The Secunia Vulnerability Review findings support that the primary threat to endpoint security for corporations and private users alike comes from non-Microsoft programs, and that vulnerability and patch management efforts must reach well beyond the familiar interfaces of Microsoft software and a few usual suspects from other vendors.
The identified 86% represent an increase from 2011, when non-Microsoft programs represented 78% of vulnerabilities discovered in the Top 50 most popular programs. The remaining 14% of vulnerabilities were found in Microsoft programs and Windows operating systems – a much lower share compared to 2011, indicating that Microsoft continues to focus on security in their products.
Number of vulnerabilities is on the increase
"Companies cannot continue to ignore or underestimate non-Microsoft programs as the major source of vulnerabilities that threaten their IT infrastructure and overall IT-security level. The number of vulnerabilities is on the increase, but many organizations continue to turn a blind eye, thereby jeopardizing their entire IT infrastructure: It only takes one vulnerability to expose a company, and no amount of processes and technology that supports operating systems and Microsoft programs will suffice in providing the required level of protection," said Morten R. Stengaard, Secunia's Director of Product Management.
The Secunia Vulnerability Review 2013 documents that the number of vulnerabilities discovered in the 50 most popular programs on private PCs has increased by 98% over the past 5 years, and non-Microsoft programs are the culprits. Consequently, it is becoming more and more necessary for companies to invest and focus on vulnerability and patch management in order to deal with the root cause of many security issues: vulnerabilities in software.
Research by Gartner, the information technology research company, emphasizes the risk software vulnerabilities pose to organizations, and presents a strong argument for a proactive approach to getting patch management up to speed:
"Through 2015, 80% of successful attacks will exploit well-known vulnerabilities and be detectable via security monitoring. [...] Applications are the gateways to the data that is the focus of a targeted attack. Dynamic application security testing (DAST) tools can be used to scan production applications to find vulnerabilities. When a vulnerability is present on a running application, production data is at risk, and remediation cycle times are long – typically taking multiple months." (*1)
Ignore at your own peril
Gartner places "patching beyond just the OS (common applications) on all systems" among their "Best Security" recommendations for securing midmarket IT environments (*2).
Even so, IT professionals everywhere are inclined to focus on patching Microsoft programs, operating systems and just a few other programs. Ignoring the threat that vulnerabilities in non-Microsoft programs represent is both reckless and unnecessary.
'Reckless', because in the most popular 50 programs, no less than 1,137 vulnerabilities were discovered in 18 different programs - that's an average of 63 vulnerabilities per vulnerable product in the most popular programs on private PCs worldwide.
'Unnecessary', because Secunia's research also demonstrates a positive trend: in 2012, 84% of vulnerabilities had a patch available on the day they were disclosed.
"This means that it is possible to remediate the majority of vulnerabilities. There is no excuse for not patching. To take advantage of this improvement in patch availability, organizations must know which programs are present on their systems and which of these programs are insecure, and then take an intelligent and prioritized approach to remediating them," said Morten R. Stengaard.
The fact that 84% of vulnerabilities have a patch available on the day of disclosure is an improvement over the previous year, 2011, in which 72% had a patch available on the day of disclosure. The most likely explanation for this improvement in 'time-to-patch' is that more researchers coordinate their vulnerability reports with vendors.
(*1): Gartner Research: "Adapting Vulnerability Management to Advanced Threats", August 2012.
(*2): Gartner Webinar: "Best Practices for Securing Midmarket IT Environments", February 2013.
Key findings from the Secunia Vulnerability Review 2013