In 2014, 15,435 vulnerabilities were discovered according to data from Secunia Research. The vulnerabilities are spread across 3,870 applications published by 500 different vendors, and these numbers alone demonstrate the challenge faced by IT teams trying to protect their environment against security breaches.
Obtaining full visibility to ascertain risk is not simple. In addition to known vulnerabilities in known products in the infrastructure, users have to deal with the opaque area that is bundling: vendors bundle their products with, for example, open source applications and libraries, making it harder for customers to know which products are in fact present on their systems.
And, as the several incidents in 2014 of vulnerabilities in open source applications and libraries demonstrate, not all vendors can be relied upon to inform their users when vulnerabilities in open source applications affect their products.
“In fact, when we look at the number of days lapsed between the times when OpenSSL vulnerabilities were disclosed, until third-party vendors informed of their product being vulnerable, we find that there is no general pattern to response times. Consequently, organizations cannot presume to be able to predict which vendors are dependable and quick to react when vulnerabilities are discovered in products bundled with open source libraries,” says Kasper Lindgaard, Director of Research and Security at Secunia.
For those applications that are known to the security teams, the data for 2014 shows an encouraging trend: of all the 15,435 vulnerabilities, a full 83% had a security patch available on the day the vulnerability was disclosed to the public. This number represents a continued improvement in time-to-patch, particularly when taking a retrospective view of the last six years and the low of 49.9% recorded in 2009 across all products.
Total numbers across all applications
- In 2014, a total of 15,435 vulnerabilities were discovered in 3,870 products from 500 vendors.
- The number of vulnerabilities shows a 55% increase in the five-year trend, and an 18% increase from 2013 to 2014. The number of vulnerable products has increased by 22% from 2013 to 2014.
- 83% of vulnerabilities in all products had patches available on the day of disclosure in 2014.
- 25 zero-day vulnerabilities were discovered in total in 2014, compared to 14 the year before.
- 20 of the 25 zero-day vulnerabilities were discovered in the 25 most popular products – 7 of these in operating systems.
- 11% of the 15,435 vulnerabilities discovered in 2014 were rated as ‘Highly Critical’, and 0.3% as ‘Extremely Critical’.
- In 2014, 1,035 vulnerabilities were discovered in the 5 most popular browsers: Google Chrome, Mozilla Firefox, Internet Explorer, Opera and Safari. That is a 42% increase from 2013.
- In 2014, 45 vulnerabilities were discovered in the 5 most popular PDF readers: Adobe Reader, Foxit Reader, PDF-XChange Viewer, Sumatra PDF and Nitro PDF Reader.
The 50 most popular applications on private PCs
- 1,348 vulnerabilities were discovered in 18 products in the Top 50 most popular applications on private PCs.
- 77% of vulnerabilities in the 50 most popular applications on private PCs in 2014 affected non-Microsoft applications, by far outnumbering the 2% of vulnerabilities found in the Windows 7 operating system or the 21% of vulnerabilities discovered in Microsoft applications.
- The 16 non-Microsoft applications only account for 31% of products but are responsible for 77% of the vulnerabilities discovered in the Top 50.
- Microsoft applications (including the Windows 7 operating system) account for 69% of the products in the Top 50, but were only responsible for 23% of the vulnerabilities.
- Over a five year period, the share of vulnerabilities in non-Microsoft applications hovers around 78% in the Top 50.
- The total number of vulnerabilities in the Top 50 most popular applications was 1,348 in 2014, showing a 42% increase in the five-year trend. Most of these were rated by Secunia as either ‘Highly Critical’ (64.9%) or ‘Extremely Critical’ (9.7%).
- 87% of vulnerabilities in the Top 50 had patches available on the day of disclosure in 2014.