Vulnerabilities in 2015: 0-days, Android vs iOS, OpenSSL
Secunia has taken an early peek at the trend in vulnerabilities for 2015, and has presented the results at Black Hat USA 2015. Seven months into the year, the number of detected zero-day vulnerabilities has risen substantially compared to 2014, while the total number of vulnerabilities is largely the same as this time last year.
Fifteen zero-days have been discovered so far in 2015, making it likely that the 2015 total will exceed the 25 discovered in 2014. All of the 2015 zero-days were found in popular Adobe and Microsoft products that are widely used across private and professional IT systems.
“The increasing number of zero-days is not a surprise. It would be more of a concern if the number dropped, because that would mean that the zero-days we can be sure are out there were going undetected – after all, Hacking Team, the Italian company reported to be selling a product utilizing bought zero-days to governments and corporations, is not the only company of its kind out there,” said Kasper Lindgaard, Director of Research and Security at Secunia.
At 9,225, the total number of vulnerabilities discovered from January 1 to July 31 is on a par with the 9,560 discovered over the same period in 2014, but Secunia’s preliminary findings do indicate a shift in criticality ratings: a slightly higher share of the vulnerabilities discovered are rated “extremely critical” (up from 0.3% to 0.5%) and “highly critical” (up from 11.1% to 12.7%), while the share rated “moderately critical” has dropped (from 28.2% to 23.7%).
Android vs iOS – what’s in a number?!
Secunia has also taken a look at the number of vulnerabilities discovered in the two most popular operating systems on mobile phones: around 80 vulnerabilities have been discovered in iOS, and approximately 10 in Android.
“The fact that fewer vulnerabilities are discovered in Android should under no circumstances be misinterpreted to imply that Android OS is more secure than iOS. The trouble with a vulnerability in Android OS is that Google, the vendor behind the operating system, has no control of its patch status on the majority of the devices that run it, because those devices are produced and maintained by third-party vendors. The ‘Stagefright’ vulnerabilities discovered by Zimperium, which were disclosed last week, are a perfect example of the problem: Google has acted quickly and issued a patch, but from there on it’s up to phone vendors – Samsung, HTC, Sony, etc. – to push the patch live to the users. In comparison, Apple can issue patches and push updates directly to all devices running iOS – a much more controlled process,” said Lindgaard.
Enterprise product vendors
Secunia Research has compared the number of vulnerabilities discovered in distinct core products, used in corporate IT infrastructures, from seven major vendors: IBM, Citrix, Hitachi, HP, Juniper, Oracle and VMware.
“Hundreds of different products from these vendors contain vulnerabilities, and it is important to remember to also focus on these. On private PCs you will find the same vulnerable applications from the same vendors again and again, but in the corporate environment the list of vulnerable products is far more nuanced. While there is certainly ‘repeat business’ every month, the corporate environment contains a wide variety of products, used in all manner of business contexts, with code that is just as flawed as any other code. This means that what you patched to stay secure last month will do your security very little good next month. It is an extremely complicated task to keep your corporate environment fully patched at all times,” Lindgaard stated.
OpenSSL
Since the Heartbleed vulnerability in OpenSSL opened the can of worms of vulnerabilities in open-source libraries in April 2014, several additional vulnerabilities have been discovered in OpenSSL, and users of the library have been hit by five distinct waves.
OpenSSL #5 has been doing the rounds for two months and appears to be following the trail of OpenSSL #4. So far, some 100 products have been reported vulnerable to OpenSSL #5, a far cry from the 800 reported vulnerable to OpenSSL #2 last year. The discrepancy between the two numbers indicates that many products out there are vulnerable even though their vendors have not reported them as such.
“The fact that vendors do not report to their customers that products have been made vulnerable by OpenSSL, and consequently do not offer solutions to the customers on how they should mitigate and protect their infrastructure, makes it very hard for users to secure their environment. Because OpenSSL comes bundled in many third-party products, customers are not necessarily aware that they have it in their inventory, and so cannot take appropriate action,” explained Lindgaard.
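The practical consequence of the last point is that a customer cannot wait for a vendor advisory to learn that OpenSSL is in their inventory. As an added example (not Secunia's tooling, and not from the article), the script below builds that inventory directly: it walks a directory tree, looks for the plain-text version banner that libcrypto and statically linked copies of OpenSSL carry (of the form `OpenSSL 1.0.1f 6 Jan 2014`), and lists any copy older than a version floor you choose. The sample "binaries" it scans are constructed in a temporary directory so it runs offline; the floor passed to `below_policy` is a patch-policy input you supply, not a vulnerability oracle, and the branch you actually run must be checked against the relevant advisory.

```python
"""Inventory bundled OpenSSL copies by scanning files for the library's
version banner.  Added example, not Secunia's tooling; it assumes that the
shipped libcrypto/libssl (or a statically linked copy) still carries the
plain-text banner of the form "OpenSSL 1.0.1f 6 Jan 2014"."""
import re
import tempfile
from pathlib import Path

# Banner format used by OpenSSL's version string; the letter suffix marks
# patch releases within a branch (1.0.1f is older than 1.0.1g).
BANNER = re.compile(rb"OpenSSL (\d+\.\d+\.\d+[a-z]*)")


def parse_version(text: str) -> tuple:
    """Turn '1.0.1f' into (1, 0, 1, 'f') so versions compare correctly."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)([a-z]*)", text)
    if not m:
        raise ValueError(f"unexpected OpenSSL version {text!r}")
    major, minor, fix, letter = m.groups()
    return (int(major), int(minor), int(fix), letter)


def find_openssl_versions(root: str) -> dict:
    """Walk root and map each file containing an OpenSSL banner to the
    versions found in it (a single file may bundle more than one copy)."""
    found = {}
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        data = path.read_bytes()
        versions = sorted({m.group(1).decode("ascii") for m in BANNER.finditer(data)},
                          key=parse_version)
        if versions:
            found[path.relative_to(root).as_posix()] = versions
    return found


def below_policy(inventory: dict, minimum: str) -> list:
    """Return (file, version) pairs older than the minimum your patch policy
    allows.  The minimum is a policy input chosen by the operator, not a
    statement about which versions are vulnerable."""
    floor = parse_version(minimum)
    return sorted((f, v) for f, vs in inventory.items()
                  for v in vs if parse_version(v) < floor)


def build_sample_tree() -> str:
    """Construct a throwaway directory with fake 'binaries' carrying OpenSSL
    banners (constructed sample data, not real vendor files)."""
    root = tempfile.mkdtemp(prefix="openssl-inv-")
    samples = {
        "appliance/bin/mgmtd": b"\x7fELF...OpenSSL 1.0.1f 6 Jan 2014...",
        "vendor/lib/libcrypto.so.1.0.0": b"\x7fELF...OpenSSL 1.0.1p 9 Jul 2015...",
        "agent/updater.exe": b"MZ...OpenSSL 0.9.8zg 11 Jun 2015...",
        "docs/README.txt": b"This component ships no crypto library.",
    }
    for rel, blob in samples.items():
        p = Path(root, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(blob)
    return root


if __name__ == "__main__":
    tree = build_sample_tree()
    inventory = find_openssl_versions(tree)
    for name, versions in sorted(inventory.items()):
        print(f"{name}: {', '.join(versions)}")
    # Hypothetical policy floor for this run; pick yours per branch/advisory.
    for name, version in below_policy(inventory, "1.0.1p"):
        print(f"BELOW POLICY: {name} bundles OpenSSL {version}")
```

Pointing `find_openssl_versions` at a vendor appliance image or an application install directory gives the list of bundled copies the vendor may never have mentioned; the version tuple ordering handles the letter-suffixed patch releases (including double letters such as `0.9.8zg`) that a plain string comparison gets wrong.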