IT administrators had their work cut out in 2014, with security firm Secunia claiming 15,435 new vulnerabilities were discovered in 3,870 products from 500 vendors during the period.
That’s an 18% increase on 2013 and a whopping 55% up on the same stat five years ago, according to the Secunia Vulnerability Review 2015.
What makes matters worse for time-poor IT admins is that 77% of the new vulnerabilities found last year affecting the ‘top 50’ most popular applications were non-Microsoft software. This means each vendor's products might have a different update mechanism for patches.
On the plus side, Secunia found that 83% of all vulnerabilities had a patch available for them on the first day of disclosure, up from 78.5% in 2013. However, the figure only rises to 84.3% after 30 days, indicating that if it’s not available from day one, vendors will usually not prioritize software fixes.
On the open source side of things, Secunia warned that “response times are random” when it comes to major global software vendors patching big name vulnerabilities such as Heartbleed and Shellshock.
It explained:
“If we can deduct anything from the data, it is that organizations should not presume to be able to predict which vendors are dependable and quick to react, when vulnerabilities are discovered in products bundled with open source libraries.”
The spike in the number of vulnerabilities disclosed last year isn’t necessarily the result of an increase in malicious behavior, according to Secunia director of research and security, Kasper Lindgaard.
“I believe that it is primarily due to the industry becoming more aware – it’s a combination of the vendors and the security researchers, who between them discover more vulnerabilities.
However, this doesn’t explain the near 80% jump in the number of zero days discovered.
“Zero-days are certainly a popular tool in APTs and targeted attacks because they enable the attacker to go about his business under the radar – and we have seen a lot of both in 2014,” said Lindgaard.
“We also know that governments are utilizing zero-days in government-sponsored attacks. Furthermore, some of the groups involved in digital crime are also finding and exploiting zero-day vulnerabilities in order to achieve their goals.”
He predicted 2015 would see the discovery of at least the same volume of zero-days.
If that is not the case, then what we should really ask ourselves is: how many vulnerabilities are being exploited in the wild that we don’t know of?” Lindgaard added.
There were 45% more vulnerabilities discovered in Microsoft applications in 2014 compared with the previous year, although the volume of Windows flaws dropped.
Google Chrome came top of the ‘20 core products’ with the most vulnerabilities, with a whopping 504 discovered last year – ahead of Solaris (483), Gentoo Linux (350) and Internet Explorer (289).
However, this is not a direct reflection on how secure or insecure Chrome is, said Lindgaard.
“It is a reflection on how aware Google as a vendor is, regarding the security of Google Chrome,” he argued.
“A large part of vulnerabilities recorded in Google Chrome are discovered, fixed, and disclosed by Google themselves – they put in a lot of resources into identifying the vulnerabilities before hackers do.”