Report: More than 15,000 vulnerabilities in nearly 4,000 applications reported in 2014
Of the vulnerabilities in all products in 2014, 11 percent were deemed “highly critical” and 0.3 percent were considered “extremely critical.”
According to research from Secunia, 15,435 vulnerabilities in nearly 3,870 applications were reported in 2014, marking an 18 percent increase in the number of vulnerabilities identified in 2013 and a 22 percent jump in the number of applications.
Kasper Lindgaard, director of research and security at Secunia, told SCMagazine.com in a Friday email correspondence that he believes the rise in reported bugs is attributed to an increased focus on vulnerabilities from researchers and vendors.
“The vulnerability space has been, and is, growing,” Lindgaard said. "There is more attention and more money involved for all stakeholders, and that is what we are seeing in these numbers."
Of the vulnerabilities in all products in 2014, 11 percent were deemed “highly critical” – down from 16.2 percent in 2013 – and 0.3 percent were considered “extremely critical,” which Lindgaard explained is only applied to zero-day bugs.
Altogether, 25 zero-day vulnerabilities were identified in 2014, an increase over the 14 that were reported in 2013. Furthermore, 20 of the zero-day bugs were discovered in the 25 most popular products, such as Adobe Flash Player.
As far as updating is concerned, 83.1 percent of all vulnerabilities had a patch available on the day the bug was disclosed – marking an increase over the 78.5 percent that had a patch immediately available in 2013.
“83 percent is a good number and represents a continued improvement in time-to-patch,” Lindgaard said. "In 2009, only 49.9 percent of vulnerabilities in all products had a patch available on the day of disclosure. It is a big problem that on Day 30 after disclosure, 16 percent still are not patched.”
When it comes to attack vectors, 60.2 percent of vulnerabilities in all products were triggered remotely – a decline from 73 percent in 2013, the report found. The local network vector increased to 33.4 percent in 2014 from 20 percent in 2013, and the local system vector remained stable at 6.4 percent in 2014 from seven percent in 2013.
Lindgaard said the drop in the remote attack vector and rise in the local network vector could be related to the large number of open source bugs disclosed in 2014.
“The common denominator for the products affected by the open source vulnerabilities was that they are primarily found in corporate environments (as opposed to private PCs), in applications that could not be reached from outside the system, but rather could only be accessed through local networks,” Lindgaard told SCMagazine.com.
Other findings include: 1,035 vulnerabilities identified in the five most popular browsers – Chrome, Firefox, Internet Explorer, Opera and Safari – marking a 42 percent increase from 2013. Additionally, 45 vulnerabilities were identified in the five most popular PDF readers – Adobe Reader, Foxit Reader, PDF-XChange Viewer, Sumatra PDF and Nitro PDF Reader.
To manage an increasing number of vulnerabilities being reported each year, Lindgaard said that organizations need complete visibility of applications in use, verified vulnerability intelligence from a trusted source, firm policies and procedures in place to prioritize mitigation, and the right tools to deploy patches and workarounds.
“I hope that the takeaway for readers is a deep-rooted awareness that all applications are potentially vulnerable, and with more than 15,000 vulnerabilities recorded in close to 4,000 vulnerable products in one year, vulnerability management is not a task that can be done manually,” Lindgaard said.