It's that time of year again, and the latest Secunia Vulnerability Review has been published. It analysed anonymous data gathered throughout 2014 from scans of millions of computers with Secunia Personal Software Inspector (PSI) installed, and revealed some interesting statistics. On average, the computers used by the people running PSI had 76 programs installed, a figure that varies from country to country. Secunia focused its attention on what it calls "a representative portfolio of the 50 most common applications", comprising 34 Microsoft and 16 non-Microsoft ones. So what did the analysis discover? You might be surprised if you tend to think of Microsoft as being the bad guy when it comes to vulnerable products.
In total, there were 15,435 vulnerabilities across 3,870 applications published by 500 different vendors, which represents an 18% increase from the previous year in terms of vulnerabilities and a 22% increase in the total number of products. No wonder IT security can be a hard game to play when the attack surface is so broad and varied. The good news is that some 83% of the vulnerabilities in all products were patched, or at least had patches available, on the day of disclosure. Kasper Lindgaard, Director of Research and Security at Secunia, warns that while the numbers suggest an impressive 83% of vulnerabilities have a patch available on the day of disclosure, the number is virtually unchanged a month later. "30 days on," Lindgaard says, "just 84.3% have a patch available, which essentially means that if it isn't patched on the day of disclosure, chances are the vendor isn't prioritizing the issue. That means you need to move to plan B, and apply alternative fixes to mitigate the risk."
When it comes to the number of zero-days, these were on the way up, with 25 compared to 14 the year before. Not only that, but of these, 20 were found in the 25 most popular products and seven were in operating systems. Continuing the depressing theme, 1,035 vulnerabilities were discovered in the five most popular browsers (Chrome, Firefox, Internet Explorer, Opera and Safari), a 42% increase from 2013, and 45 vulnerabilities were found in the five most popular PDF readers (Adobe Reader, Foxit Reader, PDF-XChange Viewer, Sumatra PDF and Nitro PDF Reader) for good measure.
Interestingly, and perhaps going against the grain of the common perception of Microsoft products, 77% of vulnerabilities in the 50 most popular applications on private PCs affected non-Microsoft applications. Only 2% of vulnerabilities were found in Windows 7, and 21% in Microsoft applications in general. That said, Microsoft applications (which for this report includes Windows 7) accounted for 69% of the products in the Top 50, yet were responsible for only 23% of the vulnerabilities. Looking at the numbers over a five-year stretch, the non-Microsoft applications' share of vulnerabilities in the Top 50 is pretty static at around the 78% mark.