With all the media attention and dramatic headlines that vulnerabilities in Flash, Java and Internet Explorer get, it is easy to assume that those applications are where all the vulnerability action is. No smoke without a fire, and all that.
And you would be right in surmising that new vulnerabilities are discovered in the mainstream applications very often. It is also correct that, proportionately, many of the vulnerabilities discovered in those applications are rated in the serious end of the criticality scales.
What's missing from the picture more often than not are all the products out there that aren't household names. They have just as many vulnerabilities, but you rarely hear about them, and only if you go looking for the information.
Data just published in the Secunia Vulnerability Review 2015 gives some perspective to what goes on outside of the limelight: In 2014, we recorded 15,435 vulnerabilities, distributed across no less than 3,870 products from 500 different vendors.
Of course, not all 15,435 vulnerabilities deserve the same attention as a zero-day in Adobe Flash. Depending on a combination of criticality ratings, market shares and how the individual end-user – private or corporate – is using the vulnerable product in their infrastructure, some vulnerabilities are a bigger threat than others.
The problem with media attention for software vulnerabilities is not that a handful of big names get most of the air time, because they are in use on both private PCs and in corporate infrastructures. This is a good thing as it helps raise awareness around vulnerabilities, mitigation and security in general. It also keeps the right folks on their toes: vendors to issue security patches, and corporate IT teams to patch and mitigate.
The trouble is the other 3,865 products. Or rather the danger of allowing yourself to think that, if you can check the box next to Java, Flash, Internet Explorer and Google Chrome, you're just about there. You're not, because the other 3,865 products are vulnerable too, even if they didn't make the news.
When we look at just the Top 20 products with the most vulnerabilities in 2014, the list certainly includes household names. But the Top 20 also includes software such as VMware vSphere Update Manager and several IBM products, products that pervade corporate infrastructures but not our private digital spheres. IBM products dominate with a total of eight products out of the 20.
This is largely because IBM likes to bundle its products with third-party software, often including vulnerable libraries such as Java and OpenSSL. That brings us to one of the major lessons we learned from 2014: the security consequences of vendors bundling their software with open source libraries caught the IT community unprepared.
With the Heartbleed vulnerability, and the three subsequent security releases in the open source library OpenSSL, the IT community realized that all the shared code complicates security tenfold because we do not have sufficient insights into which applications are part of the package when we introduce new products into our environment.
The reality is that some vulnerable products may be in our environment without us realizing it because they came in bundled with something completely different. The solution to this problem is not simple: To be on the safe side, organizations need to investigate and map the third-party applications bundled with the products they use in their environment and ensure that they stay apprised of any vulnerabilities that affect them.
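The mapping the last paragraph calls for can be kept as a simple inventory that is inverted by component rather than by product, so the question "where do we actually run OpenSSL?" has an answer before the next advisory lands. The following is an added illustration, not Secunia's tooling; the inventory, the product names and the advisory feed (ids are placeholders, and the OpenSSL range mirrors the Heartbleed-affected 1.0.1 to 1.0.1f releases) are constructed sample data.

```python
"""Map bundled third-party components across a product inventory and flag
the ones that fall inside an advisory's affected version range."""
import re
from collections import defaultdict

# Constructed sample inventory: product -> bundled third-party components.
# The point of the exercise is that OpenSSL and Java appear here only because
# some other product shipped them; nobody installed them deliberately.
INVENTORY = {
    "Example Update Manager 5.5": [("openssl", "1.0.1e"), ("java", "1.7.0_51")],
    "Example Monitoring Appliance 3.2": [("openssl", "1.0.1g"), ("libxml2", "2.9.1")],
    "Example Backup Server 8.1": [("java", "1.6.0_45")],
}

# Constructed advisory feed (ids are placeholders, not real advisory numbers).
# Affected range is [first, last] inclusive in the component's own scheme.
ADVISORIES = [
    {"id": "ADV-placeholder-1", "component": "openssl", "first": "1.0.1", "last": "1.0.1f"},
    {"id": "ADV-placeholder-2", "component": "java", "first": "1.6.0_0", "last": "1.6.0_99"},
]


def version_key(version):
    """Turn '1.0.1e' or '1.7.0_51' into a comparable tuple. Numeric tokens
    compare numerically; a trailing OpenSSL letter sorts after the bare
    release, so 1.0.1 < 1.0.1a < ... < 1.0.1f < 1.0.1g < 1.0.2."""
    return tuple((1, int(tok)) if tok.isdigit() else (2, tok)
                 for tok in re.findall(r"\d+|[a-z]+", version.lower()))


def component_index(inventory):
    """Invert the inventory: component name -> [(product, bundled version)]."""
    index = defaultdict(list)
    for product, components in inventory.items():
        for name, version in components:
            index[name.lower()].append((product, version))
    return dict(index)


def affected(inventory, advisories):
    """Return sorted (advisory id, product, component, version) tuples for every
    bundled component whose version lies inside an advisory's affected range."""
    index = component_index(inventory)
    hits = []
    for adv in advisories:
        low, high = version_key(adv["first"]), version_key(adv["last"])
        for product, version in index.get(adv["component"], []):
            if low <= version_key(version) <= high:
                hits.append((adv["id"], product, adv["component"], version))
    return sorted(hits)


if __name__ == "__main__":
    for advisory_id, product, component, version in affected(INVENTORY, ADVISORIES):
        print("%s: %s bundles %s %s" % (advisory_id, product, component, version))
```

Feeding the same index a fresh advisory is then a lookup by component name rather than a hunt through every product's release notes.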
Kasper Lindgaard is director of research and security at Secunia.