Among 20 products found to have the most vulnerabilities in recent months, there were seven publicly disclosed zero-days that impacted end users and enterprises, security firm Secunia found. And the early figure points to another year over year increase in the number of known zero-day threats.
On Wednesday, Secunia released its quarterly “Vulnerability Update” report (PDF), noting that it defined a zero-day vulnerability as a “vulnerability that is actively exploited by hackers before it is publicly known.”
“It can be either patched or unpatched on the day it is disclosed to the public – the requirement is that it needs to have been exploited in the wild before disclosure,” the report explained. The firm also noted that its findings were based specifically on 20 products, designated as having the most vulnerabilities between February and April 2015.
Secunia determined the "Top 20" products by analyzing vulnerabilities found in more than 50,000 products verified by Secunia Research and recorded in the Secunia Vulnerability Database, the report said. Among the Top 20, Secunia found 1,691 new vulnerabilities in the three month period.
Noting that the seven disclosed zero-days in the first four months of 2015 were all in Adobe Flash Player (4 zero-days) and Microsoft Windows (3 zero-days), Secunia found that the numbers supported its "prediction that [it] would see a continuation of the 2014 trend, where the number of zero-days increased quite dramatically.”
In its annual vulnerability report, released in March, Secunia found that, altogether, 25 zero-day vulnerabilities were identified in 2014, up from 14 reported the previous year. Furthermore, 20 of the zero-day bugs last year were discovered in the 25 most popular products, including Flash Player.
The firm's recent report stated that, although the persistently high number of zero-days was concerning, it might also be worrying if the market saw a “dramatic drop in zero-days” from the final quarter of 2014 to the start of this year.
“This could be a sign that the industry is failing to discover a lot of zero-days out there," the report continued. "And it goes without saying: the only thing worse than a zero-day you know, is a zero-day you haven't met yet!”