Lazy patching ensures new vulnerability volumes keep rising: GFI

The number of reported operating-system and application vulnerabilities continued to rise during 2013 and is unlikely to slow given the continuing deficiencies in corporate patching strategies, according to the local technology head of GFI Software.

GFI, which develops a number of network and content security tools, has built up a database of more than 50,000 application and operating-system vulnerabilities from a range of sources. It grew by 4794 vulnerabilities over the past year, an average of 13 new vulnerabilities per day.

Around one-third of the new vulnerabilities were classified as 'high severity', meaning that a successful exploit could let an attacker cause considerable damage to the victim's computer.

GFI's APAC technology manager Kris Hansen, who is based at the global company's Australian headquarters in Adelaide, told CSO Australia that “third-party apps are the biggest flaw”. While Microsoft has become relatively more secure because it can remediate vulnerabilities quickly through regular automatic updates, he said, a significant portion of customers in Australia and elsewhere are still skipping many recommended security updates for third-party applications.

“Microsoft are locking down their operating system a bit better, but it's amazing how many computers we go out and find a Java Runtime Environment [JRE] that's three years old,” he said, although the GFI analysis did note that Microsoft still had the largest number of 'high severity' vulnerabilities.

Many of those continued to persist despite the availability of fixes, Hansen said.

“The issue is the scale of actually checking on the third-party patches,” he explained. “Admins I talk with get that this is where the real targets are, but when they have 2000 computers on the network it's just not practical.”
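The scale problem Hansen describes is one of inventory and comparison rather than of patching itself: across thousands of machines, someone has to know which installed version of each third-party application is below the current baseline. The script below is an added example, not GFI's or CSO Australia's code. It reads a constructed software inventory (hostname, product, installed version), compares each entry against an assumed per-product baseline, and aggregates the results per product. The baseline versions and inventory lines are illustrative assumptions, not real data. The one detail worth taking from it is the version parser: comparing version strings as text is a classic patch-audit bug, since `1.7.0_9` sorts after `1.7.0_45` lexically even though it is older.

```python
"""Flag hosts whose third-party applications fall below a patch baseline.

Added example, not GFI's code. Baseline versions and inventory lines are
constructed for illustration and are assumptions, not real data.
"""
import re
from collections import Counter

# Assumed baseline: the lowest version treated as "patched" for each product.
# In practice this comes from the vendor's current release; these are placeholders.
BASELINE = {
    "Java Runtime Environment": "1.7.0_51",
    "Adobe Flash Player": "12.0.0.44",
    "Adobe Reader": "11.0.06",
}

# Constructed inventory: hostname,product,installed version (one entry per line).
INVENTORY = """\
ws-001,Java Runtime Environment,1.7.0_51
ws-002,Java Runtime Environment,1.6.0_29
ws-003,Java Runtime Environment,1.7.0_9
ws-003,Adobe Flash Player,11.9.900.170
ws-004,Adobe Reader,11.0.06
ws-005,Adobe Reader,11.0.3
ws-006,Adobe Flash Player,12.0.0.44
"""


def version_key(version):
    """Turn '1.7.0_45' or '11.9.900.170' into a tuple of ints for ordering.

    Every run of digits becomes one component, so Java's 'major.minor.patch_update'
    form and dotted forms compare correctly without special-casing the separator.
    """
    return tuple(int(part) for part in re.findall(r"\d+", version))


def is_below_baseline(product, installed):
    """True if the installed version is older than the product's baseline."""
    if product not in BASELINE:
        raise KeyError(f"no baseline defined for {product!r}")
    return version_key(installed) < version_key(BASELINE[product])


def parse_inventory(text):
    """Parse 'host,product,version' lines; blank lines and '#' comments are skipped."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, product, installed = (field.strip() for field in line.split(",", 2))
        rows.append((host, product, installed))
    return rows


def audit(text):
    """Return (findings, per_product_counts).

    findings: list of (host, product, installed, required) for out-of-date entries.
    per_product_counts: Counter of how many hosts are below baseline per product.
    """
    findings = []
    for host, product, installed in parse_inventory(text):
        if is_below_baseline(product, installed):
            findings.append((host, product, installed, BASELINE[product]))
    counts = Counter(product for _, product, _, _ in findings)
    return findings, counts


if __name__ == "__main__":
    findings, counts = audit(INVENTORY)
    for host, product, installed, required in findings:
        print(f"{host}: {product} {installed} is below baseline {required}")
    for product, n in counts.most_common():
        print(f"{n} host(s) below baseline for {product}")
```

On a real estate the inventory would come from an asset-management or endpoint agent export rather than an inline string, and the baseline would be refreshed whenever the vendor ships a fix; the comparison logic stays the same.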

Oracle was the vendor with the most reported vulnerabilities by a clear margin, with high-severity vulnerabilities surging from 76 in 2012 to 131 last year and the total rising from 424 in 2012 to 514 in 2013. Java accounted for 193 of these, over 100 of which were classified as 'critical'.

Applications accounted for 75 per cent of reported vulnerabilities in 2013, while operating systems made up 19 per cent, up from 10 per cent in the previous year.

Of the operating systems analysed, the Linux kernel had the largest number of vulnerabilities, with 158 flaws reported – although just 15 of these (9 per cent) were classified as 'high severity'. Microsoft Windows Server 2008, by contrast, ranked second with 104 vulnerabilities during 2013 – but 58 of these (56 per cent) were 'high severity'.

Microsoft Windows XP, which is over a decade old, still saw 88 new vulnerabilities discovered during 2013, including 47 high-severity weaknesses. That was more than double the 42 new vulnerabilities reported in 2012, reflecting an apparent growing interest on hackers' part as the platform enters its final weeks of official Microsoft support.

The discontinuation of security updates for Windows XP has increasingly been fingered as representing a significant security threat to all kinds of businesses, with point-of-sale devices and ATMs among the biggest potential concerns.

Oracle's Java (193 vulnerabilities), Google Chrome (168), Microsoft Internet Explorer (128) and Adobe Acrobat (63) all saw a jump in the number of vulnerabilities during 2013 while Mozilla Firefox (149), Mozilla Thunderbird (113), Mozilla SeaMonkey (104), Mozilla Firefox ESR (100), Mozilla Thunderbird ESR (87), Adobe Flash Player (56) and Adobe Air (48) all saw a decline in the number of new vulnerabilities.

The sheer diversity of solutions was a major contributor to the continued incidence of new vulnerabilities, Hansen said. “If we have different pieces of software talking to each other, if those pieces of software need to talk to each other through a common infrastructure, someone is going to exploit that infrastructure.”

“We're always going to have the problem,” he continued. “While you allow environments to be diverse and to communicate with third parties, it's always going to be this game of trying to stay ahead.”

Copyright © 2014 IDG Communications, Inc.
