Annual Flexera Vulnerability Review Shows 81 Percent of All Vulnerabilities Had Available Patches, Yet Common Software Programmes Remain Unpatched
Vulnerabilities are a root cause of security issues – errors in software that can work as an entry point for hackers, and be exploited to gain access to IT systems. In 2016, Secunia Research at Flexera Software recorded a total of 17,147 vulnerabilities in 2,136 products from 246 vendors. The breadth of the problem illustrates the challenge faced by IT teams trying to protect their environment against security breaches without the necessary automation. For organisations to stay on top of their environments, IT teams must have complete visibility of the applications that are in use, and firm policies and procedures in place, in order to deal with the vulnerabilities as they are disclosed.
The good news is that patches continue to be available for the vast majority of vulnerabilities at the time they become public. In 2016, 81 percent of all vulnerabilities and 92.5 percent of applications in the Top 50 Software Portfolio that were impacted by vulnerabilities, had patches for those vulnerabilities on the day of disclosure – all but begging for the user to take action to fix it. However, even with an increase in available patches, there was a decrease in patch rates – a clear indicator that the software supply chain is indeed broken. Software Vulnerability Management was designed to solve this problem by helping organisations identify vulnerable applications and systems in their environments so they can be prioritised, and remediate the problem via integrated patch management.
“The software supply chain is very unique in industry – it is not uncommon for software producers to release products containing exploitable vulnerabilities, which then becomes their customers’ problem. That is why software buyers must be vigilant when buying, managing, and securing their software,” said Kasper Lindgaard, Director of Secunia Research at Flexera Software. “As our report details, patches are available in the majority of times a vulnerability is disclosed. Companies need to take advantage of this knowledge, and actively apply patches in a timely manner.”
The rate of unpatched PDF Readers is very high. For instance, Adobe Reader has wide adoption — ranking #31 in the Top 50 Software Portfolio and installed on 40 percent of personal computers. The application has the lion share of the market and the largest amount of vulnerabilities – yet 75 percent of its private users ran unpatched versions of Adobe Reader in 2016, despite a plethora of available patches.
Patch Rates and Zero-day Vulnerabilities
Other findings in the Vulnerability Review 2017 confirm trends from previous years: at 22, the number of zero-day vulnerabilities was a bit lower than in 2015; the split between vulnerabilities in Microsoft and non-Microsoft products in the 50 most popular applications on private PCs is at 22.5 percent and 77.5 percent. And most vulnerabilities – 81 percent – have a patch available on the day of disclosure. 30 days after the vulnerability was first disclosed, only one additional percent has a patch. Particularly for organisations with a vast array of endpoints to manage – including devices not regularly connected to corporate networks – this means that a variety of mitigating Software Vulnerability Management efforts are required, to ensure sufficient protection.
Key Findings from the Vulnerability Review 2017
Total Numbers across All Applications
1. In 2016, Secunia Research at Flexera Software recorded a total of 17,147 vulnerabilities in 2,136 products from 246 vendors.
2. 81 percent of vulnerabilities in all products had patches available on the day of disclosure in 2016.
3. 22 zero-day vulnerabilities were discovered in total in 2016, a decrease of 4 compared to the year before.
4. 18 percent of the 3,416 advisories released in 2016 were rated as ‘Highly Critical’, and 0.5 percent as ‘Extremely Critical’.
5. In 2016, 713 vulnerabilities were discovered in the five most popular browsers: Google Chrome, Mozilla Firefox, Internet Explorer, Opera and Safari. That is a 27.5 percent decrease from 2015.
6. In 2016, 289 vulnerabilities were discovered in the five most popular PDF readers: Adobe Reader, Foxit Reader, PDF-XChange Viewer, Sumatra PDF and Nitro PDF Reader.
The 50 Most Popular Applications on Private PCs
7. 1,626 vulnerabilities were discovered in 25 products in the Top 50 most popular applications on private PCs.
8. 77.5 percent of vulnerabilities in the 50 most popular applications on private PCs in 2016 affected non-Microsoft applications, by far outnumbering the 9 percent of vulnerabilities found in the Windows 7 operating system or the 13.5 percent of vulnerabilities discovered in Microsoft applications.
9. The 15 non-Microsoft applications only account for 29 percent of products but are responsible for 77.5 percent of the vulnerabilities discovered in the Top 50. Microsoft applications (including the Windows 7 operating system) account for 71 percent of the products in the Top 50, but were only responsible for 22.5 percent of the vulnerabilities.
10. Over a five year period, the share of vulnerabilities in non-Microsoft applications hovers around 78 percent in the Top 50.
11. The total number of vulnerabilities in the Top 50 most popular applications was 1,626 in 2016, showing a 15 percent increase in the five-year trend. Most of these were rated by Secunia Research at Flexera Software as either ‘Highly critical’ (65 percent) or ‘Extremely critical’ (7.5 percent).
12. 92.5 percent of vulnerabilities in the Top 50 had patches available on the day of disclosure in 2016.
About the Vulnerability Review 2017
The annual Vulnerability Review from Secunia Research at Flexera Software analyses the evolution of software security from a vulnerability perspective. It presents global data on the prevalence of vulnerabilities and the availability of patches, maps the security threats to IT infrastructures, and also explores vulnerabilities in the 50 most popular applications on private PCs.
Identifying the 50 Most Popular Applications in the Top 50 Portfolio
To assess how exposed endpoints are, we analyse the types of products typically found on an endpoint. For this analysis, we use anonymous data gathered from scans throughout 2016 of the Personal Software Inspector users’ computers – with an average of 75 programmes installed on them. From country to country and region to region, there are variations as to which applications are installed. For the sake of clarity, we have chosen to focus on the state of a representative portfolio of the 50 most common applications found on the computers. These 50 applications are comprised of 35 Microsoft applications, and 15 non-Microsoft applications.
Different approaches to counting vulnerabilities are adopted by research houses in the vulnerability management space. Secunia Research counts vulnerabilities per product the vulnerability appears in. We apply this method to reflect the level of information our customers need, to keep their environments secure, i.e. verified intelligence on all products affected by a given vulnerability.
Although Apple Safari for Windows is categorized as end-of-life by Secunia Research, because it has not received maintenance and development for a period of three years, it is still found on 6% of PCs.