
Nearly 80% Of All Bugs Are In Third-Party Apps

Secunia annual report says only 10 percent of bugs in 2011 were in Microsoft software

Don't blame it on Microsoft: The lion's share of vulnerabilities last year were in third-party applications, with 78 percent of all bugs, versus 10 percent in Microsoft software products, according to a new report published today.

Secunia's annual report for 2011 found that the number of endpoint flaws jumped past 800 bugs, more than half of which were considered very critical.

"What we see is a consolidation, with fewer vendors responsible for more vulnerabilities," says Stefan Frei, research analyst director for Secunia. "Most of the vulnerabilities are highly critical and exploitable."

The jump in third-party flaws is dramatic when compared with 2006, when third-party software accounted for less than half of all bugs, at 45 percent. Around 12 percent of last year's bugs were in operating systems. Secunia also found that, in a typical organization with more than 600 programs installed, more than half of the programs that are vulnerable in one year are not vulnerable the next, and half of those that are not vulnerable one year will be the next. "Therefore, identifying all installed programs and implementing an agile, dynamic patching strategy according to criticality in the remediation phase, as opposed to a short-sighted approach of only patching a static set of preferred programs, clearly wins in terms of achieving optimal risk reduction with limited resources," Frei said in a statement.
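The first step Frei recommends, identifying every installed program, is the part most organizations skip. The script below is an added example (it is not from the Secunia report or from Dark Reading) that enumerates the programs registered in the standard Windows Uninstall registry keys, splits them into Microsoft and third-party by publisher, and writes the inventory to a CSV file for matching against a vulnerability feed. It assumes the software registered itself through those keys; portable or per-user applications that skip the registry will not appear, and the CSV path `.\installed-programs.csv` is an arbitrary choice.

```powershell
# Added example, not code from the Secunia report or the article above.
# Enumerate installed programs on a Windows endpoint and split them into
# Microsoft vs. third-party, the same split the Secunia report uses.
# Assumption: programs are registered in the standard Uninstall keys;
# portable apps and installers that skip the registry are not seen.

$uninstallKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

# SystemComponent=1 marks entries that Add/Remove Programs hides (runtimes,
# updates); drop them so only user-facing programs are counted.
$programs = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -and -not $_.SystemComponent } |
    Select-Object DisplayName, DisplayVersion, Publisher |
    Sort-Object DisplayName, DisplayVersion -Unique

# Classify by publisher string. Anything not published by Microsoft is
# treated as third-party, matching the report's categories.
$classified = $programs | ForEach-Object {
    $origin = if ($_.Publisher -match '^Microsoft') { 'Microsoft' } else { 'Third-party' }
    [pscustomobject]@{
        Name      = $_.DisplayName
        Version   = $_.DisplayVersion
        Publisher = $_.Publisher
        Origin    = $origin
    }
}

# Share of the installed base per origin, printed as a two-line summary.
$total = $classified.Count
$classified | Group-Object Origin | ForEach-Object {
    $pct = if ($total) { [math]::Round(100 * $_.Count / $total, 1) } else { 0 }
    '{0,-12} {1,4} programs ({2}%)' -f $_.Name, $_.Count, $pct
}

# Each distinct third-party publisher is, roughly, one more update mechanism
# the endpoint depends on, which is the point of the "12 update mechanisms" figure.
$publishers = $classified | Where-Object Origin -eq 'Third-party' |
    Select-Object -ExpandProperty Publisher -Unique | Sort-Object
'{0} distinct third-party publishers' -f $publishers.Count

# Full inventory (name, version, publisher) for matching against a
# vulnerability feed; the path is an arbitrary choice for this example.
$classified | Export-Csv -Path .\installed-programs.csv -NoTypeInformation
```

Run it in an elevated PowerShell session so both the 64-bit and 32-bit (WOW6432Node) hives are readable; the per-user HKCU key only reflects the account running the script, so a fleet-wide inventory needs to run under each user or pull the HKU hives directly.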

And while vulnerabilities decreased last year overall, the top 20 commercial and open-source software providers were not able to whittle down the number of bugs in their products, according to the report.

That shocked Frei. "Despite all the investment they made into security, none of them achieved the result of reducing the number of vulnerabilities in 2011 compared to the previous five years," he says. "I would have expected an even playing field where some would have decreased or increased. It shows that this is an arms race and still a very complex problem."

Organizations are most at risk at the endpoint, the report says, and it takes about 12 different update mechanisms -- including Microsoft's -- to secure the average endpoint. Even little-known or rarely used applications can put the endpoint at risk, Secunia found.

A full copy of the Secunia Yearly Report for 2011 is available for download.


Kelly Jackson Higgins is Senior Editor at Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, ...

User Rank: Apprentice
2/24/2012 | 3:35:49 AM
re: Nearly 80% Of All Bugs Are In Third-Party Apps
There is another story that mobile apps are being built and deployed with very little regard to security, so it looks like mobile apps will become a bigger and bigger slice of the bug-source pie, at least until good security standards are (re)introduced to mobile development. Are there any security-related libraries, or libraries with improved security features coming out soon for mobile platforms?

--- Jonathon
User Rank: Apprentice
2/20/2012 | 6:57:08 AM
re: Nearly 80% Of All Bugs Are In Third-Party Apps
This article reports the "Nearly 80% Of All Bugs Are In Third-Party Applications."