New vulnerabilities kick off 2015


There's always that tiny glimmer of hope that in some way a new year is going to be somehow different from and better than the one that went before.

Usually it's extinguished quite quickly, and in software terms at least 2015 is no exception, according to the latest vulnerability report from Secunia, released today.

It finds that in the last quarter of 2014 there were 1,357 new vulnerabilities in the 20 most used software products, and that the vendor with the most vulnerable products in the period was IBM. The single product with the most vulnerabilities was X.Org Xserver, the open source X Window implementation.

2015 meanwhile has got off to a bang with two zero-day vulnerabilities in Adobe Flash in January and a third at the beginning of February. As Secunia points out, a zero-day in a popular product like Flash, "...means there are more entry points into any organization. The only thing to do about it is to either remove the affected product from everywhere in your infrastructure -- which can effectively paralyze your business -- especially when the affected application is bundled and widespread -- or have complete visibility to your systems and complete data control."

The report also highlights the new set of Java patches in Oracle's January update, which fixes 19 vulnerabilities. Java sits high on Secunia's 'Most Exposed' product list thanks to its large market share, but many users simply don't bother to patch it.

The Ghost vulnerability in the GNU C Library (glibc) was fixed upstream in version 2.18 as long ago as 2013, but the fix was not recognized as a security fix at the time, so older release branches, and copies of the library bundled into other applications and appliances, often remain unpatched. Secunia has issued advisories on 24 products made vulnerable by Ghost, including products from McAfee, Cisco, IBM, Red Hat and Xerox. Exploitation of Ghost may allow remote code execution, so users are advised to make sure their product patches are up to date rather than assuming a system-level glibc update has covered every bundled copy.
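As an added illustration of the "check your bundled copies" advice (this is example code written for this page, not Secunia's tooling and not part of the original article), the script below screens an inventory of product-to-glibc-version pairs against the upstream fix release, 2.18, that the article names. The inventory and product names are constructed for the example. The important caveat is built into the code: distributions and vendors backport fixes without changing the version number, so a version older than 2.18 is a prompt to consult the vendor's advisory, not proof of exposure.

```python
"""Screen glibc version strings against the upstream Ghost fix release (2.18).

Added example for this page; not Secunia's or any vendor's tooling.
Assumptions: the upstream fix landed in glibc 2.18 (as the article states);
version strings carry a 'major.minor' number somewhere in the text.
"""
import platform
import re
from typing import List, Optional, Tuple

# Upstream glibc release that carries the fix, per the article.
GHOST_FIXED_UPSTREAM = (2, 18)


def parse_glibc_version(text: str) -> Tuple[int, int]:
    """Pull (major, minor) out of strings such as '2.17',
    'ldd (GNU libc) 2.12' or '2.19-18+deb8u1'.
    Raises ValueError when no version number is present."""
    m = re.search(r"(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no glibc version found in {text!r}")
    return (int(m.group(1)), int(m.group(2)))


def upstream_version_predates_fix(text: str) -> bool:
    """True when the version is older than 2.18, i.e. the upstream code
    line that did not yet carry the Ghost fix.

    Screening signal only: distributions backport fixes without bumping
    the version (e.g. an enterprise distro can stay on 2.12 and still ship a
    patched build), so True means "check the vendor advisory", not
    "confirmed vulnerable"."""
    return parse_glibc_version(text) < GHOST_FIXED_UPSTREAM


def screen_inventory(entries: List[Tuple[str, str]]) -> List[str]:
    """Return the products whose recorded glibc version predates the fix.
    Entries with an unparseable version are flagged too, because an unknown
    bundled library is exactly the case the article warns about."""
    flagged = []
    for product, version in entries:
        try:
            if upstream_version_predates_fix(version):
                flagged.append(product)
        except ValueError:
            flagged.append(product)
    return flagged


def local_glibc_version() -> Optional[str]:
    """Version of the glibc this interpreter is linked against, or None on
    non-glibc platforms (macOS, musl-based Linux, Windows)."""
    name, ver = platform.libc_ver()
    return ver if name == "glibc" and ver else None


if __name__ == "__main__":
    # Constructed inventory for the example; not real product data.
    inventory = [
        ("appliance-a", "ldd (GNU libc) 2.12"),   # old branch: review vendor advisory
        ("appliance-b", "2.20"),                  # upstream line already carries the fix
        ("appliance-c", "version unknown"),       # unknown bundled copy: flag for review
    ]
    print("needs review:", screen_inventory(inventory))
    local = local_glibc_version()
    if local:
        print("local glibc", local,
              "predates upstream fix:", upstream_version_predates_fix(local))
```

The screen is deliberately conservative: it flags unknowns as well as old versions, since an appliance whose bundled libc cannot be identified is the one most likely to have been missed by a routine OS patch cycle.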

There's some praise for Google in the report for relaxing its strict 90-day rule on disclosing vulnerabilities. On 13 February it amended its policy to add a 14-day grace period: if a vendor confirms before the deadline that a patch is scheduled to ship within the following two weeks, public disclosure is held until that patch is available.

You can read more about Secunia's vulnerability reviews on the company's website.

Image Credit: Pavel Ignatov / Shutterstock


© 1998-2024 BetaNews, Inc. All Rights Reserved. Privacy Policy - Cookie Policy.