Third-party programs responsible for 76% of vulnerabilities in popular software

Third-party programs are responsible for 76% of the vulnerabilities discovered in the 50 most popular programs in 2013, say the results of Secunia’s Vulnerability Review 2014, which is based on a sampling of the company’s seven million PSI users.

The Secunia Vulnerability Review analyzes the global vulnerability trends, and takes a particularly thorough look at the 50 most popular programs on private PCs – the Top 50 portfolio. Those 50 programs pervade enterprise IT infrastructures, either as integral business tools that are approved, monitored and maintained by IT operations – for example PDF readers and internet browsers; or as apps on the private devices of employees and management, used in the workplace with or without permission.

In these Top 50 programs, a total of 1,208 vulnerabilities were discovered in 2013. Third-party programs were responsible for 76% of those vulnerabilities, although these programs only account for 34% of the 50 most popular programs on private PCs.

The share of Microsoft programs (including the Windows 7 operating system) in the Top 50 is a prominent 33 products – 66%. Even so, Microsoft programs are only responsible for 24% of the vulnerabilities in the Top 50 programs in 2013.

While there is an abundance of vulnerabilities, it is important to emphasize that one vulnerability is all hackers need to breach security.

A recent and unusually well-documented example of how one well-known vulnerability can cause havoc is the security breach in the US Department of Energy in 2013, which incurred costs of $1.6 million and resulted in the theft of the personal information of 104,000 employees and their families.

The security breach in the US Department of Energy was caused by a combination of managerial and technological system weaknesses – the perfect feeding ground for hackers, enabling them to exploit vulnerabilities present in an infrastructure.

Key findings from the review:

• 76% of vulnerabilities in the 50 most popular programs on private PCs in 2013 affected third-party programs, by far outnumbering the 8% of vulnerabilities found in operating systems or the 16% of vulnerabilities discovered in Microsoft programs.

  In 2012, the numbers were 86% (non-Microsoft), 5.5% (operating systems) and 8.5% (Microsoft).

• The 1,208 vulnerabilities were discovered in 27 products in the Top 50 portfolio.
• The 17 third-party products which only account for 34% of products are responsible for 76% of the vulnerabilities discovered in Top 50.

  Of the 17 third-party programs, 10 were vulnerable. Of the 33 Microsoft programs in the Top 50, 17 were vulnerable.

• Microsoft programs (including the Windows 7 operating system) account for 66% of the products in Top 50, but were only responsible for 24% of the vulnerabilities.
• Over a five year period, the share of third-party vulnerabilities hovers around 75% – in 2013 it was at 76%.
• The total number of vulnerabilities in the Top 50 most popular programs was 1,208 in 2013, showing a 45% increase in the 5 year trend. Most of these were rated by Secunia as either “Highly critical’ (68.2%) or “Extremely critical’ (7.3%).
• In 2013, 2,289 vulnerable products were discovered with a total of 13,073 vulnerabilities in them.
• 86% of vulnerabilities in the Top 50 had patches available on the day of disclosure in 2013; therefore the power to patch end-points is in the hands of all end-users and organizations.
• 79% of vulnerabilities in all products had patches available on the day of disclosure in 2013.
• In 2013, 727 vulnerabilities were discovered in the 5 most popular browsers: Google Chrome, Mozilla Firefox, Internet Explorer, Opera, Safari.
• In 2013, 70 vulnerabilities were discovered in the 5 most popular PDF readers: Adobe Reader, Foxit Reader, PDF-XChange Viewer, Sumatra PDF and Nitro PDF Reader.

“It is one thing that third-party programs are responsible for the majority of vulnerabilities on a typical PC, rather than Microsoft programs. However, another very important security factor is how easy it is to update Microsoft programs compared to third-party programs. Quite simply, the automation with which Microsoft security updates are made available to end users – through auto-updates, Configuration Management systems and update services – ensures that it is a reasonably simple task to protect private PCs and corporate infrastructures from the vulnerabilities discovered in Microsoft products. This is not so with the large number of third-party vendors, many of whom lack either the capabilities, resources or security focus to make security updates automatically and easily available,” said Secunia CTO, Morten R. Stengaard.