The threat of application vulnerabilities moves fast – and it’s only with the latest facts and figures that you can make an informed decision about the platforms and processes that will keep your data safe.
To help, the experts at Secunia Research analysed a representative portfolio of the 50 most common applications found on endpoints, including both Microsoft and non-Microsoft software.
How many of these applications were vulnerable? How are vendors responding to disclosures with effective – and immediate – patches? And which types of applications are most prone to vulnerabilities?
You’ll find the full results in the Flexera Vulnerability Review 2017 – available now as a free download. But, to get you started, here are the key findings at-a-glance.
In 2016, 17,147 vulnerabilities were discovered in 2,136 applications from 246 vendors. While this is actually a reduction in the number of vulnerable applications and the number of vendors, the news isn’t as good as it seems.
In part, this reduction reflects a change in tact from Flexera and Secunia Research, focusing on only the products and vendors that its customers are actually using. This important shift makes an ongoing trend harder to assess, but means that the numbers are more relevant to the average organisation.
What’s more, the overall number of vulnerabilities continues to grow. The scale of the threat is on the rise – but, with fewer affected applications, more vulnerabilities could be closed with a single patch.
In short: the scale of application vulnerabilities is ever-growing. Resolving them with the right processes and patches is getting easier.
Worryingly, the review shows a considerable increase in the number of ‘highly critical’ vulnerabilities, climbing from 13% in 2015 to 18% in 2016.
These serious vulnerabilities can be exploited remotely with no interaction from your users, and typically exist in services like FTP and HTTP.
In fact, the only thing that stops these vulnerabilities being classified as ‘Extremely Critical’ – Secunia Research’s highest classification level – is that an exploit has not been found at the time of disclosure. Of course, the fact that an exploit is undiscovered does not mean that an exploit will not surface.
In short: serious vulnerabilities are being found in common applications. All the while they are left unpatched, an attacker finding an exploit becomes increasingly likely.
Finally, the report shows that 92.5% of Top 50 applications had a patch available on the day a vulnerability was disclosed. It is possible to close vulnerabilities quickly and efficient, providing that the relevant update is applied.
Unfortunately, that leaves one in ten vulnerabilities in the wild after disclosure. While vendors are clearly working to minimise time-to-patch, there is still work to be done in making important updates available sooner.
And, of course, the availability of a patch does not secure your applications. Putting it into practice remains the task of administrators and IT teams.
In short: software vendors are working to secure their applications. But closing application vulnerabilities isn’t entirely in their hands.
If you want to improve your understanding of the software vulnerability threat, don’t miss the vulnerability review in full.
In it, you’ll find out:
• Why your third-party applications continue to present the biggest risk
• The scale of vulnerabilities in commonplace software including browsers and PDF readers
• The most common attack vectors available to attackers