Don't forget non-mainstream platforms in patching regime, Secunia warns

Some 2211 new software vulnerabilities were discovered over the past three months alone, the latest quarterly audit by security solutions provider Secunia has found.

IBM was named as the vendor with the most vulnerable products over the past 3 months, with the Avant Browser named as the single most exposed product with 206 vulnerabilities attributed to its combination of both Chrome and Firefox rendering engines – and their attendant vulnerabilities.

CSOs needed to be careful to evaluate risk across all of their technology platforms, Secunia advised, and needed to ensure they patched even less-mainstream operating systems and applications as well as the Windows and Linux server platforms – previously flagged by security firm Trustwave as having the “[[xref:http://www.cso.com.au/article/453728/trustwave_linux_platforms_worst_response_time_patching/ |worst response time]]” for patching – that get most mainstream attention.

“Rather than keeping an eye on the news stories about vulnerabilities as they pop up,” the report warns, “you are much better off simply realizing that all software, hardware, middleware and firmware is potentially and probably vulnerable and that the product name doesn’t guarantee much – certainly not impregnable code.”

Google's Chrome browser topped May's [[xref:http://secunia.com/resources/reports/vulnerability-update/ |Secunia Vulnerability Update]] leaderboard with 54 vulnerabilities, but was pushed out of the top 20 in June as a host of tools from pfSense, AlienVault, IBM and Microsoft climbed ahead of it. The Avant Browser trumped them all in July, with its 206 vulnerabilities putting blue sky between it and IBM Flex System Manager Node (140 vulnerabilities), Apple's Mac OS X (91 vulnerabilities), Oracle Solaris 11 (50 vulnerabilities), Microosft Windows Server 2012 (49 vulnerabilities) and other platforms.

Earlier this year, the 2015 Worldwide Network Barometer published by integration giant Dimension Data found that 48 percent of Australia's network equipment is so old that it's no longer eligible to receive security patches; despite this, many Australian companies were [[xref:http://www.cso.com.au/article/576505/priority-based-patching-extending-lifespan-outdated-equipment-dimension-data/ |responding reactively]] by only upgrading equipment on a case-by-case basis.

Most businesses [[xref:http://www.cso.com.au/article/562159/report-most-companies-fail-keeping-track-patches-sensitive-data/ |lack formal systems]] for tracking sensitive data or managing patch management, according to a recent Trustwave report. To make the situation even harder, Secunia's surveys have seen wide variations in the list of most-vulnerable products over time, highlighting what Secunia director of research and security Kasper Lindgaard said was a reminder for IT-security staff that patching regimes needed to extend across the entire IT infrastructure.

“You shouldn't assume that, by patching the 10 high-profile software names that spring to mind when you think about what is in your infrastructure, you are all set and secure,” Lindgaard said in a statement.

“Keeping track of what makes your environment vulnerable is an ongoing and complex task that requires a combination of vulnerability intelligence and visibility of applications, devices and business critical data in your systems.”

Read more: Cybersecurity careers suffering brand-recognition problems amongst young Australians

Other recent Secunia research found that Australian PC users were [[xref:http://www.cso.com.au/article/580892/australian-pc-users-worse-patching-windows-than-new-zealanders-both-lead-us-secunia/ |worse at keeping their Windows PCs up to date]] than New Zealanders, but still well ahead of their US counterparts.

Recognising that patching has become an unwieldy challenge in increasingly fragmented IT ecosystems – and that attackers are [[xref:http://www.cso.com.au/article/570934/new-attacks-suggest-leeway-patching-flash-player-shrinking/ |rapidly taking advantage]] of windows of opportunity around unpatched bugs – vendors have recently stepped up their efforts to facilitate the process for their corporate clients. Microsoft, significantly, has made the application of [[xref:http://www.cso.com.au/article/574506/windows-10-will-kill-off-patch-tuesday-microsoft-pushes-constant-stream-updates/ |patches in Windows 10]] both [[xref:http://www.cso.com.au/blog/cso-bloggers/2015/08/04/patching-fast-or-testing-vastly/ |transparent and automatic]], while makers of Android-based devices have recently [[xref:http://www.cso.com.au/article/581328/android-device-makers-release-monthly-security-fixes/ |stepped up their efforts]] in applying Android security patches.


Blast from the past?

Read more: Security Watch: Verizon 2015 Data Breach Investigations Report – sophistication and old techniques come together

Try our new Space Invaders inspired video game NOW.

What score can you get ?


Tags dimension datasecuniasecurity patchessoftware vulnerabilitiesIT-securityVulnerability Updatenon-mainstream platformAustralian PC usersKasper LindgaardGoogle's ChromeIBM Flex System Manager NodeApple's Mac OS X

Show Comments