2014's vulnerability surge left Mac OS, iOS more exposed than Windows

The rate of new software vulnerabilities jumped dramatically between 2014 and 2013, with 19 new vulnerabilities disclosed every day last year and an upwards trend suggesting things could only get worse this year.

An analysis of the US National Vulnerability Database, the central repository for vulnerability-related reports, found that some 7038 new vulnerabilities were disclosed during 2014 – up from 4794 vulnerabilities in 2013 and 4347 in 2012.

The number of vulnerabilities rated as being of high severity also grew during the year, with the 1705 such vulnerabilities added to the database in 2014 accounting for 24 percent of all vulnerabilities detected during the year.

The analysis was conducted by Cristian Florian, GFI LanGuard product manager with Adelaide-based GFI Software, in an annual exercise that has revealed the disturbing industry trend towards more, not fewer, software vulnerabilities.

Notably, 2014 saw Apple's Mac OS X top the charts with 147 vulnerabilities, including 64 of high severity and 67 of medium severity. Apple's iOS mobile operating system was second most vulnerable, with 127 in total, 32 high severity and 72 medium severity.

The various versions of Microsoft Windows on the market each had around three dozen vulnerabilities, around two dozen of which were of high severity and the remainder medium severity.

“A lot of Windows vulnerabilities apply to multiple Windows versions and because of that there is not a huge difference between the number for the entire Windows operating systems family,” Florian wrote.

The Linux kernel took third place, with 119 vulnerabilities including 24 high-severity and 74 of medium severity. These contributed to what Florian said was “a tough year for Linux users from a security point of view, coupled with the fact that some of the most important security issues of the year were reported for applications that usually run on Linux systems.”

Ranked by the total number of high-severity vulnerabilities, the least secure applications were Microsoft Internet Explorer (220 of 224 total), Google Chrome (86/124), Mozilla FireFox (57/117), Adobe Flash Player (65/76), and Oracle's Java (50/104).

Third party applications were responsible for around 83 percent of all vulnerabilities, with operating systems named in 13 percent of cases and hardware accounting for the remaining 4 percent.

While the products with the most vulnerabilities provide guidance for security managers keen to target their patching and remediation efforts, Florian warned against spending too much time just addressing issues in the products in the report.

“All software products have vulnerabilities,” he wrote, and “the frequency of security updates increases with the product's popularity.... At the end of the day, an IT admin's attention should be on ALL products in his network and not limited to those at the top of the vulnerability list.”

“Neither,” he added, “should the assumption be made that those further down the list are safer. Every software product can be exploited at some point. Patching is the answer and that is the key message.”

This article is brought to you by Enex TestLab, content directors for CSO Australia.

Upcoming IT Security Events

March 3rd, March 5th, March 9th 2015

Join CSO for the day@#csoperspectives and hear from @kimzetter @LeviathanSec

3 International Keynote speakers, 36 Key IT Security Industry Speaker, 21 Exhibitors, Security Analysts and many more.. Register today

Dont miss one of the biggest IT Security events in ANZ (registration is free, but seats are limited)