Security requires a holistic, multi-layered approach because attackers can gain access to valuable information and systems in a variety of ways. One of the most common entry points is through application vulnerabilities. In this case, a vulnerability is a hole or weakness in the application, either a design flaw or an implementation bug, which allows an attacker to use the application for harm. “Harm” is a pretty vague term because there are many things that can be done with application vulnerabilities, ranging from simply crashing an application, to causing errors, to stealing data.
Secunia, a company that makes software vulnerability management tools, releases a study every year about application vulnerability. The most recent study is the Secunia Vulnerability Review 2015 that presents global data on the prevalence of vulnerabilities and the availability of patches. The report maps the security threats to IT infrastructures so organizations can address their vulnerabilities before they’re exploited. The report also explores vulnerabilities in the fifty most popular PC applications.
The annual vulnerability review looks at the number of vulnerabilities in an application and the time it took the vendor to patch that application once the vulnerability was disclosed. It also looks explicitly at browser and PDF security issues, and then wraps up with a discussion of open source vulnerabilities. The big picture is that in 2014, 2,870 vulnerable products from 500 vendors were found to have a total of 15,435 vulnerabilities. That represents a 55% increase in vulnerabilities in the five year trend and an 18% increase from 2013 to 2014.
Secunia Vulnerability Update May to July 2015
The full report drew on data from 2014, so Secunia issues updates every quarter. The Vulnerability Update for May 2015 to July 2015 hit the wire on September 9, 2015 so here’s a fresh look at it.
The Avant browser wins the dubious distinction of being the product with the most vulnerabilities during May to July 2015. Its 206 vulnerabilities put it way ahead of all other products in the Top 20 lists for this time period; IBM Flex System Manager Node is second with 140 and Apple Macintosh OS X is third with 91. Avant Browser is a freeware web browser written by a Chinese programmer that includes the three major rendering engines from Internet Explorer, Mozilla Firefox, and Google Chrome. It apparently also includes all the vulnerabilities from those three rendering engines, which gives it the largest attack surface of all browsers. Avant also releases patches infrequently – quarterly, versus the almost weekly patches provided by IE, Firefox and Chrome.
In July 2015, Zimperium, a mobile security company, called attention to vulnerabilities in Stagefright, a native Android media player; they affect nearly all Android devices in the world. The Stagefright vulnerabilities are very serious. Researchers showed how an attacker could exploit them to remotely control and steal data from certain Android devices by sending the victim a carefully crafted multimedia message (MMS) with the right attachment.
Google acted quickly to patch Android, but this brought to light another problem in Android security: Google has no control over patch status on the majority of Android devices in the world. Carriers and device manufacturers are responsible for pushing patches to end users. Contrast this with a company like Apple, which can push patches and updates directly to all devices running iOS. The fragmentation in the Android community may not be a good thing when it comes to security.
As a direct result of Stagefright, Google and some of the Android device vendors have increased their focus on security. Google, Samsung, and LG have made a commitment to send out monthly security patches. Motorola, HTC, AT&T, and Sony have pledged to act more proactively regarding security updates. As an article in The Register pointed out, “These updates have been sent out to manufacturers for years, but now end users will get them too, and they will continue for at least three years after the launch of any new handset.” I’ve said for many years that researchers exposing vulnerabilities is a good thing because it forces vendors to respond.
To cap off the report, Secunia points out that between January 1st and July 31st 2015 they recorded 9,225 vulnerabilities in 1,993 products. This is roughly equivalent to stats from 2014.
What’s it all Mean?
That’s a lot of vulnerabilities and a lot of vulnerable products. My take on this is that security is a full-time job. You’ve got to stay current on vulnerability and exploit news, particularly when it affects the software and hardware you’re running. Patches need to be tested and applied in a timely fashion. Protections need to be in place to lock down custom applications, off-the-shelf software, hardware, middleware, firmware – and everything in between. Nothing is impregnable, so rely on an overlapping defense-in-depth strategy. And always train users so they can learn safe-computing practices.
Matthew David Sarrel has been practicing and writing about network and information security for over 20 years. He is Executive Director of Sarrel Group, an editorial services/content marketing, product test lab, and information technology consulting company. He is a Contributing Editor for PCMag.com, Triple-G Editor for Backayard Magazine, and contributor to Infoworld, Programmable Web, and numerous other sites and publications. Previously, he was a technical director for PC Magazine Labs. Prior to joining PC Magazine, he served as VP of Engineering and IT Manager at two Internet startups. Earlier, he spent almost 10 years providing IT solutions in HIV-and-TB-related medical research settings at the New Jersey Medical School. Mr. Sarrel has a BA (History) from Cornell University, an MPH (Epidemiology) from Columbia University, and is also a Certified Information Systems Security Professional (CISSP).
Mr. Sarrel has written for and spoken to numerous international audiences about information technology and information security. He participated as an expert in two Federal Trade Commission workshops, one about spam in 2003 and one about spyware in 2004.
Stratford University, in association with Key Cybersecurity, is offering CISSP, CISA and CEH training and certification courses at many of its Northern Virginia campuses. We will be providing students with hands-on experience with state-of-the-art security solutions like HeurekaCyber’s Cyber Armor and others. Join us at http://www.stratford.edu/cyber in becoming the first line of defense in cybersecurity.