Software vulnerabilities are getting less serious over time, audit suggests

Local-network attacks continued to climb in 2015 as a proportion of all software vulnerabilities, according to a software-vulnerability audit that also found the number of 'extremely critical' vulnerabilities remained small but climbed significantly year on year.

The figures – compiled annually by Flexera and published in its Vulnerability Review 2016 – come from monitoring and testing of more than 50,000 applications, appliances and operating systems on the computers of users of Flexera's Personal Software Inspector software.

The overall number of vulnerabilities grew by 2 percent over 2014 and 49 percent on a five-year basis, including 16,081 vulnerabilities in 2,484 applications from 263 vendors. Of these, remotely exploitable vulnerabilities were by far the most common – comprising 81.7 percent of all vulnerabilities – but those exploitable from the local network grew from 2.2 percent in 2014 to 3.4 percent in 2015.

Vulnerabilities affecting local systems surged over the year, from 6 percent of all vulnerabilities in 2014 to 14.9 percent in 2015. Some 13.3 percent of vulnerabilities were classified as 'highly critical', while the proportion classified as 'extremely critical' grew from 0.3 percent to 0.5 percent of the total.

Interestingly, a time comparison of the distribution of criticality suggested that vulnerabilities were getting less severe overall, with the proportion of 'not critical' and 'less critical' vulnerabilities increasing significantly since 2010; the proportion classified as 'highly critical' decreased notably over the same period.

The vulnerability audit also evaluated the patching status of numerous Web browsers and found that Microsoft Internet Explorer was the most commonly patched major browser, with just 9 percent of installations unpatched; Google's Chrome (22 percent), Opera (30 percent) and Mozilla Firefox (39 percent) showed the wide range of patching practices prevalent in the wild.

Time to patch applications was measured in terms of the number of days until a software update was released to remedy a newly discovered vulnerability. Some 84.6 percent of the 50 most-common applications had patches available on the day vulnerabilities were disclosed – representing a slight drop from 86.6 percent the year before.

“Particularly for organizations with a vast array of endpoints to manage (including devices not regularly connected to networks),” the analysis noted, “this means that a variety of mitigating efforts are required to ensure sufficient protection, in support of patch management efforts.”

Such efforts were particularly important for keeping on top of Windows patches, with the various Windows versions accounting for 21 percent of all vulnerabilities. The number of operating-system vulnerabilities has grown strongly over time: from 33 Windows 7 vulnerabilities in 2014 to 144 in 2015, for example, and from 105 Windows 8 vulnerabilities in 2014 to 466 in 2015.

Some 11.8 percent of end users were still running the end-of-life Windows XP as of the end of 2015.

The figures offer new visibility into software-patching capabilities that have long been a weak spot in Australia's overall security profile: a recent country-based Flexera breakdown showed that the average Australian PC user had 79 programs installed from 28 vendors – including insecure and long-deprecated versions of the Java runtime environment, which were still in use by 41 percent of Flexera users.

Stories by David Braue