Posted by: Ken Harthun
Patch management, Secunia PSI, Software for Secure Computing, Vulnerabilities
Secunia, the firm that provides the Personal Software Inspector (PSI), which detects vulnerable and outdated programs and plug-ins, has just released its first Secunia Half Year Report. In the report, Secunia looks at the last five years in terms of vulnerabilities, the threat they pose, and the outlook for 2010 based on the data acquired during the first six months of this year. The news is not good:
The overall conclusion is that despite considerable security investments, the software industry at large still proves unable to produce software with substantially less vulnerabilities, highlighting the continued need for Vulnerability Intelligence and Patch Management.
Further, the report shows an alarming development in 3rd party program vulnerabilities, representing an increasing threat to both users and business, which, however, continues to be greatly ignored. This trend is supported by the fact that users and businesses still perceive the operating system and Microsoft products to be the primary attack vector, largely ignoring 3rd party programs, and finding the actions to secure these too complex and time-consuming. Ultimately this leads to incomplete patch levels of the 3rd party programs, representing rewarding and effective targets for criminals.
What’s interesting is that across the more than 29,000 products covered by Secunia’s intelligence since 2005, no significant upward or downward trend in the number of vulnerabilities could be discerned. But that just means software is still as insecure as it was five years ago; no progress is being made. Not surprisingly, ten vendors, including Microsoft, Apple, Oracle, IBM, Adobe, and Cisco, account for an average of 38 percent of all vulnerabilities disclosed each year. Further highlights:
- In the two years from 2007 to 2009, the number of vulnerabilities affecting a typical end-user PC almost doubled from 220 to 420, and based on the data of the first six months of 2010, the number is expected to almost double again in 2010 to 760.
- During the first six months of 2010, 380 vulnerabilities, or 89% of the total for all of 2009, had already been reached.
- A typical end-user PC with 50 programs installed had 3.5 times more vulnerabilities in the 24 3rd party programs installed than in the 26 Microsoft programs installed. It is expected that this ratio will increase to 4.4 in 2010.
Secunia is testing its own Auto Update technology, which will work with a broad variety of programs from a number of different vendors. They plan to release a version later this year, intended to significantly improve the security of home users’ PCs.
Kudos to them, I say; it’s just a shame that the vendors themselves don’t take a more proactive role. That’s what absolutely must happen if we’re ever to get ahead of the curve.