16:00 CET on 14 March 2013. Entry written by Morten Stengaard, Director, Product Management & Quality Assurance.
The Secunia Vulnerability Review 2013, published today, documents that patching is as important as ever, and that non-Microsoft (third-party) programs pose one of the largest threats to IT infrastructures and private PCs alike.
The absolute number of vulnerabilities is on the increase – Secunia numbers show a 15% increase over the past five years in all products, globally.
But this year, the Secunia Vulnerability Review pays special attention to the 50 most popular programs, because what happens in the Top 50 affects all computer systems and is relevant to SMBs and large enterprises alike. Even more so today, as the BYOD (Bring-Your-Own-Device) dilemma increasingly challenges IT teams and impacts security everywhere. While the benefits are many to both employers and employees – the mutual flexibility and accessibility, to name the obvious ones – BYOD is a double-edged sword: There are substantial security concerns involved in this merging of the private and the professional spheres. When employees bring their own devices, they also bring their own applications and digital habits, and thereby introduce the security threats from their own device into the corporate environment. Our data shows a whopping 98% increase in vulnerabilities in the 50 most popular products, globally – in 2012, the number was more than 1,100 vulnerabilities. And 86% of those vulnerabilities come from non-Microsoft (third-party) programs.
Overall, it is fair to conclude that the greatest threat is non-Microsoft programs. Unfortunately, it also means that the automatic security updates Microsoft issues only affect a very small share of the vulnerabilities that threaten any computer – in fact only 8.5%. This in turn means that IT professionals need to prioritize patching non-Microsoft programs if they want to protect their organizations from the root cause of security issues: vulnerabilities in software. The trouble with this scenario is that non-Microsoft programs are considerably more difficult to patch, as several different update mechanisms are required to do so. There is, to date, no fix-it-all solution – companies need to leverage strong Microsoft technologies (if they have a Microsoft-based infrastructure, of course) and then find best-practice partners and suppliers that can help them address the third-party threat …
And patching is required, because one single vulnerability in a common piece of software is all it takes for cybercriminals to compromise the security of an organization’s infrastructure. To assume that cybercriminals only focus on the ten most popular programs is naïve – while there is no question attackers do go after the larger attack surface the popular programs provide, they can also gain a great deal by going after number 48.
While the ultimate solution lies with the software vendors, who need to spend significantly more resources on building secure programs and on keeping their customers apprised of threats and solutions, it is imperative that businesses take matters into their own hands and protect themselves.
How? By patching the right programs, in the right order and at the right time!
And this is where the good news from the Secunia Vulnerability Review 2013 comes in: The time to patch has improved quite impressively. In fact, in 2012, 84% of vulnerabilities had patches available on the day of disclosure. In 2011, the number was only 72%. The most likely explanation for this improvement in ‘time-to-patch’ is that more researchers coordinate their vulnerability reports with vendors.
So it is possible to remediate the majority of vulnerabilities. The trick is in knowing what to patch!
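As an added illustration of "patching the right programs, in the right order and at the right time", the following Python script (written for this page; it is not Secunia's code or tooling) ranks a software inventory by the worst criticality and the number of known vulnerabilities per program, separates the programs that Microsoft's automatic updates already handle from the third-party programs that need their own update mechanism, and lists programs still waiting for a vendor fix so they can be mitigated in the meantime. The inventory, vendor names, vulnerability counts and the five-step criticality scale are all constructed assumptions for the example, not figures from the Review.

```python
"""Patch prioritisation over a software inventory (added example).

The inventory, vendor names, vulnerability counts and the criticality
scale below are constructed for illustration; they are not Secunia data.
"""
from dataclasses import dataclass

# Assumed five-step criticality scale, worst first (rank used for ordering).
CRITICALITY_RANK = {
    "extremely critical": 4,
    "highly critical": 3,
    "moderately critical": 2,
    "less critical": 1,
    "not critical": 0,
}


@dataclass(frozen=True)
class Program:
    name: str
    vendor: str
    vulns: int                  # known vulnerabilities in the installed version
    criticality: str            # worst criticality among those vulnerabilities
    patch_available: bool       # vendor has shipped a fixed version
    via_microsoft_update: bool  # fixed through the Microsoft update channel


def risk_score(p: Program) -> int:
    """Worst criticality dominates; the vulnerability count breaks ties."""
    return CRITICALITY_RANK[p.criticality] * 100 + p.vulns


def prioritise(inventory):
    """Split patchable programs into two queues, highest risk first:
    third-party programs needing their own update mechanism, and
    programs already covered by Microsoft's automatic updates."""
    actionable = [p for p in inventory if p.vulns > 0 and p.patch_available]

    def by_risk(programs):
        return sorted(programs, key=risk_score, reverse=True)

    third_party = by_risk(p for p in actionable if not p.via_microsoft_update)
    microsoft = by_risk(p for p in actionable if p.via_microsoft_update)
    return third_party, microsoft


def awaiting_vendor_patch(inventory):
    """Vulnerable programs with no fix yet: candidates for interim
    mitigation (restrict use, monitor) rather than patching."""
    return [p for p in inventory if p.vulns > 0 and not p.patch_available]


def share_via_microsoft_update(inventory) -> float:
    """Fraction of all known vulnerabilities that the Microsoft update
    channel alone would remediate."""
    total = sum(p.vulns for p in inventory)
    covered = sum(p.vulns for p in inventory if p.via_microsoft_update)
    return covered / total if total else 0.0


# Constructed sample inventory (names and numbers are illustrative only).
SAMPLE_INVENTORY = [
    Program("Operating system", "Microsoft", 6, "highly critical", True, True),
    Program("Web browser (Microsoft)", "Microsoft", 4, "extremely critical", True, True),
    Program("PDF reader (vendor A)", "Vendor A", 9, "highly critical", True, False),
    Program("Browser plug-in (vendor B)", "Vendor B", 20, "extremely critical", True, False),
    Program("Media player (vendor C)", "Vendor C", 2, "moderately critical", False, False),
    Program("Archiver (vendor D)", "Vendor D", 0, "not critical", True, False),
    Program("Runtime environment (vendor E)", "Vendor E", 12, "extremely critical", True, False),
]

if __name__ == "__main__":
    third_party, microsoft = prioritise(SAMPLE_INVENTORY)
    print("Patch first (third-party, own update mechanism):")
    for p in third_party:
        print(f"  {p.name:32} score={risk_score(p):4} vulns={p.vulns}")
    print("Handled by Microsoft automatic updates:")
    for p in microsoft:
        print(f"  {p.name:32} score={risk_score(p):4} vulns={p.vulns}")
    print("Awaiting vendor fix (mitigate meanwhile):")
    for p in awaiting_vendor_patch(SAMPLE_INVENTORY):
        print(f"  {p.name}")
    print("Share of vulnerabilities Microsoft updates alone cover: "
          f"{share_via_microsoft_update(SAMPLE_INVENTORY):.1%}")
```

The two-queue split is the point: the Microsoft queue is handled by one automatic channel, while every entry in the third-party queue implies a separate update mechanism to track, and the "awaiting vendor fix" list is where an organisation has to act without a patch. In a real deployment the inventory and vulnerability counts would come from an inventory or vulnerability-intelligence feed rather than a hard-coded list.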