
Software vendors fail to stem tide of security flaws, report shows

Admins overwhelmed by scale of patching task

Many of the software industry's top vendors are still struggling to reduce the number of vulnerabilities across all classes of products, an analysis of 2011’s flaw figures by research company Secunia has revealed.

Using its own database plus publicly known Common Vulnerabilities and Exposures (CVEs), Secunia’s Yearly Report 2011 found that almost two thirds of all software vulnerabilities are in products from only 20 vendors.

These 20 appear to divide into two groups: companies such as Microsoft, Apple, and IBM showed significant year-on-year reductions in the number of vulnerabilities found in their products, while most of the rest showed significant increases.

At the top of the list on the one-year scale were open source vendors, although Secunia points out that the shared nature of the code used by Novell, Red Hat, Debian, and Gentoo probably exaggerates the issue for any one of them: a flaw in a component they all ship is counted once against each of them.

Harder to explain is Oracle, which showed an increase of 34 percent between 2010 and 2011, reaching a total of 497 vulnerabilities, all originating in its own development rather than in shared code.

The high point for vulnerabilities remains 2006, since when overall vulnerability numbers (whether measured using Secunia’s own database or public CVE reports) have shown modest declines.

However, when the top 20 were measured against the five-year trend the picture changed again, with all of them showing significant increases, some in the hundreds of percent.

Top of this list was Google, which rose on both the one-year and the five-year timescales, again partly a reflection of the large number of shared components used in the company’s software.
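The vendor-level figures above depend on how a vulnerability in shared code is counted. The following is an added example, not part of the article or of Secunia's methodology, showing the difference on a small constructed set of CVE records: per-vendor counts, a year-on-year percentage change, the share held by the largest vendors, and how many distinct CVEs lie behind the per-vendor sum. The record set, vendor names and function names are all assumptions made for illustration.

```python
from collections import Counter, defaultdict

# Constructed sample records, NOT Secunia's data: (cve_id, vendor, year).
# A CVE in a shared component appears once per distribution that ships it,
# which is the double counting the report warns about for Novell, Red Hat,
# Debian and Gentoo. Vendor names are used as labels only.
SAMPLE = [
    ("CVE-2010-1001", "microsoft", 2010),
    ("CVE-2010-1002", "microsoft", 2010),
    ("CVE-2010-1003", "microsoft", 2010),
    ("CVE-2010-1004", "oracle", 2010),
    ("CVE-2010-1005", "oracle", 2010),
    ("CVE-2010-1006", "oracle", 2010),
    ("CVE-2010-1007", "oracle", 2010),
    ("CVE-2010-1008", "redhat", 2010),
    ("CVE-2010-1008", "debian", 2010),   # shared component, counted twice
    ("CVE-2010-1009", "debian", 2010),
    ("CVE-2011-2001", "microsoft", 2011),
    ("CVE-2011-2002", "microsoft", 2011),
    ("CVE-2011-2003", "oracle", 2011),
    ("CVE-2011-2004", "oracle", 2011),
    ("CVE-2011-2005", "oracle", 2011),
    ("CVE-2011-2006", "oracle", 2011),
    ("CVE-2011-2007", "oracle", 2011),
    ("CVE-2011-2008", "oracle", 2011),
    ("CVE-2011-2009", "redhat", 2011),
    ("CVE-2011-2009", "debian", 2011),   # shared three ways
    ("CVE-2011-2009", "novell", 2011),
    ("CVE-2011-2010", "redhat", 2011),
    ("CVE-2011-2010", "debian", 2011),   # shared two ways
    ("CVE-2011-2011", "novell", 2011),
    ("CVE-2011-2012", "google", 2011),
]


def per_vendor_counts(records, year):
    """Vulnerabilities per vendor for one year; each (vendor, CVE) pair counts once."""
    seen = {(vendor, cve) for cve, vendor, y in records if y == year}
    return Counter(vendor for vendor, _ in seen)


def yoy_change_pct(records, vendor, prev_year, year):
    """Percentage change in a vendor's count between two years (None if no baseline)."""
    before = per_vendor_counts(records, prev_year)[vendor]
    after = per_vendor_counts(records, year)[vendor]
    if before == 0:
        return None
    return round(100.0 * (after - before) / before, 1)


def top_n_share(records, year, n):
    """Fraction of all per-vendor entries in `year` held by the n largest vendors.

    Ties are broken by vendor name so the result is deterministic."""
    counts = per_vendor_counts(records, year)
    total = sum(counts.values())
    top = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))[:n]
    return round(sum(c for _, c in top) / total, 4), [v for v, _ in top]


def shared_cve_inflation(records, year):
    """Compare the per-vendor sum with the number of distinct CVEs.

    Returns (per_vendor_sum, distinct_cves, shared_cves), where shared_cves lists
    the CVE IDs credited to more than one vendor. per_vendor_sum / distinct_cves
    is how much shared code inflates vendor-level totals for that year."""
    vendors_by_cve = defaultdict(set)
    for cve, vendor, y in records:
        if y == year:
            vendors_by_cve[cve].add(vendor)
    per_vendor_sum = sum(len(vs) for vs in vendors_by_cve.values())
    shared = sorted(c for c, vs in vendors_by_cve.items() if len(vs) > 1)
    return per_vendor_sum, len(vendors_by_cve), shared


if __name__ == "__main__":
    print("2011 per vendor:", dict(per_vendor_counts(SAMPLE, 2011)))
    print("oracle 2010->2011:", yoy_change_pct(SAMPLE, "oracle", 2010, 2011), "%")
    print("top vendor share 2011:", top_n_share(SAMPLE, 2011, 1))
    print("inflation 2011:", shared_cve_inflation(SAMPLE, 2011))
```

On this constructed data the 2011 per-vendor sum is 15 while only 12 distinct CVEs exist, so a vendor-level ranking overstates the three distributions relative to Oracle, whose six entries are all distinct. Any comparison across vendors that share code should report both numbers.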

The question Secunia raises is which vulnerabilities matter the most – the large number of relatively obscure ones or those found in popular and shared products – and whether it is possible to say that the situation is getting better or worse.

In the minds of admins what matters most is which vulnerabilities are actually being exploited, and here Secunia notes the tendency to pay closest attention to software from prominent companies such as Microsoft. In fact, of the roughly 870 vulnerabilities that have hit the 50 most popular Windows products since 2007, 685 were in third-party software.

“The incorrect perception that Microsoft programs still represent the primary attack vector means that defences based on this false assumption are as effective as locking the front door to your home while the back door remains wide open,” say the report authors.

In 2011, about one in five vulnerabilities were rated as serious, Secunia found.

Secunia’s report will probably make depressing reading for the admins tasked with defending networks using patching regimes and as much vigilance as they have time to muster.

Given the software complexity of the average PC, keeping it patched means negotiating 12 different update mechanisms just to keep on top of the top 50 applications. Beyond that, a further 78 percent of vulnerabilities affecting PCs require interacting with another 11 update mechanisms.

Techworld UK - Technology - Business