Software vulnerabilities up 18 percent in 2014 and Microsoft isn't to blame
Errors in software, whether operating systems or applications, are usually the root cause of security issues, allowing hackers and cyber criminals a way into systems.
In 2014, 15,435 vulnerabilities across 3,870 applications were discovered, according to a new report from vulnerability intelligence specialist Secunia. That represents an 18 percent increase in vulnerabilities compared to the year before, and a 22 percent increase in the number of vulnerable products.
"Every year, we see an increase in the number of vulnerabilities discovered, emphasizing the need for organizations to stay on top of their environment. IT teams need to have complete visibility of the applications that are in use, and they need firm policies and procedures in place, in order to deal with the vulnerabilities as they are disclosed," says Kasper Lindgaard, Director of Research and Security at Secunia.
The list of core products with the most vulnerabilities in 2014 makes for surprising reading. Google Chrome comes top with 504, followed by Oracle Solaris on 483 and Gentoo Linux on 350, with Microsoft Internet Explorer fourth on 289. Apple's OS X is 13th with 147 and Windows 8 is 20th with 105.
The report points out that open source vulnerabilities often arise from bundling. The risk lies in the fact that the applications and libraries can be bundled in a variety of products and installed in a host of different contexts.
Looking at a portfolio of the top 50 most popular applications on private PCs, 1,348 vulnerabilities were discovered in 18 products. However, what's interesting is that 77 percent of vulnerabilities in the 50 most popular applications on private PCs in 2014 affected non-Microsoft applications, by far outnumbering the two percent of vulnerabilities found in the Windows 7 operating system or the 21 percent discovered in Microsoft applications.
There is some good news: of all the 15,435 vulnerabilities, 83 percent had a security patch available on the day the vulnerability was disclosed to the public. This represents a continued improvement in time-to-patch from a low of 49.9 percent in 2009.
Lindgaard adds a note of caution, though: "But numbers also show that while an impressive 83 percent of vulnerabilities have a patch available on the day of disclosure, the number is virtually unchanged when we look 30 days ahead. 30 days on, just 84.3 percent have a patch available which essentially means that if it isn't patched on the day of disclosure, chances are the vendor isn't prioritizing the issue. That means you need to move to plan B, and apply alternative fixes to mitigate the risk."
You can read more about the findings in the full report available to download from the Secunia website.