Secunia CSI7
About us
Careers
Memberships
Newsroom
Contact us
Blog
News
Articles

Internet Users At Risk from Serious Software Security Flaws Claims Secunia

Get this blog as an RSS Feed
New Report from Secunia Highlights Gap in Perception between Software Patch Priorities and what Cybercriminals actually Target
14:00 CET on the 14th February 2012
Entry written by Secunia.

Copenhagen, Denmark, February 14th, 2012 – Internet users are at risk from the rapid growth in software security flaws - specifically end-point vulnerabilities - according to the  latest Yearly Report (for 2011), released today by Secunia, the leading provider of IT security solutions that help  manage and control vulnerability threats.  And, the company claims, businesses should be doing far more to help themselves by improving their patching strategies which are often less than adequate.

According to the report, third-party programs rather than programs from Microsoft are almost exclusively responsible for the growth in vulnerabilities, with the share of third-party vulnerabilities on a typical end-point, increasing from 45% in 2006 to 78% in 2011.

78% of vulnerabilities in 2011 affected third-party programs, by far outnumbering the 12% of vulnerabilities found in operating systems or the 10% of vulnerabilities discovered in Microsoft programs.  The report shows that the number of end-point vulnerabilities increased once again in 2011 to over 800 vulnerabilities – a tripling within only a few years -  more than half of which were rated by Secunia as either ‘Highly’ or ‘Extremely critical’.

The World Economic forum recently claimed that cyber crime is one of the biggest risks to global financial and political stability in 2012. “Many businesses are not doing enough to help themselves,” said Stefan Frei, Research Analyst Director, Secunia.

“By not addressing errors in software installed on typical end-points, organisations and individuals are in effect leaving their ‘windows’ wide open for cybercriminals to enter and compromise their most sensitive data,” he continued. “One problem often lies with the company’s security strategy. The programs that an organisation perceives as top priorities to patch as opposed to the programs that cybercriminals target are often vastly different. A typical corporate infrastructure contains layers of programs that organisations consider business-critical.  Many organisations will focus on patching the top layer – business-critical programs – only. Cybercriminals, however, will target all programs and only need one vulnerable program to compromise the host.”

The Secunia Yearly Report reveals that for an organisation with over 600 programs installed in their network, more than 50% of the programs that are vulnerable in one year will not be vulnerable the next year, and vice versa. “Therefore identifying all installed programs and implementing an agile, dynamic patching strategy according to criticality in the remediation phase, as opposed to a short-sighted approach of only patching a static set of preferred programs, clearly wins in terms of achieving optimal risk reduction with limited resources.  72% of vulnerabilities had patches available on the day of disclosure; therefore the power to patch end-points is in the hands of all end-users and organisations,” concluded Frei.

Other findings of the report include:

  • Vulnerabilities are resilient.  Despite the number of vulnerabilities decreasing in 2011 in general, the five-year trend identified that none of the top-20 producers of software (commercial or open source) managed to decrease the number of vulnerabilities in their products.
  • End-points are top targets.  This is because end-points are where the most valuable data (business-critical data, personal information, etc.) is found to be the least protected. Because end-points are dynamic environments with unpredictable usage patterns, this makes them difficult to defend and secure.
  • Complexity is the worst enemy of security.  The Top-50 software portfolio installed on a typical end-point comprises programs from 12 different vendors (28 Microsoft programs and 22 third-party programs). It therefore involves 12 different update mechanisms to keep a typical end-point secure (1 ‘Microsoft update’ and 11 additional update mechanisms).  The complexity involved in staying secure has a measurable effect on security levels.
  • Rare programs are also risky.  It’s not just the usual suspects that are at risk– uncommon programs can also be exposed to cybercriminal attack. Analysing the market share against exploit availability demonstrates that all programs are at risk.

The report can be downloaded from the Secunia website here.

About Secunia
Founded in 2002, Secunia is the leading provider of IT security solutions that help businesses and private individuals globally manage and control vulnerability threats, risks across their networks, and end-points. This is enabled by Secunia’s award-winning Vulnerability Intelligence, Vulnerability Assessment, and Patch Management solutions that ensure optimal and cost-effective protection of critical information assets.

Secunia plays an important role in the IT security ecosystem, and is the preferred supplier for enterprises and government agencies worldwide, counting Fortune 500 and Global 2000 businesses among its customer base. Secunia has operations in North America, the UK, and the Middle East, and is headquartered in Copenhagen, Denmark.

Follow Secunia

Contact:
Thomas Kristensen, CSO, Co-founder
tk@secunia.com
+45 2690 7565

Discuss this news entry
A new thread in our forum is created. Activate the thread by commenting/discussing below.
Subject: Internet Users At Risk from Serious Software Security Flaws Claims Secunia
 
No posts yet

-

You must be logged in to post a comment.



 Products Solutions Customers Partner Resources Company
 
 Corporate
Vulnerability Intelligence Manager (VIM)
Corporate Software Inspector (CSI)
Consumer
Personal Software Inspector (PSI)
Online Software Inspector (OSI)
 Industry
Compliance
Technology
Integration
 Customers
Testimonials
 VARS
MSSP
Technology Partners
References
 Reports
Webinars
Events
 About us
Careers
Memberships
Newsroom


 
© 2002-2014 Secunia ApS - Rued Langgaards Vej 8, 4th floor, DK-2300 Copenhagen, Denmark - +45 7020 5144
Terms & Conditions and Copyright - Privacy - Report Vulnerability