
The 86% identified represents an increase from 2011, when non-Microsoft programs accounted for 78% of the vulnerabilities discovered in the Top 50 most popular programs. The remaining 14% of vulnerabilities were found in Microsoft programs and Windows operating systems – a much lower share than in 2011, indicating that Microsoft continues to focus on security in its products.
"In general we see good vendor response times for 0-day vulnerabilities throughout the large software manufacturers. For coordinated disclosures and disclosures on e.g. mailing lists the timeline is longer. This is most probably due to the vendors' patch release cycles. We have seen shorter time-to-patch times from most of the vendors compared to 2011; there is, however, still room for improvement, so the vendors can ensure that users of their software receive patches at a quicker pace," Kasper Lindgaard, Head of Research for Secunia, told Help Net Security.
Gartner places “patching beyond just the OS (common applications) on all systems” among their “Best Security” recommendations for securing midmarket IT environments.
Even so, IT professionals everywhere are inclined to focus on patching Microsoft programs, operating systems and just a few other programs. And ignoring the threat that vulnerabilities represent in non-Microsoft programs is both reckless and unnecessary.
‘Reckless’, because in the most popular 50 programs, no less than 1,137 vulnerabilities were discovered in 18 different programs - that’s an average of 63 vulnerabilities per vulnerable product in the most popular programs on private PCs worldwide.
The fact that 84% of vulnerabilities had a patch available on the day of disclosure is an improvement on the previous year, 2011, in which 72% had a patch available on the day of disclosure. The most likely explanation for this improvement in ‘time-to-patch’ is that more researchers coordinate their vulnerability reports with vendors.

“Companies cannot continue to ignore or underestimate non-Microsoft programs as the major source of vulnerabilities that threaten their IT infrastructure and overall IT-security level. The number of vulnerabilities is on the increase, but many organizations continue to turn a blind eye, thereby jeopardizing their entire IT infrastructure: It only takes one vulnerability to expose a company, and no amount of processes and technology that supports operating systems and Microsoft programs will suffice in providing the required level of protection,” said Morten R. Stengaard, Secunia’s Director of Product Management.
Key findings from the report:
1. Non-Microsoft (third-party) programs rather than programs from Microsoft are responsible for the growth in vulnerabilities.
2. Over a five year period, the share of third-party vulnerabilities has increased from 57% in 2007 to 86% in 2012. From 2011 to 2012 alone, the number increased from 78% to 86%.
3. 86% of vulnerabilities in 2012 affected third-party programs, by far outnumbering the 5.5% of vulnerabilities found in operating systems or the 8.5% of vulnerabilities discovered in Microsoft programs. In 2011, the numbers were 78% (non-Microsoft), 10% (operating systems) and 12% (Microsoft).
4. The total number of vulnerabilities in the Top 50 most popular programs was 1,137 in 2012, showing a 98% increase in the 5 year trend. Most of these were rated by Secunia as either ‘Highly critical’ (78.8%) or ‘Extremely critical’ (5.3%).
5. The 1,137 vulnerabilities were discovered in 18 products in the Top 50 portfolio - that's 63 vulnerabilities per vulnerable product on average.
6. In 2012, 2,503 vulnerable products were discovered with a total of 9,776 vulnerabilities in them. That means there's an average of 4 vulnerabilities per vulnerable product.
7. 84% of vulnerabilities had patches available on the day of disclosure; therefore the power to patch end-points is in the hands of all end-users and organizations. In 2011, the number was 72%.
