Don't forget non-mainstream platforms in patching regime, Secunia warns

Some 2211 new software vulnerabilities were discovered over the past three months alone, the latest quarterly audit by security solutions provider Secunia has found.

IBM was named as the vendor with the most vulnerable products over the past 3 months, with the Avant Browser named as the single most exposed product with 206 vulnerabilities attributed to its combination of both Chrome and Firefox rendering engines – and their attendant vulnerabilities.

CSOs need to evaluate risk across all of their technology platforms, Secunia advised, and to patch even less-mainstream operating systems and applications, not only the Windows and Linux server platforms that get most of the attention (and that security firm Trustwave previously flagged as having the “worst response time” for patching).

“Rather than keeping an eye on the news stories about vulnerabilities as they pop up,” the report warns, “you are much better off simply realizing that all software, hardware, middleware and firmware is potentially and probably vulnerable and that the product name doesn’t guarantee much – certainly not impregnable code.”

Google's Chrome browser topped May's Secunia Vulnerability Update leaderboard with 54 vulnerabilities, but was pushed out of the top 20 in June as a host of tools from pfSense, AlienVault, IBM and Microsoft climbed ahead of it. The Avant Browser trumped them all in July, with its 206 vulnerabilities putting blue sky between it and IBM Flex System Manager Node (140 vulnerabilities), Apple's Mac OS X (91 vulnerabilities), Oracle Solaris 11 (50 vulnerabilities), Microsoft Windows Server 2012 (49 vulnerabilities) and other platforms.

Earlier this year, the 2015 Worldwide Network Barometer published by integration giant Dimension Data found that 48 percent of Australia's network equipment is so old that it's no longer eligible to receive security patches; despite this, many Australian companies were responding reactively by only upgrading equipment on a case-by-case basis.

Most businesses lack formal systems for tracking sensitive data or managing patching, according to a recent Trustwave report. To make the situation even harder, Secunia's surveys have seen wide variations in the list of most-vulnerable products over time, which Secunia director of research and security Kasper Lindgaard said was a reminder to IT-security staff that patching regimes need to extend across the entire IT infrastructure.

“You shouldn't assume that, by patching the 10 high-profile software names that spring to mind when you think about what is in your infrastructure, you are all set and secure,” Lindgaard said in a statement.

“Keeping track of what makes your environment vulnerable is an ongoing and complex task that requires a combination of vulnerability intelligence and visibility of applications, devices and business critical data in your systems.”


Other recent Secunia research found that Australian PC users were worse at keeping their Windows PCs up to date than New Zealanders, but still well ahead of their US counterparts.

Recognising that patching has become an unwieldy challenge in increasingly fragmented IT ecosystems, and that attackers are rapidly taking advantage of windows of opportunity around unpatched bugs, vendors have recently stepped up their efforts to facilitate the process for their corporate clients. Microsoft, significantly, has made the application of patches in Windows 10 both transparent and automatic, while makers of Android-based devices have recently stepped up their efforts in applying Android security patches.


Stories by David Braue
