Don't blame it on Microsoft: The lion's share of vulnerabilities last year were in third-party applications, with 78 percent of all bugs, versus 10 percent in Microsoft software products, according to a new report published today.

Secunia's annual report for 2011 found that the number of endpoint flaws jumped past 800 bugs, more than half of which were considered very critical.

"What we see is a consolidation, with fewer vendors responsible for more vulnerabilities," says Stefan Frei, research analyst director for Secunia. "Most of the vulnerabilities are highly critical and exploitable."

The jump in third-party flaws is dramatic when compared with 2006, when it was less than half, at 45 percent. Around 12 percent of last year's bugs were in operating systems. Secunia also found that more than half of software programs that are vulnerable in an organization with more than 600 programs aren't vulnerable the next year. And half that are not vulnerable one year will be the next. "Therefore, identifying all installed programs and implementing an agile, dynamic patching strategy according to criticality in the remediation phase, as opposed to a short-sighted approach of only patching a static set of preferred programs, clearly wins in terms of achieving optimal risk reduction with limited resources," Frei said in a statement.

And while vulnerabilities decreased last year overall, the top 20 commercial and open-source software providers were not able to whittle down the number of bugs in their products, according to the report.

That shocked Frei. "Despite all the investment the made into security, none of them achieved the result of reducing the number of vulnerabilities in 2011 compared to the previous five years," he says. "I would have expected an even playing field where some would have decreased or increased. It shows that this is an arms race and still a very complex problem."

Organizations are most at risk at the endpoint, the report says, and it takes about 12 different update mechanisms -- including Microsoft's -- to secure the average endpoint. And even lesser-known or used software applications can be at risk, Secunia found.

A full copy of the Secunia Yearly Report for 2011 is available here for download.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.