Heimdal Security just completed a widespread intelligence analysis of system software vulnerabilities. Our data clearly shows that the problem of software vulnerabilities is actually growing, even though you may think that companies have already got better at closing security gaps faster.


The Bad News



The main problem here is that the time between patches does not keep up with the large number of vulnerabilities that continue to appear.

Some vendors are improving though.

Security holes in software are arguably one of the most used attack vectors malicious hackers employ in a modern IT environment, with exploits accounting for 60 – 90% of attacks, depending on which data you look at.

This is precisely one of the reasons why you would think that software companies should be very quick at closing their security gaps, but the actual situation indicates quite the opposite.

If we take a quick look at the most vulnerable 3rd party software in the market, the list narrows in on some of the most used software components in the world.


The Numbers Speak for Themselves



The top 4 pieces of most commonly used vulnerable 3rd party software in 2012 / 2013 / 2014 are:

  1. Oracle Java Runtime environment
  2. Adobe Acrobat Reader
  3. Adobe Flash Player / Plugin
  4. Apple Quicktime

Of these 4, Adobe Flash Player accounts for 314 registered vulnerabilities alone in 2015. That comes to 26 vulnerabilities PER MONTH! The next piece of software on the list is Acrobat Reader with 130 vulnerabilities or 10,8 per month, still quite high, but not as extreme.

Placing them in a table, the 4 appear as below for 2012 / 2013 / 2014 / 2015 respectively:

most vulnerable software per year

top software vulnerabilities per month

Source: www.cvedetails.com

If you look closely at the numbers, it is highly concerning that Java has an average of roughly 9 new vulnerabilities discovered every month. That is an extreme number. Looking at Adobe’s products, that number is significantly lower but still very alarming, ranging from 3 vulnerabilities on average in Acrobat Reader to 4 in Adobe Flash Player.

The only decent performer in the field is Apple with their Quicktime software, which has approximately 1,2 vulnerabilities per month and that number appears to be decreasing, while the others show no general improving trend.

On its own it might not be a concern that the numbers of vulnerabilities are high, but for Java, for example, the number of vulnerabilities is actually higher than on some Windows operating systems.

Not only that, the severity of the vulnerabilities above is extreme as well.

The average severity of each of the vulnerabilities on these products is listed below with a CVSS (Common Vulnerability Scoring System) score, where a score of 7-10 means HIGH severity!

cvss scores for most vulnerable software 2015

Source: www.cvedetails.com

When the data is plotted on a graph, it indicates that all 4 products are clearly at or above the critical-severity threshold on average.

average cvss score for most vulnerable apps

So not only is the number of vulnerabilities highly alarming, but it also represents an important attack vector which poses a severe security risk for our computer systems. That becomes relevant because a very commonly used attack vector on our systems today is linking to URLs which point to malicious content that can exploit known software vulnerabilities.

In fact, another recent study performed by Heimdal and one of its partners showed that 27% of all delivered emails contain malicious URLs, which try to access your PC by using malicious code or exploits.

Naturally, all this concern about exploits only becomes relevant if these 4 pieces of 3rd party software we cover in this article are actually being used, so we looked into that as well. The data stacks up as below, and we took the liberty of combining it with the severity score.

top vulnerable software prevalence
Source: Heimdal Security

If we place the data on a visual graph, we notice a clear market evolution for Adobe Acrobat Reader and the high average usage of Oracle Java.

software usage on windows business systems

Source: Heimdal Security

All this data is more than scary. Intelligence shows that usage of Java, Acrobat Reader and Adobe Flash Player is very common on business computers and has been for a while. The good news is that Flash usage has dropped significantly, mainly because HTML 5 replaced the need for having it installed, but also because Flash was a preferred attack vector in 2015. Meanwhile, the widespread usage of software is most likely linked to the fact that we consume more and more data on the computer, and that we access a broader variety of software to do so.

Most likely, your private computer system is not much different from a standard business computer, therefore consumers, as well as companies, should be very aware there is a crucial risk here.


Corporate Security Risks are High



We now know 4 key facts which should have your full attention, since they put you or your corporate data at risk:

  1. The top 4 pieces of vulnerable 3rd party software are and have always been vulnerable to attacks
  2. Vulnerabilities are severe and there is a high number of them!
  3. Most computer systems actually use a minimum of 3 of the top vulnerable software products presented here
  4. Cyber criminals commonly exploit and develop attack vectors for these vulnerabilities

Knowing all this, you may think that manufacturers keep us safe by quickly fixing these problems for their users and customers. Well, our analysis indicates that is not the case.

patch frequency for most vulnerable software

Source: www.heimdalsecurity.com

Take a look below at the graphic which illustrates the data:

patch frequency visualized

Despite the fact that vulnerabilities are of a severe nature (close to wide open) and the fact that in Oracle and Adobe’s cases there are plenty of vulnerabilities to choose from, the time between patches is quite frightening, even though it has dropped in 2015. On average, a patch for Adobe Flash is released every 2 months and for Apple Quicktime every 6 months.

Vulnerabilities in Adobe Acrobat Reader are patched significantly faster, averaging one patch every month, and Oracle Java has managed to reach the same patching pace. But imagine what a cyber attacker could have done in the 6 months while Apple patched Quicktime! Moreover, Apple even discontinued support for Quicktime on Windows in April 2016.

With that in mind, we took the liberty of calculating the average number of vulnerabilities discovered before a patch is released. Bear in mind that vulnerabilities may be discovered in blocks and not 1 by 1, which might skew the data a little. We combined this with the % of systems they are installed on, just to give you an idea of the extent of the problem.

number of vulnerabilities between patches

We tried to illustrate the data analyzed, so that you may have an easy overview of the problem, which got out of hand in 2015:

vulnerabilities between patches visualized
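The "vulnerabilities between patches" metric above is an average, and the caveat about block disclosures matters: the mean hides how many vulnerabilities pile up before a single patch and how long each one stays public. The following added example (not Heimdal's own methodology or data; the CVE and patch dates are constructed) shows how the metric is computed from dated events, and adds the per-interval maximum and the exposure window in days, which the average alone does not reveal.

```python
from datetime import date
from statistics import mean

# Constructed sample data (NOT taken from the article): publication dates of
# CVEs for a hypothetical product in 2015, and the vendor's patch release dates.
# Repeated dates model vulnerabilities disclosed as a block.
CVE_DATES = [
    date(2015, 1, 14), date(2015, 1, 14), date(2015, 1, 14),
    date(2015, 2, 3), date(2015, 3, 20), date(2015, 4, 9),
    date(2015, 6, 23), date(2015, 6, 23), date(2015, 9, 8),
    date(2015, 11, 11), date(2015, 11, 11),
]
PATCH_DATES = [date(2015, 2, 10), date(2015, 4, 14), date(2015, 6, 9),
               date(2015, 8, 11), date(2015, 10, 13), date(2015, 12, 8)]


def vulns_between_patches(cve_dates, patch_dates):
    """Count CVEs published in each interval closed by a patch.

    A CVE published after patch N-1 and on or before patch N is attributed to
    the interval closed by patch N. CVEs published after the last patch are
    still unpatched and are returned separately instead of being dropped.
    """
    patches = sorted(patch_dates)
    counts = [0] * len(patches)
    unpatched = 0
    for d in sorted(cve_dates):
        for i, p in enumerate(patches):
            if d <= p:
                counts[i] += 1
                break
        else:  # no later patch exists yet
            unpatched += 1
    return counts, unpatched


def exposure_days(cve_dates, patch_dates):
    """Days each CVE stayed public before the next patch (None if never patched)."""
    patches = sorted(patch_dates)
    return [next(((p - d).days for p in patches if p >= d), None)
            for d in sorted(cve_dates)]


def summarize(cve_dates, patch_dates):
    """Mean vs. worst-case vulnerabilities per patch, plus exposure window."""
    counts, unpatched = vulns_between_patches(cve_dates, patch_dates)
    exp = [e for e in exposure_days(cve_dates, patch_dates) if e is not None]
    return {"per_patch_mean": mean(counts), "per_patch_max": max(counts),
            "unpatched": unpatched, "exposure_mean_days": mean(exp),
            "exposure_max_days": max(exp)}
```

On the constructed data the mean is under 2 vulnerabilities per patch, yet one interval accumulated 4 and two CVEs stayed public for 49 days, which is the kind of skew the article warns about.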

So why are vulnerabilities a big problem for software manufacturers to deal with?

Well, naturally, software manufacturers want to offer more and more features to their users and keep their software cutting edge. By adding new features, they also introduce new flaws and loopholes for attackers to use and exploit, creating more opportunities for cyber criminals who try to obtain your data.


So what can you do to protect yourself or your company?


  • Make sure your 3rd party software is as up to date as possible, at all times. You can use an external tool to keep your software patched for you.
  • Protect yourself using a Traffic checking service, such as Heimdal Pro/Corp, because most exploit attacks have a vector originating from the Internet. Corporations should potentially add a Bluecoat, CSIS Secure DNS, Palo Alto or Fireeye solution for an extra layer of centralized scanning.
  • Use a corporate spam filter to remove phishing or exploits focused on malicious emails. This way, you have 2 layers of protection against malicious URLs which may be heading for your computer. Consumers can use a client-based filter and businesses can use a centralized solution.

*This article was first published in August 2014, and updated in May 2016.

Comments

[…] malicious code embedded into the website (usually an exploit kit) starts scanning your computer for security vulnerabilities. Just so you know, the security holes on your PC are usually created by outdated apps of all kinds, […]

[…] commonly found in 99% of computers and thus, the hit rate of finding a software to exploit is high. We have recently covered the risks in these types of software, even though they are fully […]

[…] Cyber criminals are having a “field day” with software vulnerabilities – We’ve been warning about software vulnerabilities for a very long time. Here’s […]

[…] software vulnerabilities occur when we miss to install the latest security updates and patches. It may be your operating […]

[…] leaking each month, this explosion can only by connected to the high number of data breaches that occurred in […]

[…] have already pointed out in a series of articles the main issues created by software vulnerabilities and what you can do to stay safe from […]

[…] of users respond positive to these questions and most online attacks take place by using vulnerabilities unpatched from these software […]

[…] more details, we invite you to read the entire article.  It is still a relevant piece of information for our […]

[…] browser (or application) vendors which are late in discovering and patching security vulnerabilities. We have already covered this issue regarding the applications’ slow patching process in this article. […]

[…] of software vulnerabilities present in popular programs and applications, as it is revealed by this article, is a popular method used by online […]

[…] security analysts released an intelligence analysis of software vulnerabilities that indicates a growing problem for the IT […]

[…] new security threat caused by software vulnerabilities confirmed our established perspective, where we tried to warn all those affected by these security exploits. For us, this new issue is […]

[…] The release frequency of critical security patches is far too low to cope with the massive and severe vulnerabilities in popular 3rd party software, such as Oracle Java, Adobe Acrobat Reader, Adobe Flash Player and Apple Quicktime.  […]

[…] it becomes obvious that 2013 was an extreme outlier, showing soaring public vulnerability numbers, in particular for Java, which reached a stunning total of […]