Non-Microsoft security flaws the ones to watch, Secunia analysis finds

But patching improving

The number of security flaws affecting Windows users rose five percent last year and the culprits are overwhelmingly non-Microsoft programs, the latest study from information provider Secunia has found.

In 2012, the total number of vulnerabilities recorded in Secunia advisories and tracked using Common Vulnerabilities and Exposures (CVE) identifiers reached 9,776, in products from 421 different vendors; one fifth of these were rated as 'highly critical' or 'critical'.

Using data gathered by Secunia's Personal Software Inspector (PSI) program, the company found that the average PC was running 72 programs, with the 50 most commonly found programs comprising 29 from Microsoft and 21 from third parties.

Despite the number of Microsoft programs, only 14 percent of the vulnerabilities in the top 50 were caused by its software, a drop that continues a well-established trend towards third-party security flaws in recent years.

On the face of it, the top offenders in the top 50 were Google's Chrome with 291 vulnerabilities in 2011-2012, Mozilla Firefox with 257, Apple iTunes with 243, followed by Flash Player on 67, Java on 66, and Reader on 43.

Peer into Secunia's slightly convoluted presentation of the figures and it becomes clear that there is some double counting here; a Flash vulnerability, for example, is counted against each browser it runs in as well as against Flash itself.

It's not clear why Secunia didn't state this more explicitly, but there is plenty of independent evidence that the top offenders for vulnerabilities in popular programs are mainly Java, Adobe's Reader and Flash browser plugins and Apple's iTunes.

Despite extensive press coverage, zero days are a surprisingly rare, if sometimes significant, event, with the 25 most popular programs seeing only eight in the course of 2012.

This is down on the previous two years, which saw 12 and 14 respectively, although again it's difficult to draw any hard conclusions from this fall. How significant a zero day becomes depends on how quickly and widely it is exploited and on how long the vendor takes to patch it.

Encouragingly, the time to patch continues to improve, with 80 percent of all flaws having a patch available on the day they were disclosed. Browser vendors are particularly good at fixing flaws quickly, Secunia said.

What can be concluded from this is that vendors are putting more effort into patching zero days and vulnerabilities generally, and better coordinating with bug researchers. It's also true that criminals are probably researching new ones more aggressively than in the past, leaving software users caught in an uncertain limbo.

"Companies cannot continue to ignore or underestimate non-Microsoft programs as the major source of vulnerabilities that threaten their IT infrastructure and overall IT-security level," said Secunia's director of product management, Morten R. Stengaard.

"The number of vulnerabilities is on the increase, but many organizations continue to turn a blind eye, thereby jeopardizing their entire IT infrastructure," he suggested.

In fairness to organisations, it's not clear that this is true in a year when interfaces such as Java have found themselves affected by a stream of serious flaws.

Most sysadmins will have got the message long ago: if Microsoft's Patch Tuesday is the foundation, the bricks and mortar of security are now built by paying close attention to Reader, Flash and Java.


Stories by John E Dunn