Lazy patching keeps new vulnerability volumes rising: GFI

The number of reported operating-system and application vulnerabilities continued to rise during 2013 and is unlikely to slow given the continuing deficiencies in corporate patching strategies, according to the local technology head of GFI Software.

GFI, which develops a number of network and content security tools, has built up a database of more than 50,000 application and operating-system vulnerabilities from a range of sources. Over the past year that database grew by 4794 vulnerabilities, an average of around 13 new vulnerabilities per day.

Around one-third of the new vulnerabilities were classified as 'high severity', meaning that a successful exploit could cause considerable damage to the victim's computer.

Despite this threat, APAC technology manager Kris Hansen, who is based in the global company's Australian headquarters in Adelaide, told CSO Australia that “third-party apps are the biggest flaw”. While Microsoft has become relatively more secure because it can quickly remediate vulnerabilities through regular automatic updates, he said, a significant portion of customers in Australia and elsewhere are still skipping many recommended security updates for third-party applications.

“Microsoft are locking down their operating system a bit better, but it's amazing how many computers we go out and find a Java Runtime Environment [JRE] that's three years old,” he said, although the GFI analysis did note that Microsoft still had the largest number of 'high severity' vulnerabilities.

Many of those continued to persist despite the availability of fixes, Hansen said.

“The issue is the scale of actually checking on the third-party patches,” he explained. “Admins I talk with get that this is where the real targets are, but when they have 2000 computers on the network it's just not practical.”
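The scale problem Hansen describes is largely one of inventory: knowing which of 2000 machines still carries an old JRE. As an added illustration (this is not GFI's tooling or anything from the article), the script below normalises Oracle's two Java version notations ('1.7.0_45' and '7u45') into comparable tuples and reports every host below an assumed minimum build. The inventory dictionary and the minimum version are constructed sample data for the example.

```python
"""Flag fleet hosts running an out-of-date Java Runtime Environment.

Added example, not GFI's code. The inventory below is constructed sample
data, and the minimum acceptable build is an assumption for illustration,
not a recommendation taken from the article.
"""
import re
from typing import Dict, List, Optional, Tuple

# Assumed minimum acceptable JRE build (constructed for the example).
MIN_JRE = "1.7.0_51"

# Constructed sample inventory: hostname -> {product: installed version}.
INVENTORY: Dict[str, Dict[str, str]] = {
    "ws-001": {"Java Runtime Environment": "1.7.0_51", "Adobe Flash Player": "12.0.0.44"},
    "ws-002": {"Java Runtime Environment": "1.6.0_24"},
    "ws-003": {"Java Runtime Environment": "1.7.0_45", "Adobe Flash Player": "11.9.900.170"},
    "ws-004": {"Adobe Flash Player": "12.0.0.44"},            # no JRE installed
    "ws-005": {"Java Runtime Environment": "7u60"},           # Oracle short form: 7u60 == 1.7.0_60
    "ws-006": {"Java Runtime Environment": "unknown"},        # agent could not read the version
}

_LEGACY = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:_(\d+))?$")   # e.g. 1.7.0_45
_SHORT = re.compile(r"^(\d+)u(\d+)$")                      # e.g. 7u45


def parse_java_version(text: str) -> Optional[Tuple[int, int, int, int]]:
    """Normalise both Oracle notations to (major, minor, patch, update).

    '1.7.0_45' -> (1, 7, 0, 45); '7u45' -> (1, 7, 0, 45).
    Returns None for anything unrecognised so callers can flag it rather
    than silently treating an unknown build as current.
    """
    text = text.strip()
    m = _LEGACY.match(text)
    if m:
        major, minor, patch, update = m.groups()
        return (int(major), int(minor), int(patch), int(update or 0))
    m = _SHORT.match(text)
    if m:
        family, update = m.groups()
        return (1, int(family), 0, int(update))
    return None


def outdated_hosts(inventory: Dict[str, Dict[str, str]],
                   product: str, minimum: str) -> List[Tuple[str, str, str]]:
    """Return (host, version, reason) for every host whose installed build of
    `product` is older than `minimum` or whose version string is unparseable.
    Hosts without the product are skipped."""
    floor = parse_java_version(minimum)
    if floor is None:
        raise ValueError(f"cannot parse minimum version {minimum!r}")
    findings: List[Tuple[str, str, str]] = []
    for host in sorted(inventory):
        ver = inventory[host].get(product)
        if ver is None:
            continue
        parsed = parse_java_version(ver)
        if parsed is None:
            findings.append((host, ver, "unparseable version string"))
        elif parsed < floor:
            findings.append((host, ver, f"below minimum {minimum}"))
    return findings


if __name__ == "__main__":
    for host, ver, reason in outdated_hosts(INVENTORY, "Java Runtime Environment", MIN_JRE):
        print(f"{host}: JRE {ver} ({reason})")
```

In a real deployment the inventory would come from whatever agent or registry query the fleet tool exposes; the point of the example is that the version comparison must understand both Oracle notations and must treat an unreadable version as a finding, not as a pass.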

Oracle was by far the most vulnerable vendor, with a surge in high-impact vulnerabilities from 76 in 2012 to 131 last year and a jump in the total number of vulnerabilities from 424 in 2012 to 514 in 2013. Java accounted for 193 of these vulnerabilities, over 100 of which were classified as 'critical'.

Applications accounted for 75 per cent of reported vulnerabilities in 2013, while operating systems made up 19 per cent. That was a shift from the previous year, when operating-system weaknesses accounted for just 10 per cent of vulnerabilities.

Of the operating systems analysed, the Linux kernel had the largest number of vulnerabilities, with 158 flaws reported – although just 15 of these (9 per cent) were classified as 'high severity'. Microsoft Windows Server 2008, by contrast, ranked second with 104 vulnerabilities during 2013 – but 58 of these (56 per cent) were 'high severity'.

Microsoft Windows XP, which is over a decade old, still saw 88 new vulnerabilities discovered during 2013, including 47 high-severity weaknesses. That was more than double the 42 new vulnerabilities reported in 2012, reflecting apparently growing interest from attackers as the platform enters its final weeks of official Microsoft support.

The discontinuation of security updates for Windows XP has increasingly been fingered as a significant security threat to all kinds of businesses, with point-of-sale devices and ATMs among the biggest concerns.

Oracle's Java (193 vulnerabilities), Google Chrome (168), Microsoft Internet Explorer (128) and Adobe Acrobat (63) all saw a jump in the number of vulnerabilities during 2013 while Mozilla Firefox (149), Mozilla Thunderbird (113), Mozilla SeaMonkey (104), Mozilla Firefox ESR (100), Mozilla Thunderbird ESR (87), Adobe Flash Player (56) and Adobe Air (48) all saw a decline in the number of new vulnerabilities.

The sheer diversity of solutions was a major contributor to the continued incidence of new vulnerabilities, Hansen said. “If we have different pieces of software talking to each other, if those pieces of software need to talk to each other through a common infrastructure, someone is going to exploit that infrastructure.”

“We're always going to have the problem,” he continued. “While you allow environments to be diverse and to communicate with third parties, it's always going to be this game of trying to stay ahead.”


Stories by David Braue
