Follow Us

We use cookies to provide you with a better experience. If you continue to use this site, we'll assume you're happy with this. Alternatively, click here to find out how to manage these cookies

hide cookie message

Software vendors fail to stem tide of security flaws, report shows

Admins overwhelmed by scale of patching task

Article comments

Many of the software industry's top vendors are still struggling to reduce the number of vulnerabilities across all classes of products, an analysis of 2011’s flaw figures by research company Secunia has revealed.

Using its own database plus publically known Common Vulnerabilities and Exposures (CVEs), Secunia’s Yearly Report 2011 found that almost two thirds of all software vulnerabilities are caused by products from only 20 vendors.

These appear to divide into two groups, with companies such as Microsoft, Apple, and IBM showing significant reductions in the number of vulnerabilities found in their products year-on-year, leaving most of the rest to show significant increases.

At the top of the list on the one-year scale were open source vendors, although Secunia points out that the shared nature of the code used by companies such as Novell, Red Hat, Debian, and Gentoo probably exaggerates the issue for any one of them.

Harder to explain is Oracle, which showed a increase between 2010 and 2011 of 34 percent, reaching a total of 497 vulnerabilities, all originating within its own development.

The high point for vulnerabilities remains the complacent eras of 2006, since when overall vulnerability numbers (measured either using Secunia’s database of the public CVE reports) have shown modest declines.

However, when the critical top 20 were measured against the five-year trend the picture changed again with all showing significant increases, some in the hundreds of percent.

Top of this list was Google, which rose on either one year or five year timescales, again a reflection of the large number of shared components used in the company’s software.

The question Secunia raises is which vulnerabilities matter the most – the large number of relatively obscure ones or those found in popular and shared products – and is it possible to say that the situation is getting better or worse.

In the minds of admins what matters the most is which vulnerabilities are being exploited and here Secunia’s notes the tendency to pay closest attention to software from prominent companies such as Microsoft. In fact, of the roughly 870 vulnerabilities that have hit the 50 most popular Windows products since 2007, 685 were in third-party software.

“The incorrect perception that Microsoft programs still represent the primary attack vector, means that defences based on this false assumption are as effective as locking the front door to your home while the back door remains wide open,” say the report authors.

In 2011, about one in five vulnerabilities were rated as serous, Secunia found.

Secunia’s report will probably make depressing reading for the admins tasked with defending networks using patching regimes and as much vigilance as they have time to muster.

Given the software complexity of the average PC, keeping the average machine patched means negotiating the patching mechanism of 12 different updating systems just to keep on top of the top 50 applications. Beyond that, a further 78 percent of vulnerabilities affecting PCs require interacting with another 11 updating mechanisms.



Share:

More from Techworld

More relevant IT news

Comments



Send to a friend

Email this article to a friend or colleague:

PLEASE NOTE: Your name is used only to let the recipient know who sent the story, and in case of transmission error. Both your name and the recipient's name and address will not be used for any other purpose.

Techworld White Papers

Choose – and Choose Wisely – the Right MSP for Your SMB

End users need a technology partner that provides transparency, enables productivity, delivers...

Download Whitepaper

10 Effective Habits of Indispensable IT Departments

It’s no secret that responsibilities are growing while budgets continue to shrink. Download this...

Download Whitepaper

Gartner Magic Quadrant for Enterprise Information Archiving

Enterprise information archiving is contributing to organisational needs for e-discovery and...

Download Whitepaper

Advancing the state of virtualised backups

Dell Software’s vRanger is a veteran of the virtualisation specific backup market. It was the...

Download Whitepaper

Techworld UK - Technology - Business

Innovation, productivity, agility and profit

Watch this on demand webinar which explores IT innovation, managed print services and business agility.

Techworld Mobile Site

Access Techworld's content on the move

Get the latest news, product reviews and downloads on your mobile device with Techworld's mobile site.

Find out more...

From Wow to How : Making mobile and cloud work for you

On demand Biztech Briefing - Learn how to effectively deliver mobile work styles and cloud services together.

Watch now...

Site Map

* *