Secunia Research last year spotted over 16,000 vulnerabilities across more than 2400 products, with nearly 14% rated “extremely” or “highly” critical, highlighting the increasing pressure IT admins are under to patch systems as soon as possible.
The Flexera Software business’ Vulnerability Review for the year recorded a total of 16,081 bugs in 2484 products from 263 vendors.
This was up from the 15,698 vulnerabilities found last year, despite the firm reducing the number of products (by 36%) and vendors (49%) it analyzed to better reflect the environments of its customers.
Some 1114 vulnerabilities were discovered in the five most popular browsers – Chrome, Mozilla Firefox, Internet Explorer, Opera and Safari – and 147 bugs were spotted in the most popular readers: Adobe Reader, Foxit Reader, PDF-XChange Viewer, Sumatra PDF and Nitro PDF Reader.
As in previous years, Secunia also analyzed the Top 50 most popular applications on customers’ PCs.
Last year’s stats highlighted the same issues facing IT administrators: namely, that although 84% of vulnerabilities have a patch available on the day of disclosure, the problem is in coping with the disparate security update mechanisms of all the third-party software running in typical environments.
For example, 79% of vulnerabilities came from non-Microsoft products, which have no standardized update system.
Secunia Research director Kasper Lindgaard argued that third-party software firms could take a leaf out of Microsoft’s book.
“Automated updates for applications in wide use on private PCs is definitely something we recommend,” he told Infosecurity. “For applications in corporate environments, auto-updates are often not applicable.”
In fact, Microsoft fared pretty well out of the study, with its products only responsible for 21% of bugs found in the Top 50 applications, despite accounting for 67% of the products themselves.
The number of zero day vulnerabilities – 25 – was the same as in 2014.
However, this is likely because zero-days take a lot of time and effort to research and because hackers are already doing pretty well exploiting known vulnerabilities, rather than because of any improvement in the quality of coding.
“The majority of successful breaches use publicly known vulnerabilities – and as the Vulnerability Review shows, around 85% of all vulnerabilities have a patch available on the day of disclosure,” said Lindgaard.
“This means that IT teams could patch the majority of vulnerabilities, thereby closing the entry points before hackers use them to gain access.”