15,435 vulnerabilities across 3,870 applications were recorded in 2014 – that’s an 18% increase in vulnerabilities compared to the year before, and a 22% increase in the number of products. The result was published today in the Secunia Vulnerability Review 2015. Secunia is a leading provider of IT security solutions that enable management and control of vulnerability threats. The Secunia Vulnerability Review 2015 analyzes the evolution of software vulnerabilities from a global, industry and endpoint perspective.

Vulnerabilities are a root cause of security issues – an error in software that can work as an entry point for hackers, and can be exploited to gain access to IT systems. In 2014, 15,435 vulnerabilities were discovered according to data from the vulnerability intelligence experts at Secunia Research. The vulnerabilities are spread across 3,870 applications published by 500 different vendors, and these numbers alone demonstrate the challenge faced by IT teams trying to protect their environment against security breaches.

“Every year, we see an increase in the number of vulnerabilities discovered, emphasizing the need for organizations to stay on top of their environment. IT teams need to have complete visibility of the applications that are in use, and they need firm policies and procedures in place, in order to deal with the vulnerabilities as they are disclosed,” says Kasper Lindgaard, Director of Research and Security at Secunia.

Bundling complicates visibility

Obtaining full visibility to ascertain risk is not simple. In addition to known vulnerabilities in known products in the infrastructure, users have to deal with the opaque area that is bundling: vendors bundle their products with, for example, open source applications and libraries, complicating the customers’ chance of knowing which products are in fact present on their systems.

And, as the several incidents in 2014 of vulnerabilities in open source applications and libraries demonstrate, not all vendors can be relied upon to inform their users when vulnerabilities in open source applications affect their products.

“In fact, as examples in the Secunia Vulnerability Review show, when we look at the number of days lapsed between the times when OpenSSL vulnerabilities were disclosed, until third-party vendors informed of their product being vulnerable, we find that there is no general pattern to response times. Consequently, organizations can not presume to be able to predict which vendors are dependable and quick to react, when vulnerabilities are discovered in products bundled with open source libraries,” says Kasper Lindgaard. 

Patch on Day One or go to Plan B!

For those applications that are known to the security teams, the data for 2014 shows an encouraging trend: Of all the 15,435 vulnerabilities, a full 83% had a security patch available on the day the vulnerability was disclosed to the public. This number represents a continued improvement in time-to-patch, particularly when taking a retrospective view of the last six years and the low of 49.9% recorded in 2009 in all products.

“But numbers also show that while an impressive 83% of vulnerabilities have a patch available on the day of disclosure, the number is virtually unchanged when we look 30 days ahead. 30 days on, just 84.3% have a patch available which essentially means that if it isn’t patched on the day of disclosure, chances are the vendor isn’t prioritizing the issue. That means you need to move to plan B, and apply alternative fixes to mitigate the risk,” says Kasper Lindgaard.

Key findings from the Secunia Vulnerability Review 2015

Total numbers across all applications

1.     In 2014, a total of 15,435 vulnerabilities were discovered in 3,870 products from 500 vendors.

2.     The number of vulnerabilities shows a 55% increase in the five year trend, and an 18% increase from 2013 to 2014. The number of vulnerable products has increased by 22% from 2013 to 2014.

3.     83% of vulnerabilities in all products had patches available on the day of disclosure in 2014.

4.     25 zero-day vulnerabilities were discovered in total in 2014, compared to 14 the year before.

5.     20 of the 25 zero-day vulnerabilities were discovered in the 25 most popular products – 7 of these in operating systems.

6.     11% of the 15,435 vulnerabilities discovered in 2014 were rated as ‘Highly Critical’, and 0.3% as ‘Extremely Critical’.

7.     In 2014, 1,035 vulnerabilities were discovered in the 5 most popular browsers: Google Chrome, Mozilla Firefox, Internet Explorer, Opera and Safari. That is a 42% increase from 2013.

8.     In 2014, 45 vulnerabilities were discovered in the 5 most popular PDF readers: Adobe Reader, Foxit Reader, PDF-XChange Viewer, Sumatra PDF and Nitro PDF Reader.

The 50 most popular applications on private PCs

9.     1,348 vulnerabilities were discovered in 18 products in the Top 50 most popular applications on private PCs.

10.  77% of vulnerabilities in the 50 most popular applications on private PCs in 2014 affected non-Microsoft applications, by far outnumbering the 2% of vulnerabilities found in the Windows 7 operating system or the 21% of vulnerabilities discovered in Microsoft applications.

11.  The 16 non-Microsoft applications only account for 31% of products but are responsible for 77% of the vulnerabilities discovered in the Top 50.
Microsoft applications (including the Windows 7 operating system) account for 69% of the products in the Top 50, but were only responsible for 23% of the vulnerabilities.

12.  Over a five year period, the share of vulnerabilities in non-Microsoft applications hovers around 78% in the Top 50.

13.  The total number of vulnerabilities in the Top 50 most popular applications was 1,348 in 2014, showing a 42% increase in the 5 year trend. Most of these were rated by Secunia as either 'Highly critical' (64.9%) or 'Extremely critical' (9.7%).

14.  87% of vulnerabilities in the Top 50 had patches available on the day of disclosure in 2014.