3/14/2013
05:26 PM
Dark Reading

Non-Microsoft Vulnerabilities Account For 86% Of Vulnerabilities In The Most Popular Programs

Number of vulnerabilities discovered in the 50 most popular programs on private PCs has increased by 98% over the past five years, according to Secunia Vulnerability Review 2013

COPENHAGEN, Denmark, March 14, 2013 /PRNewswire/ -- 86% of vulnerabilities discovered in the most popular 50 programs in 2012 were in non-Microsoft (or "third-party") programs. The result was published today in the Secunia Vulnerability Review 2013. Secunia is a leading provider of IT security solutions that enable management and control of vulnerability threats. The Secunia Vulnerability Review 2013 analyzes the evolution of software vulnerabilities from a global, industry, enterprise, and endpoint perspective.

The Secunia Vulnerability Review findings support that the primary threat to endpoint security for corporations and private users alike comes from non-Microsoft programs, and that vulnerability and patch management efforts must extend well beyond the familiar interfaces of Microsoft software and a few usual suspects from other vendors.

The identified 86% represent an increase from 2011, when non-Microsoft programs represented 78% of vulnerabilities discovered in the Top 50 most popular programs. The remaining 14% of vulnerabilities were found in Microsoft programs and Windows operating systems – a much lower share compared to 2011, indicating that Microsoft continues to focus on security in their products.

Number of vulnerabilities is on the increase

"Companies cannot continue to ignore or underestimate non-Microsoft programs as the major source of vulnerabilities that threaten their IT infrastructure and overall IT-security level. The number of vulnerabilities is on the increase, but many organizations continue to turn a blind eye, thereby jeopardizing their entire IT infrastructure: It only takes one vulnerability to expose a company, and no amount of processes and technology that supports operating systems and Microsoft programs will suffice in providing the required level of protection," said Morten R. Stengaard, Secunia's Director of Product Management.

The Secunia Vulnerability Review 2013 documents that the number of vulnerabilities discovered in the 50 most popular programs on private PCs has increased by 98% over the past 5 years, and non-Microsoft programs are the culprits. Consequently, it is becoming more and more necessary for companies to invest and focus on vulnerability and patch management in order to deal with the root cause of many security issues: vulnerabilities in software.

Information technology research company Gartner's research emphasizes the risk software vulnerabilities pose to organizations, and presents a strong argument for a proactive approach to getting patch management up to speed:

"Through 2015, 80% of successful attacks will exploit well-known vulnerabilities and be detectable via security monitoring. [...] Applications are the gateways to the data that is the focus of a targeted attack. Dynamic application security testing (DAST) tools can be used to scan production applications to find vulnerabilities. When a vulnerability is present on a running application, production data is at risk, and remediation cycle times are long – typically taking multiple months." (*1)

Ignore at your own peril

Gartner places "patching beyond just the OS (common applications) on all systems" among their "Best Security" recommendations for securing midmarket IT environments (*2).

Even so, IT professionals everywhere are inclined to focus on patching Microsoft programs, operating systems and just a few other programs. And ignoring the threat that vulnerabilities represent in non-Microsoft programs is both reckless and unnecessary.

'Reckless', because in the most popular 50 programs, no less than 1,137 vulnerabilities were discovered in 18 different programs - that's an average of 63 vulnerabilities per vulnerable product in the most popular programs on private PCs worldwide.

'Unnecessary', because Secunia's research also demonstrates a positive trend: In 2012, 84% of vulnerabilities had a patch available on the day they were disclosed.

"This means that it is possible to remediate the majority of vulnerabilities. There is no excuse for not patching. To take advantage of this improvement in patch availability, organizations must know which programs are present on their systems and which of these programs are insecure, and then take an intelligent and prioritized approach to remediating them," said Morten R. Stengaard.

The fact that 84% of vulnerabilities have a patch available on the day of disclosure is an improvement over the previous year, 2011, in which 72% had a patch available on the day of disclosure. The most likely explanation for this improvement in 'time-to-patch' is that more researchers coordinate their vulnerability reports with vendors.

(*1) Gartner Research: "Adapting Vulnerability Management to Advanced Threats", August 2012.

(*2) Gartner Webinar: "Best Practices for Securing Midmarket IT Environments", February 2013.

Key findings from the Secunia Vulnerability Review 2013

1. Non-Microsoft (third-party) programs rather than programs from Microsoft are responsible for the growth in vulnerabilities.

2. Over a five-year period, the share of third-party vulnerabilities has increased from 57% in 2007 to 86% in 2012. From 2011 to 2012 alone, the share increased from 78% to 86%.

3. 86% of vulnerabilities in 2012 affected third-party programs, by far outnumbering the 5.5% of vulnerabilities found in operating systems or the 8.5% of vulnerabilities discovered in Microsoft programs.

In 2011, the numbers were 78% (non-Microsoft), 10% (operating systems) and 12% (Microsoft).

4. The total number of vulnerabilities in the Top 50 most popular programs was 1,137 in 2012, showing a 98% increase in the 5-year trend. Most of these were rated by Secunia as either 'Highly critical' (78.8%) or 'Extremely critical' (5.3%).

5. The 1,137 vulnerabilities were discovered in 18 products in the Top 50 portfolio - that's 63 vulnerabilities per vulnerable product on average.

6. In 2012, 2,503 vulnerable products were discovered with a total of 9,776 vulnerabilities in them. That means there's an average of 4 vulnerabilities per vulnerable product.

7. 84% of vulnerabilities had patches available on the day of disclosure; therefore the power to patch end-points is in the hands of all end-users and organizations. In 2011, the number was 72%.

About the Secunia Vulnerability Review 2013

The Secunia Vulnerability Review 2013 analyzes the evolution of software security from a global, industry, enterprise, and endpoint perspective. It presents data on vulnerabilities and exploits and the availability of patches and correlates this information with the market share of programs to evaluate the true threats.

Identifying the 50 most popular programs (the Top 50 portfolio):

To assess how exposed endpoints are, we analyze the types of products typically found on an endpoint. For this analysis we use anonymous data gathered from scans throughout 2012 of the millions of private computers which have the Secunia Personal Software Inspector (PSI) installed.

PSI users' computers have an average of 72 programs installed on them – from country to country and region to region there are variations as to which programs are installed. For the sake of clarity, we have chosen to focus on the state of a representative portfolio of the 50 most common products found on the computers. These 50 programs comprise 29 Microsoft programs and 21 third-party programs.

Learn more at: secunia.com/vulnerability-review

About Secunia

Founded in 2002, Secunia is the leading provider of IT security solutions that help businesses and private individuals globally manage and control vulnerability threats, risks across their networks, and end-points. This is enabled by Secunia's award-winning Vulnerability Intelligence, Vulnerability Assessment, and Patch Management solutions that ensure optimal and cost-effective protection of critical information assets.

Secunia plays an important role in the IT security ecosystem, and is the preferred supplier for enterprises and government agencies worldwide, counting Fortune 500 and Global 2000 businesses among its customer base. Secunia is headquartered in Copenhagen, Denmark.

For more information, please visit secunia.com

Follow Secunia

Twitter: http://twitter.com/Secunia

Facebook: http://www.facebook.com/Secunia

Blog: http://secunia.com/blog/

LinkedIn: http://www.linkedin.com/company/secunia

 
