnerabilities were identified in 2014 in 3,870 applications from 500 vendors. This represents an 18 percent increase compared to the previous year, and a 55 percent increase over five years.
Of the total number of flaws detected last year, 11 percent were rated “highly critical” and 0.3 percent were rated “extremely critical.” The percentage of highly critical vulnerabilities decreased compared to 2013, when more than 16 percent of issues were included in this category. A majority of the bugs had patches available on the day they were disclosed, Secunia said.
“While an impressive 83% of vulnerabilities have a patch available on the day of disclosure, the number is virtually unchanged when we look 30 days ahead. 30 days on, just 84.3% have a patch available which essentially means that if it isn’t patched on the day of disclosure, chances are the vendor isn’t prioritizing the issue. That means you need to move to plan B, and apply alternative fixes to mitigate the risk,” said Kasper Lindgaard, Director of Research and Security at Secunia.
This improved time-to-patch rate shows that researchers continue to coordinate their vulnerability reports with vendors, the security firm noted.
The company has determined that the most common attack vector was remote network (over 60 percent), followed by local network and local system.
As far as zero-day vulnerabilities are concerned, a total of 25 were discovered in 2014, which is a significant increase compared to 2013, when only 14 were reported. Twenty of the zero-days were found in the 25 most popular software applications, including seven in operating systems.
The figures are a bit different when it comes to the top 50 most common applications found on a typical computer. This list consists of 34 products developed by Microsoft, including operating systems, and 16 products from other vendors.
According to Secunia, 18 products from the top 50 portfolio were plagued by a total of 1,348 vulnerabilities in 2014. Nearly 75 percent of these security holes were rated as highly or extremely critical.
Non-Microsoft applications accounted for 77 percent of vulnerabilities. Microsoft applications accounted for 21 percent of vulnerabilities, while the remaining 2 percent plagued the Windows 7 operating system.
The number of vulnerabilities uncovered in the most popular Web browsers (Chrome, Firefox, Internet Explorer, Opera and Safari) was 1,035. This represents a 42 percent increase compared to the previous year. The number of flaws found in Adobe Reader, Foxit Reader, PDF-XChange Viewer, Sumatra PDF and Nitro PDF Reader decreased to 45 (from 70 identified in 2013).
A report released by IBM X-Force earlier this month shows that the company catalogued more than 9,200 vulnerabilities last year. However, CERT/CC has started assigning individual CVE identifiers for each Android application plagued by the same fundamental man-in-the-middle vulnerability. There are roughly 20,000 applications that could be vulnerable.
The complete Secunia Vulnerability Review 2015 is available online.