Software vulnerabilities are getting less serious over time, audit suggests

Local-network attacks continued to climb in 2015 as a proportion of all software vulnerabilities, according to a software-vulnerability audit that also found the number of 'extremely critical' vulnerabilities remained small but climbed significantly year on year.

The figures – compiled annually by Flexera and published in its Vulnerability Review 2016 – come from monitoring and testing of more than 50,000 applications, appliances and operating systems on the machines of users of Flexera Software's Personal Software Inspector.

The overall number of vulnerabilities grew by 2 percent over 2014 and by 49 percent over five years, reaching 16,081 vulnerabilities in 2,484 applications from 263 vendors. Of these, remote-access vulnerabilities were by far the most common – comprising 81.7 percent of all vulnerabilities – but those that compromise local networks grew from 2.2 percent in 2014 to 3.4 percent in 2015.

Vulnerabilities affecting local systems surged over the year, from 6 percent of all vulnerabilities in 2014 to 14.9 percent in 2015. Some 13.3 percent of vulnerabilities were classified as 'highly critical', while the proportion classified as 'extremely critical' grew from 0.3 percent to 0.5 percent of the total.

Interestingly, a time comparison of the distribution of criticality suggested that vulnerabilities were getting less severe overall, with the proportion of 'not critical' and 'less critical' vulnerabilities increasing significantly since 2010; the proportion classified as 'highly critical' decreased notably over the same period.

The vulnerability audit also evaluated the patching status of several Web browsers and found that Microsoft Internet Explorer was the most consistently patched major browser, with just 9 percent of installations unpatched; Google's Chrome (22 percent), Opera (30 percent) and Mozilla Firefox (39 percent) showed the wide range of patching practices prevalent in the wild.

Time to patch applications was measured in terms of the number of days until a software update was released to remedy a newly discovered vulnerability. Some 84.6 percent of the 50 most-common applications had patches available on the day vulnerabilities were disclosed – representing a slight drop from 86.6 percent the year before.

“Particularly for organizations with a vast array of endpoints to manage (including devices not regularly connected to networks),” the analysis noted, “this means that a variety of mitigating efforts are required to ensure sufficient protection, in support of patch management efforts.”

Such efforts were particularly important for keeping on top of Windows patches, with the various Windows versions accounting for 21 percent of all vulnerabilities. The number of operating-system vulnerabilities has grown strongly over time: from 33 Windows 7 vulnerabilities in 2014 to 144 in 2015, for example, and from 105 Windows 8 vulnerabilities in 2014 to 466 in 2015.

Some 11.8 percent of end users were still running the end-of-life Windows XP as of the end of 2015.

The figures offer new visibility into software-patching capabilities that have long been a weak spot in Australia's overall security profile: a recent country-based Flexera breakdown showed that the average Australian PC user had 79 programs installed from 28 vendors – including insecure and long-deprecated versions of the Java runtime environment, which were still in use by 41 percent of Flexera users.
