Non-Microsoft security flaws the real culprit, analysis finds

The number of security flaws affecting Windows users rose 5 percent last year and the culprits are overwhelmingly non-Microsoft programs, the latest study from information provider Secunia has found.

In 2012, the total number of vulnerabilities recorded in Secunia advisories and mapped to Common Vulnerabilities and Exposures (CVE) identifiers reached 9,776 in products from 421 different vendors, one fifth of which were rated as 'highly critical' or 'critical'.

Using data gathered by Secunia's Personal Software Inspector (PSI) program, the company found that the average PC was running 72 programs, with the 50 most commonly found programs comprising 29 from Microsoft and 21 from third parties.

Despite the number of Microsoft programs, only 14 percent of the vulnerabilities in the top 50 were caused by its software, a drop that continues a well-established trend towards third-party security flaws in recent years.

On the face of it, the top offenders in the top 50 were Google's Chrome with 291 vulnerabilities in 2011-2012, Mozilla Firefox with 257, Apple iTunes with 243, followed by Flash Player on 67, Java on 66, and Reader on 43.

Peer into Secunia's slightly convoluted presentation of the figures and it becomes clear that there is some double counting here; a Flash vulnerability will show up as a flaw in the browsers that embed the plugin as well as in Flash itself, for example.

It's not clear why Secunia didn't state this more explicitly, but there is plenty of independent evidence that the top offenders for vulnerabilities in popular programs are mainly Java, Adobe's Reader and Flash browser plugins and Apple's iTunes.

Despite extensive press coverage, zero days are a surprisingly rare if sometimes significant event, with the 25 most popular programs seeing only eight in the course of 2012.

This is down on the previous two years, which saw 12 and 14 respectively, although again it's difficult to draw any hard conclusions from this fall. Zero days become significant when they are quickly and widely exploited, and their impact depends on how long it takes a vendor to patch them.

Encouragingly, the time to patch continues to improve, with 80 percent of all flaws having a patch available on the day they were disclosed. Browser vendors are particularly good at fixing flaws quickly, Secunia said.

What can be concluded from this is that vendors are putting more effort into patching zero days and vulnerabilities generally, and better coordinating with bug researchers. It's also true that criminals are probably researching new ones more aggressively than in the past, leaving software users caught in an uncertain limbo.

"Companies cannot continue to ignore or underestimate non-Microsoft programs as the major source of vulnerabilities that threaten their IT infrastructure and overall IT-security level," said Secunia's director of product management, Morten R. Stengaard.

"The number of vulnerabilities is on the increase, but many organizations continue to turn a blind eye, thereby jeopardizing their entire IT infrastructure," he suggested.

In fairness to organisations, it's not clear that this is true in a year when interfaces such as Java have found themselves affected by a stream of serious flaws.

Most sysadmins will have got the message long ago: if Microsoft's Patch Tuesday is the foundation, the bricks and mortar of security are now built by paying close attention to Reader, Flash and Java.
