The Secunia Vulnerability Review 2014 has been released. The report shows that a total of 1,208 vulnerabilities were discovered last year in the top 50 most popular applications. A total of 13,073 flaws were reported in all products in 2013.
76% of these vulnerabilities affected third-party software; the remaining security holes were uncovered in Microsoft programs. It is worth noting, however, that the third-party programs in which those vulnerabilities were found make up only 34% of the 50 most popular applications installed on private computers, so a third of the programs account for three quarters of the flaws.
“It is one thing that third-party programs are responsible for the majority of vulnerabilities on a typical PC, rather than Microsoft programs. However, another very important security factor is how easy it is to update Microsoft programs compared to third-party programs,” said Secunia CTO Morten R. Stengaard.
“Quite simply, the automation with which Microsoft security updates are made available to end users – through auto-updates, Configuration Management systems and update services – ensures that it is a reasonably simple task to protect private PCs and corporate infrastructures from the vulnerabilities discovered in Microsoft products,” Stengaard added.
“This is not so with the large number of third-party vendors, many of whom lack either the capabilities, resources or security focus to make security updates automatically and easily available.”
The report highlights the fact that for 86% of the security bugs discovered in 2013 in the top 50 most popular products, a patch was available on the day their existence was made public. Across all products, 79% of the vulnerabilities identified had a patch available on the day of disclosure.
“With these numbers in mind, we can conclude that intelligent, comprehensive and deployable patch management goes a long way towards protecting IT infrastructures. And supported by an effective risk management strategy it is possible for organizations to meet the threat posed by vulnerabilities, and to protect the business-critical and sensitive information they store in their systems,” Stengaard said.
The vulnerability review also analyzes the breach suffered last year by the US Department of Energy, which affected over 100,000 people and cost the government $1.6 million (€1.17 million).
The breach, made possible by a combination of managerial and technological weaknesses, is a perfect example of why organizations need to gain proper visibility into their networks. Stengaard highlights the need for such visibility so that enterprises are capable of determining the “criticality of a threat to their data.”
The complete Secunia Vulnerability Review 2014 is available on the company’s website.