The Most Vulnerable Software in 2016 (and Why Updates Are Fundamental)
Vulnerabilities galore! But remember they’re not all alike
They say that you should look to the past (to learn from it) to know what to expect from the future. This is especially true in the cyber security field, where not only do we have to learn fast, but also practice what we learn even faster.
Today I want to look at the most vulnerable software in 2016, to help you understand what has changed and how these changes impact our online (and sometimes offline) lives.
As we all know by now, 2016 was the most eventful year in cyber security… ever! Considering what challenges lie ahead, we can expect that 2017 will take the crown 12 months from now. However, until then we must proceed step by step.
The reason for this short analysis is to help you identify some of the sources that make your system vulnerable to cyber attacks. Not only that, but I’ve also included protection tips on how to deal with them.
Where the data comes from
In order to do this, I’ve gathered the data below from CVE Details, which is a point of reference for the industry and provides detailed information on software vulnerabilities.
For those who are new to the subject, a brief definition for the term “vulnerability” can be found in our cyber security glossary:
A vulnerability is a hole in computer security that leaves the system open to damages caused by cyber attackers.
Software vulnerabilities are defined by 3 factors:
- The existence of a flaw in the software
- The possibility for an attacker to gain access to the flaw
- The ability of the attacker to exploit that flaw or weakness, using tools or certain techniques.
In this quick examination, we will look not only at the number of vulnerabilities, but we will also take a peek at their severity. This qualitative data is provided by the CVSS system:
The Common Vulnerability Scoring System (CVSS) is an open framework for communicating the characteristics and severity of software vulnerabilities.
Now that the context is set, let’s see what we can learn from last year’s long list of software weaknesses.
The Most Vulnerable Software in 2016
When it comes to publicly disclosed security flaws, the list of top 10 software with most security flaws from 2016 is quite different from the 2015 one, as you can see below:
As you can see, some of the usual suspects remain [cough]Flash Player[cough], some left the top 10 (Mac OS X and iPhone OS), while others made their entry and headed straight for the top (Android).
The number of vulnerabilities alone should not make you want to uninstall this software ASAP. In fact, for many of us, this is not an option (except for Flash – uninstalling Flash is always an option). There is also the impact aspect to it, which we’re going to discuss in the second part of this analysis.
But first, let’s see how things have evolved in the past 3 years for the software that millions use on a daily basis, which directly impacts their security level.
Operating systems with the biggest market share – Windows 7 (48,34%) and Windows 10 (24,36%) – are actually not the ones with the most vulnerabilities in 2016. In fact, Microsoft has put a lot of work into making Windows 10 the most secure Windows to date and, for all intents and purposes, specialists show that this is the case (and could get even better with future updates).
Two Linux versions and two Novell OSs take the top spots, while Mac OS X follows. In spite of the rather sizeable number of vulnerabilities, Mac OS X remains almost impervious to malware attacks (almost being the keyword here – here’s proof).
Operating systems market share in December 2016
If you’re still on Windows XP, we highly recommend you upgrade to a newer operating system, because XP is an open invitation to all kinds of cyber attacks, since it doesn’t get security updates anymore.
Mobile & IoT
As mobile devices and the Internet of Things comprise millions of Internet-connected devices scattered across the world, it’s only natural that we check them out as well, especially since Android dominates by the number of vulnerabilities.
But here’s the catch: one of the reasons that Android tops the vulnerable software list is the effective bug bounty program that Google put in place for it. The program offers hefty rewards to those who can find weaknesses in the most used mobile OS in the world. They also have to provide a proof of concept for the security hole and a patch for it in order to get the full amount of the reward.
As a result, Android has over 500 publicly disclosed vulnerabilities in the CVE Details database:
Unfortunately, the number of vulnerabilities in Android is not the only issue. Many of them were quite severe, allowing cybercriminals to execute malicious code, corrupt the devices’ memory, gain information or privileges, cause denial of service or do other types of damage.
And cyber threats targeting Android specifically were abundant as well. From MazarBOT to HummingBad and beyond. With millions and millions of Android-powered devices in use, it’s only natural that cybercriminals would try to turn them into cash cows.
Going beyond Android, it’s important to note that the number of iOS vulnerabilities has dropped considerably.
Also, IoT operating systems are only beginning to grow and get included in vulnerability databases, so we recommend you keep an eye on this category as you get more Internet-connected gadgets at home.
Browser security plays a huge part in your online protection, because it’s the main way that we access the Internet. This is the main reason why you should care if you’re using the latest version (always recommended) or an outdated one.
As you can see below, the most used browsers in the world have had their issues in 2016, and cybercriminals did not hesitate to pounce when the opportunity arose.
By taking a look at browser usage by version number, we can see that:
- More than half of Chrome users run outdated versions
- 3/4 of Internet Explorer/Microsoft Edge users have older versions installed
- 1/3 of Firefox users don’t use the latest variant of this browser
- And 1/3 of Safari users do the same.
Browser market share in December 2016:
That leaves a market of millions open to attacks that feed malware into computers by exploiting security holes in vulnerable browsers. And many of these attacks take advantage of weaknesses that have already been patched in the latest version. Some vulnerabilities targeted in malicious campaigns can be a few years old!
If you need a quick way to check if your browsers are up to date, just open this link in each browser you have installed: https://www.whatismybrowser.com/.
A key reminder here is to be careful and avoid common tricks online attackers use. Sometimes, they disguise attacks as updates for your browsers. As you can imagine, clicking on the presumed update will infect your computer and may cause both financial damage and data leakage.
Two recent examples include malicious, fake updates for Firefox and Chrome. You’d be surprised how many Internet users get fooled by this. It’s not even because they’re new to the Internet, but rather because they’re not aware of the dangers and get carried away in their haste to get what they need.
In order to avoid such risky situations, you can turn auto-update on when available or automate your updates for free and save some time and hassle in the process.
When it comes to other pieces of software we use in our daily work (or fun), the usual suspects are under scrutiny. Acrobat with all its versions (Acrobat DC and Acrobat Reader DC) and Flash Player are the most troublesome in this small chart.
As an alternative to Acrobat Reader, you can use Foxit Reader (which only had 8 vulnerabilities last year). As for Flash, we’ve discussed this issue in a dedicated guide that continues to be relevant to this day. The conclusion here is that life without Flash is not only possible, but better.
Not all vulnerabilities are created equal
As I mentioned when discussing the state of Android vulnerabilities, the number of security holes is not the most relevant indicator by itself. We also need a qualitative perspective, which is given by the CVSS score (defined in the introduction).
Here’s what happens: if a software maker has a good program in place for finding and patching security holes (internally, through a public bug bounty program or both), the number of publicly disclosed vulnerabilities will naturally be higher.
But tens of minor weaknesses can be outweighed by a single, critical vulnerability that can affect users severely. That is why it’s important not to equate quantity with quality.
In the table below:
1. Vulnerabilities are labeled “Low” severity if they have a CVSS base score of 0.0-3.9.
2. Vulnerabilities are labeled “Medium” severity if they have a CVSS base score of 4.0-6.9.
3. Vulnerabilities are labeled “High” severity if they have a CVSS base score of 7.0-10.0.
Source: National Vulnerability Database
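As an added illustration of this point (not part of the original post), the script below classifies a constructed set of vulnerability records into these bands and shows how ranking products by raw count and ranking them by High-severity count can disagree. The product names and scores are assumed sample data, not real CVE entries.

```python
# Added example (not from the original post): why counting CVEs per product
# is misleading without looking at CVSS severity. Product names and scores
# below are constructed sample data, not real CVE entries.

def severity_band(cvss_base):
    """Map a CVSS base score to the NVD band quoted on the page:
    Low 0.0-3.9, Medium 4.0-6.9, High 7.0-10.0."""
    if not 0.0 <= cvss_base <= 10.0:
        raise ValueError(f"CVSS base score out of range: {cvss_base}")
    if cvss_base < 4.0:
        return "Low"
    if cvss_base < 7.0:
        return "Medium"
    return "High"

# Constructed sample: (product, CVSS base score) pairs, no CVE identifiers.
SAMPLE_CVES = [
    ("ProductA", 2.1), ("ProductA", 3.5), ("ProductA", 1.9), ("ProductA", 3.9),
    ("ProductA", 2.6), ("ProductA", 0.0), ("ProductA", 4.3), ("ProductA", 5.0),
    ("ProductB", 7.5), ("ProductB", 9.3), ("ProductB", 10.0),
    ("ProductC", 4.0), ("ProductC", 6.9), ("ProductC", 7.0), ("ProductC", 3.9),
    ("ProductC", 5.0),
]

def summarize(records):
    """Per product: total count, count per band, and share of High findings."""
    summary = {}
    for product, score in records:
        entry = summary.setdefault(
            product, {"total": 0, "Low": 0, "Medium": 0, "High": 0})
        entry["total"] += 1
        entry[severity_band(score)] += 1
    for entry in summary.values():
        entry["high_share"] = round(entry["High"] / entry["total"], 2)
    return summary

def rank_by(summary, key):
    """Products ordered by one summary field, largest value first."""
    return sorted(summary, key=lambda p: summary[p][key], reverse=True)

if __name__ == "__main__":
    s = summarize(SAMPLE_CVES)
    print("by raw count:  ", rank_by(s, "total"))   # ProductA leads
    print("by High count: ", rank_by(s, "High"))    # ProductB leads
    for product in rank_by(s, "high_share"):
        print(product, s[product])
```

The product with the most entries has no High findings at all, while the one with the fewest entries is entirely High: the ranking a patching team should act on is the second one.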
As you can see, Adobe’s software, and Flash in particular, doesn’t really fare well from this perspective. We’re not building a case against it, but it’s undeniable that Flash is a problem for every Internet user out there.
Where is the danger?
A recent malicious campaign we detailed in a security alert shows exactly why vulnerable apps pose a huge risk to their users.
In that alert, we showed how a string of vulnerabilities in Flash Player, Silverlight, Internet Explorer and Edge were used to infect computers with Cerber ransomware, one of the strongest types of encrypting malware, for which there is no decryption key available.
The thing is that the security holes used in the attack had already been patched in 2016, and some of them in 2015 (!).
This is exactly why security experts insist on patching and its fundamental role in keeping systems and data safe for everyone involved.
How to avoid risky software vulnerabilities
The solution is super simple here: keep your software up to date at all times!
How to get started:
1. Check the list of apps you have installed. Sort by “Installed On” to see software you may have forgotten about.
2. Uninstall what you don’t need and do a major spring cleaning (works in every season, not just during spring).
3. Automate your software updates to save time and energy, and remember to always, always install operating system updates as well!
Did you come across any issues with software vulnerabilities last year? Share your stories in the comments below.