8/10/2015
12:30 PM
Dark Reading
Products and Releases
Half year trend, Android vs iOS X vulnerabilities, OpenSSL update and more Secunia at Black Hat USA 2015

Copenhagen, Denmark - August 6, 2015 – Secunia, a leading provider of IT security solutions that enable management and control of vulnerability threats, has taken an early peek at the trend in vulnerabilities for 2015. Seven months into the year, the number of detected zero-day vulnerabilities has risen substantially compared to 2014, while the total number of vulnerabilities is largely the same as this time last year.

15 zero-days have been discovered so far in 2015, making it likely that the total 2015 number will exceed the 25 discovered in 2014. The 2015 zero-days were all discovered in popular Adobe and Microsoft products widely in use across private and professional IT systems.

“The increasing number of zero-days is not a surprise. It would be more of a concern if the number dropped, because that would mean that the zero-days we can be sure are out there were going undetected – after all, Hacking Team, the Italian company reported to be selling a product utilizing bought zero-days to governments and corporations, is not the only company of its kind out there,” said Kasper Lindgaard, Director of Research and Security at Secunia.

At 9,225, the total number of vulnerabilities discovered from January 1 to July 31 is on a par with the 9,560 discovered over the same period in 2014, but Secunia’s preliminary findings do indicate a shift in criticality ratings: a slightly higher share of the vulnerabilities discovered are rated “extremely critical” (from 0.3% to 0.5%) and “highly critical” (from 11.1% to 12.7%), while there is a drop in the “moderately critical” category (from 28.2% to 23.7%).

Android vs iOS - what’s in a number?!

Secunia has also taken a look at the number of vulnerabilities discovered in the two most popular operating systems on mobile phones: around 80 vulnerabilities have been discovered in iOS, and approximately 10 in Android.

“The fact that fewer vulnerabilities are discovered in Android should under no circumstances be misinterpreted to imply that Android OS is more secure than iOS. The trouble with a vulnerability in Android OS is that Google, the vendor behind the operating system, has no control of its patch status on the majority of the devices that run it, because those devices are produced and maintained by third-party vendors. The “Stagefright” vulnerabilities discovered by Zimperium, which were disclosed last week, are a perfect example of the problem: Google has acted quickly and issued a patch, but from there on it’s up to phone vendors – Samsung, HTC, Sony, etc. – to push the patch live to the users. In comparison, Apple can issue patches and push updates directly to all devices running iOS – a much more controlled process,” said Kasper Lindgaard.


Enterprise product vendors

Secunia Research has compared the number of vulnerabilities discovered in distinct core products, used in corporate IT infrastructures, from seven major vendors: IBM, Citrix, Hitachi, HP, Juniper, Oracle and VMware:

“Hundreds of different products from these vendors contain vulnerabilities, and it is important to remember to also focus on these. On private PCs you will find the same vulnerable applications from the same vendors again and again, but in the corporate environment the list of vulnerable products is far more nuanced. While there is certainly ‘repeat business’ every month, the corporate environment contains a wide variety of products, used in all manner of business contexts, with code that is just as flawed as any other code. This means that what you patched to stay secure last month will do your security very little good next month. It is an extremely complicated task to keep your corporate environment fully patched at all times,” Kasper Lindgaard stated.

OpenSSL update

Since the Heartbleed vulnerability in April 2014 opened the can of worms that is vulnerabilities in open source libraries, several additional vulnerabilities have been discovered in OpenSSL, and users of the library have been hit by 5 distinct waves. OpenSSL #5 has been doing the rounds for two months and appears to be following the trail of OpenSSL #4. So far, some 100 products have been reported vulnerable to OpenSSL #5, which is a far cry from the 800 reported vulnerable to OpenSSL #2 last year. The discrepancy between the two numbers indicates that a lot of products out there are vulnerable, even though the vendors have not reported them as such.

“The fact that vendors do not report to their customers that products have been made vulnerable by OpenSSL, and consequently do not offer solutions to the customers on how they should mitigate and protect their infrastructure, makes it very hard for users to secure their environment. Because OpenSSL comes bundled in many third-party products, customers are not necessarily aware that they have it in their inventory, and so cannot take appropriate action,” explained Kasper Lindgaard.
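The inventory problem Lindgaard describes has a practical check. OpenSSL compiles its version banner (OPENSSL_VERSION_TEXT, for example "OpenSSL 1.0.1f 6 Jan 2014") into libcrypto and libssl, so a copy that a vendor has statically linked or shipped privately inside an appliance or agent normally still carries that string even when no package manager knows about it. The Python script below is an added example, not part of Secunia's release or its products: it scans files for that banner and compares each hit against a per-branch minimum version. The sample "binaries" are constructed inline, the function names are this example's own, and the policy table is an assumption holding a single entry that is a known fact (1.0.1g was the release that fixed Heartbleed); in real use, fill it from the current OpenSSL advisories.

```python
"""Find OpenSSL version banners embedded in third-party binaries.

Added example (not Secunia's tooling). The library's version text is part of
the compiled object, so grepping files for it surfaces bundled copies that the
OS package inventory does not list.
"""
import re
import sys
from pathlib import Path
from typing import Dict, Iterable, List, Optional, Tuple

# Matches "OpenSSL 1.0.1f", "OpenSSL 1.0.2d-fips", "OpenSSL 0.9.8zg", ...
# Requires a digit after "OpenSSL " so prose like "uses OpenSSL for" is ignored.
BANNER_RE = re.compile(rb"OpenSSL (\d+)\.(\d+)\.(\d+)([a-z]{0,2})(?:-fips)?\b")

Version = Tuple[int, int, int, str]          # (major, minor, fix, letter)
Finding = Tuple[str, str, Optional[bool]]    # (file, version, outdated?)

# Assumed policy table: per 1.0.x-style branch, the oldest acceptable release.
# Only the Heartbleed floor is given here as a known fact; extend from advisories.
DEFAULT_MINIMUMS: Dict[Tuple[int, int, int], Version] = {
    (1, 0, 1): (1, 0, 1, "g"),   # 1.0.1g fixed Heartbleed (CVE-2014-0160)
}

# Constructed sample files standing in for a vendor appliance's filesystem.
SAMPLE_FILES: Dict[str, bytes] = {
    "vendor/libcrypto.so.1.0.0": b"\x7fELF\x02\x01" + b"\x00" * 16
                                 + b"OpenSSL 1.0.1f 6 Jan 2014\x00" + b"\x00" * 8,
    "vendor/agent":              b"\x7fELF\x02\x01" + b"OpenSSL 1.0.2d-fips 9 Jul 2015\x00",
    "vendor/README":             b"Uses OpenSSL for TLS; see docs.\n",
}


def parse_version(text: str) -> Version:
    """'1.0.1f' -> (1, 0, 1, 'f'). Tuples compare correctly because the
    letter suffix sorts after the empty string ('' < 'a' < ... < 'z' < 'za')."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)([a-z]{0,2})", text)
    if not m:
        raise ValueError(f"not an OpenSSL 1.0.x-style version: {text!r}")
    return int(m[1]), int(m[2]), int(m[3]), m[4]


def format_version(v: Version) -> str:
    return f"{v[0]}.{v[1]}.{v[2]}{v[3]}"


def find_banners(blob: bytes) -> List[Version]:
    """Return every distinct OpenSSL version embedded in blob, in file order."""
    found: List[Version] = []
    for m in BANNER_RE.finditer(blob):
        v = (int(m[1]), int(m[2]), int(m[3]), m[4].decode("ascii"))
        if v not in found:
            found.append(v)
    return found


def is_outdated(v: Version, minimums: Dict[Tuple[int, int, int], Version]) -> Optional[bool]:
    """True if v is older than the floor for its branch; None when the branch
    is not in the policy table, which the caller should treat as 'review'."""
    floor = minimums.get(v[:3])
    if floor is None:
        return None
    return v < floor


def scan_blobs(files: Dict[str, bytes],
               minimums: Dict[Tuple[int, int, int], Version]) -> List[Finding]:
    """Scan in-memory file contents; one finding per (file, version) pair."""
    return [(name, format_version(v), is_outdated(v, minimums))
            for name, data in files.items()
            for v in find_banners(data)]


def scan_paths(roots: Iterable[Path],
               minimums: Dict[Tuple[int, int, int], Version]) -> List[Finding]:
    """Walk files and directories on disk and scan every readable regular file."""
    findings: List[Finding] = []
    for root in roots:
        candidates = root.rglob("*") if root.is_dir() else [root]
        for p in candidates:
            if not p.is_file():
                continue
            try:
                data = p.read_bytes()
            except OSError:
                continue  # unreadable (permissions, device nodes): skip it
            findings.extend(scan_blobs({str(p): data}, minimums))
    return findings


if __name__ == "__main__":
    # Usage: python openssl_inventory.py /opt/vendor /usr/local/appliance
    # With no arguments the constructed sample files are scanned instead.
    targets = [Path(a) for a in sys.argv[1:]]
    report = scan_paths(targets, DEFAULT_MINIMUMS) if targets else scan_blobs(SAMPLE_FILES, DEFAULT_MINIMUMS)
    labels = {True: "OUTDATED", False: "ok", None: "branch not in policy, review"}
    for name, ver, outdated in report:
        print(f"{name}: OpenSSL {ver} [{labels[outdated]}]")
```

Two caveats when reading the output. A banner hit means "bundled OpenSSL present, review it", not "vulnerable": distribution vendors routinely backport fixes while keeping the upstream version string (a "1.0.1e-fips" on an enterprise Linux build may carry the Heartbleed fix), so confirm against the vendor's own advisory. Conversely, a product with no hit is not cleared; a vendor may have renamed or stripped the banner, and the script reads whole files into memory, so point it at the product's install tree rather than a full disk.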


About Secunia

Founded in 2002, Secunia is a leading provider of IT security solutions that help businesses and private individuals globally manage and control vulnerability threats, risks across their networks, and end-points. This is enabled by Secunia’s award-winning Vulnerability Intelligence, Vulnerability Assessment, and Patch Management solutions that ensure optimal and cost-effective protection of critical information assets.

Secunia plays an important role in the IT security ecosystem, and is the preferred supplier for enterprises and government agencies worldwide, counting Fortune 500 and Global 2000 businesses among its customer base. Secunia is headquartered in Copenhagen, Denmark.

For more information, please visit secunia.com


Follow Secunia

•  Twitter: twitter.com/Secunia 

•  Facebook: facebook.com/Secunia 

•  Blog: secunia.com/blog/

•  LinkedIn: linkedin.com/company/secunia
