Continuing high rates of unpatched vulnerabilities highlight the importance of fixing the software industry’s backwards model for security updates, a security analyst has warned as new figures suggest that patches are either being offered immediately or not at all.
Fully 81 percent of known vulnerabilities had been addressed with patches within a day of their discovery, according to Flexera Software’s Vulnerability Review 2017, which evaluated 17,147 known vulnerabilities across 2136 products from 246 vendors.
Some 92.5 percent of the top 50 most-used software applications were hit by vulnerabilities during 2016 and many vendors were “all but begging” users to apply them, analysis by the firm’s Secunia Research division noted. However, despite these findings – which showed a 33 percent increase over five years and a 6 percent increase from 2015 – patching habits remained well below the ideal.
Fully 19 percent of all software with vulnerabilities was left that way for longer than the first day after it was disclosed, although this proportion dropped to 7.5 percent when only the most commonly-used applications were considered.
Significantly, the proportion of patched software only increased from 81 percent after 1 day, to 82 percent after 30 days – suggesting a serious shortcoming on the part of many vendors, Flexera’s director of Secunia Research, Kasper Lindgaard, told CSO Australia.
“The picture painted by these figures is that if there is not a patch available at day 1, there is more likely than not going to be a patch available at day 30,” he said. “To me, this comes down to the fact that there are still vendors out there that are not mature enough to have a proper development cycle.”
That was unacceptable, he said, in an era when makers of other consumer-targeted products –for example, healthcare, toys or automobiles – were required to proactively notify their customers of any discovered product flaws and help them remediate them.
That led to situations such as a high proportion of users running vulnerable versions of common software like PDF readers: fully 75 percent of Adobe Reader users were running a vulnerable version of that program, the report found, while 62 percent of Foxit Reader users were also exposed.
Many IT users simply didn’t have the capacity to actively track the availability of security updates for every piece of software they were running, and others were likely not really thinking about the need to update software that performs a function that many users just take for granted.
Regardless of the reason, however, users were still being handballed the onus by vendors that often had not implemented automatic updating processes or notifications about vulnerabilities.
“That’s why patching is such a big issue year after year,” Lindgaard said. “It’s a lack of awareness. For a lot of people who don’t patch, it’s basically because they don’t know that they need to patch. Either people need to be more aware, or we need to change the way that the supply chain is working within the software industry.”
Microsoft applications posted a strong improvement, with 13.5 percent of tracked Microsoft applications recording a total of 219 vulnerabilities – down from 295 vulnerabilities in 14.5 percent of the company’s products the during 2015. This was, however, offset by a surge in Windows 10 vulnerabilities from 257 in 2015, to 380 last year.
Microsoft has worked hard to improve automatic updating in Windows 10 – but the problem is likely to get worse before it gets better. The challenges getting vendors to update other vulnerable software were highlighted in a presentation by Earl Carter, a threat researcher with Cisco Systems’ Talos threat-intelligence arm.Read more: New study finds zero-day flaws live for 7 years, supporting stockpiling
Speaking at this month’s Cisco Live! conference about the growing threat from unpatched Internet of Things (IoT) devices, Carter conveyed his team’s experiences working with an IoT vendor whose products had been found to have several zero-day vulnerabilities.
Talos experts worked with the company to fix the patches, but the company had built-in no way to advise users of the vulnerability or communicate updates to those users – who had to actively go to a Web site, download new firmware, and go through the ponderous process of updating their devices manually.
“Most people aren’t going to think about updating these,” Carter warned. “We’ve seen camera vendors posting firmware with a disclaimer that if the device is working correctly, they recommend not installing it because it could break the device. That’s not really encouraging. And if we can’t get the same mechanisms [for IoT devices as for self-updating software], people aren’t going to want to update their devices.”
Indeed, many IT managers have historically been cautious about updating to fix security vulnerabilities because patches may well introduce even bigger problems within the corporate IT environment. Yet with patching a core element of the Australian Signals Directorate’s Essential Eight security protections, the need to overcome this reluctance has never been stronger.
“So much of good security is just good IT practice,” Craig Warren, infrastructure services director said in a Cisco Live! panel session. “I don’t know how often we hear that patching is a source of all evil – but it really is something we should be doing very, very well. It’s like looking after large PC fleets: we struggled with it 10 years ago, but we really should be able to do it now.”