Sure, zero-days increased. But so did just about all other
vulnerability stats. 2014 was a busy year, as the Secunia report
shows.
By Kasper Lindgaard, Secunia Director of Research and Security
Data just published in the Secunia Vulnerability Review 2015 gives some perspective to the
challenges IT security teams face when it comes to managing vulnerabilities in their
environment:
For one thing, the number of zero-day vulnerabilities took a big leap in 2014. But the
spectacular zero-day vulnerabilities are of course just the tip of the iceberg; the day-to-day
trials for IT teams are shaped by the 18% increase in vulnerabilities over 2013. In fact, in
2014 Secunia recorded 15,435 vulnerabilities, distributed across no fewer than 3,870 products
from 500 different vendors.
Naturally, not all 15,435 vulnerabilities deserve the same attention as, for example, a zero-day
in Adobe Flash. Depending on a combination of criticality ratings, market shares and how the
individual end user, private or corporate, is using the vulnerable product in their infrastructure,
some vulnerabilities are a bigger threat than others!
The good news in the report is that out of all the 15,435 vulnerabilities, as many as 83% actually
had a security patch available on the day the vulnerability was disclosed. However, 30 days
after the day of disclosure, that number is only up to 84.3% of vulnerabilities, indicating that if a
patch is not available on the first day, the vendor does not prioritize patching the vulnerability.
Bundling open source applications and libraries
As the several incidents in 2014 involving vulnerabilities in open source applications and
libraries demonstrate, not all vendors can be relied upon to inform their users when a
vulnerability in a bundled open source component affects their products.
In fact, as examples in the Secunia Vulnerability Review show, when we look at the number of
days that elapsed between the disclosure of an OpenSSL vulnerability and the moment a
third-party vendor informed its customers that its product was affected, we find no general
pattern in response times. Consequently, organizations cannot presume to be able to predict
which vendors are dependable and quick to react when vulnerabilities are discovered in
products bundled with open source libraries.
Obtaining full visibility to ascertain risk is not simple, and in addition to known vulnerabilities in
known products in the infrastructure, users have to deal with vendors bundling their products
with open source applications and libraries, complicating the customers’ chance of knowing
which products are in fact present on their systems.
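The two measurements the article leans on (the share of vulnerabilities with a patch available on the day of disclosure versus 30 days later, and the lag between an open source library's disclosure and a bundling vendor's advisory) are easy to track for your own inventory. The following Python is an added example and is not Secunia's data or tooling; every vendor, product, version, date and identifier in it (such as `UPSTREAM-0001`) is constructed, and the `inventory` of bundled components stands in for whatever software inventory or SBOM a team actually maintains.

```python
"""Vulnerability-management metrics over a constructed sample dataset.

Added example (not Secunia's data or code). It computes:
  1. the share of vulnerabilities with a patch available within N days
     of disclosure (N = 0 is "patched on the day of disclosure");
  2. for products that bundle a vulnerable open source library version,
     how many days passed before the bundling vendor published an
     advisory, and which products have no advisory at all.
All records below are constructed; identifiers are placeholders.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, FrozenSet, Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class Vuln:
    vuln_id: str
    product: str
    disclosed: date
    patch_available: Optional[date]  # None: no patch published yet


def patch_coverage(vulns: Iterable[Vuln], within_days: int) -> float:
    """Fraction of vulnerabilities patched no later than `within_days` after disclosure."""
    vulns = list(vulns)
    if not vulns:
        return 0.0
    covered = sum(
        1 for v in vulns
        if v.patch_available is not None
        and (v.patch_available - v.disclosed).days <= within_days
    )
    return covered / len(vulns)


@dataclass(frozen=True)
class BundledComponent:
    vendor: str
    product: str
    component: str  # upstream library name, e.g. "openssl"
    version: str


@dataclass(frozen=True)
class UpstreamVuln:
    vuln_id: str
    component: str
    affected_versions: FrozenSet[str]
    disclosed: date


@dataclass(frozen=True)
class VendorAdvisory:
    vendor: str
    product: str
    upstream_vuln_id: str
    published: date


Key = Tuple[str, str, str]  # (vendor, product, upstream vuln id)


def vendor_response_lags(upstream: Iterable[UpstreamVuln],
                         inventory: Iterable[BundledComponent],
                         advisories: Iterable[VendorAdvisory]) -> Dict[Key, Optional[int]]:
    """For every product bundling an affected component version, days from the
    upstream disclosure to the vendor's advisory, or None if none was published."""
    published_by_key = {(a.vendor, a.product, a.upstream_vuln_id): a.published
                        for a in advisories}
    inventory = list(inventory)
    lags: Dict[Key, Optional[int]] = {}
    for uv in upstream:
        for comp in inventory:
            if comp.component != uv.component or comp.version not in uv.affected_versions:
                continue  # not bundling this library, or an unaffected version
            key = (comp.vendor, comp.product, uv.vuln_id)
            published = published_by_key.get(key)
            lags[key] = None if published is None else (published - uv.disclosed).days
    return lags


def unnotified_products(lags: Dict[Key, Optional[int]]) -> List[Key]:
    """Products whose bundled component is affected but whose vendor said nothing."""
    return sorted(k for k, days in lags.items() if days is None)


# --- constructed sample data (placeholders, not real advisories) -------------
D = date(2014, 4, 1)
SAMPLE_VULNS = [
    Vuln("V-1", "AppA", D, D),                    # patched on disclosure day
    Vuln("V-2", "AppB", D, D),
    Vuln("V-3", "AppC", D, D),
    Vuln("V-4", "AppD", D, date(2014, 4, 21)),    # patched 20 days later
    Vuln("V-5", "AppE", D, None),                 # still unpatched
]
SAMPLE_UPSTREAM = [UpstreamVuln("UPSTREAM-0001", "openssl",
                                frozenset({"1.0.0-placeholder"}), D)]
SAMPLE_INVENTORY = [
    BundledComponent("VendorA", "AppA", "openssl", "1.0.0-placeholder"),
    BundledComponent("VendorB", "AppB", "openssl", "1.0.0-placeholder"),
    BundledComponent("VendorC", "AppC", "openssl", "2.0.0-placeholder"),  # unaffected
    BundledComponent("VendorD", "AppD", "zlib", "9.9-placeholder"),        # other library
]
SAMPLE_ADVISORIES = [VendorAdvisory("VendorA", "AppA", "UPSTREAM-0001", date(2014, 4, 3))]

if __name__ == "__main__":
    print(f"patched at disclosure: {patch_coverage(SAMPLE_VULNS, 0):.1%}")
    print(f"patched within 30 days: {patch_coverage(SAMPLE_VULNS, 30):.1%}")
    lags = vendor_response_lags(SAMPLE_UPSTREAM, SAMPLE_INVENTORY, SAMPLE_ADVISORIES)
    for key, days in sorted(lags.items()):
        print(key, "no advisory" if days is None else f"{days} day(s)")
```

The point of `unnotified_products` is the article's caveat: a product that bundles an affected library version and has no vendor advisory is still exposed, so exposure has to be derived from the component inventory rather than waited for in vendor announcements.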
54 Cyber Warnings E-Magazine – March 2015 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide