14:00 CET, 28th January 2011 By Secunia.
There is an on-going arms-race in the IT security industry between vendors striving to produce secure software, and researchers’ and cybercriminals’ efforts (and successes) in finding new vulnerabilities in software. The number of vulnerabilities in general over the last five years reached over 4,300 on average per year with no significant up- or downward trend. During the period from 2009 to 2010, the number actually decreased by 3%. Therefore it is fair to say that, on a large scale, the security ecosystem appears to be in a sort of state of equilibrium regarding the current rate of vulnerabilities. Vulnerabilities are counted as the number of unique CVEs.
However, computer users cannot be complacent. Significantly, Secunia’s Yearly Report for 2010 revealed that out of more than 4,000 vendors on the market today, just 14 vendors with products in use on millions of private and corporate systems daily, were responsible for over half of the vulnerabilities discovered in the last two years: Adobe Systems, Apache Software Foundation, Apple, Cisco, Google, HP, IBM, Kernel.org, Microsoft, Mozilla Organization, Novell, Oracle (includes Sun Microsystem, BEA, and Peoplesoft as a result of recent acquisitions), RealNetworks, and VMware.
Unfortunately vulnerabilities are still the ‘Achilles’ Heel’ of any IT system particularly for end-point PCs. An alarming trend for this sub-section was also highlighted: cybercriminals are now focusing their specific efforts on end-users. Vulnerabilities on end-points are commonly exploited when users visit a malicious website (with content controlled or injected by an attacker), or open data, files, or documents with one of the numerous programs and plug-ins installed on their end-points. The sheer variety and prevalence of programs found on typical end-points, coupled with unpredictable user usage patterns, make end-points an attractive and easy to exploit target for cybercriminals.
To read the rest of the article, visit HelpNet at: http://www.net-security.org/article.php?id=1553