Decrease in patch rates points to broken software supply chain

Vulnerabilities in software are at the heart of many security problems, providing a foothold for hackers that they can use to gain access to systems.

The latest Vulnerability Review from the Secunia Research arm of Flexera Software maps the security threat presented to IT infrastructures and explores vulnerabilities in the 50 most popular applications on private PCs.

The study finds that in 2016, 81 percent of all vulnerabilities, and 92.5 percent of applications, in what it identifies as the Top 50 Software Portfolio, that were impacted by vulnerabilities had patches for those vulnerabilities available on the day of disclosure. However, even with an increase in available patches, the report shows a decrease in patch rates -- a clear indicator, says the company, that the software supply chain is broken.

"The software supply chain is very unique in industry -- it is not uncommon for software producers to release products containing exploitable vulnerabilities, which then becomes their customers' problem. That is why software buyers must be vigilant when buying, managing, and securing their software," says Kasper Lindgaard, director of Secunia Research at Flexera Software. "As our report details, patches are available in the majority of times a vulnerability is disclosed. Companies need to take advantage of this knowledge, and actively apply patches in a timely manner."

PDF readers are identified as being particularly at risk. Adobe Reader ranks 31st in the Top 50 Software Portfolio and is installed on 40 percent of personal computers. It also has a large amount of vulnerabilities. However, 75 percent of its private users were running unpatched versions of Adobe Reader in 2016, despite patches being available.

There's good news in the number of zero-day vulnerabilities which at 22 was a little lower than in 2015. The split between vulnerabilities in Microsoft and non-Microsoft products in the 50 most popular applications on private PCs is at 22.5 percent and 77.5 percent. Most vulnerabilities -- 81 percent -- have a patch available on the day of disclosure. Things tail off rapidly after that though with only an additional one percent having a patch 30 days after the vulnerability was first disclosed.

For organizations with many endpoints to manage, including devices not regularly connected to corporate networks, this means putting in place measures to ensure sufficient protection.

You can find out more in the full report which you can download from the Flexera website.

Image Credit: alexskopje / Shutterstock