When compared with the numbers from the previous year, 2013 has seen an increase in reported security vulnerabilities and, what’s more, the number of critical vulnerabilities has also risen – although it’s considerably smaller than in 2009.
GFI researchers have combed through the details provided by the US National Vulnerability Database (NVD), and have discovered that in 2013, an average of 13 new vulnerabilities were reported each day, bringing the total to 4794 – 447 more than in 2012.
50 percent of the flaws were found in products of only 10 vendors out of 760:
The numbers are a testament both to the number of different offerings these big firms have and to their popularity, which naturally points to the conclusion that they are more often targeted by hackers and analysed by security researchers for security flaws.
Oracle has topped the list not only because of Java vulnerabilities, but also because of hardware flaws found in the company’s devices. Still, Microsoft can’t breathe a sigh of relief, as the company has seen a huge rise in “high severity” vulnerabilities when compared to 2012 numbers.
Critical vulnerabilities found in its various operating systems made Microsoft occupy 8 of the first 9 spots on the list of most targeted OSes in 2013:
Finally, Microsoft’s Internet Explorer, Oracle’s Java and Google’s Chrome have ended up occupying the first three spots (respectively) on the list of most targeted applications.
“From a security perspective, Oracle and Java had a bad year in 2013 with 193 vulnerabilities reported for Java, 102 of them critical,” noted GFI’s Christian Florian. “To make matters worse, a high number of the critical vulnerabilities in Java were zero-day flaws.”
Another thing to take into consideration is the fact that cyber attackers have a preference for exploiting Java vulnerabilities, because the software can be found on many computers that run different operating systems.
Keeping all this in mind, the best advice you can get to keep safe is still to keep your operating system, applications, and security software up to date, and to remove software you don’t use or need in order to minimise the attack surface.