Despite substantial investment, the software industry is still unable to produce software with substantially fewer vulnerabilities, highlighting the continued need for vulnerability intelligence and patch management, a major security player says.
In its half-year security report for 2010, Secunia found that Apple (iTunes, QuickTime) ranks as the vendor with the highest number of software vulnerabilities, followed by Microsoft (Windows, Internet Explorer) and Sun Microsystems (Java, now part of Oracle).
These companies consistently occupied the top ranks during the last five years, with Adobe (Acrobat Reader, Flash) joining the group in 2008.
Niels Henrik Rasmussen, CEO and founder of Secunia, said: “The report shows an alarming development in third-party program vulnerabilities, representing an increasing threat to both users and business, which, however, continues to be greatly ignored.
“This trend is supported by the fact that users and businesses still perceive the operating system and Microsoft products to be the primary attack vector, largely ignoring third-party programs, and finding the actions to secure these too complex and time-consuming. Ultimately this leads to incomplete patch levels of the third-party programs, representing rewarding and effective targets for criminals.”
Since 2005, no significant upward or downward trend in the total number of vulnerabilities in the more than 29,000 products covered by Secunia Vulnerability Intelligence has been observed.
A group of 10 vendors, including Microsoft, Apple, Oracle, IBM, Adobe and Cisco, account on average for 38pc of all vulnerabilities disclosed per year.
In the two years from 2007 to 2009, the number of vulnerabilities affecting a typical end-user PC almost doubled from 220 to 420, and based on the data of the first six months of 2010, the number is expected to almost double again in 2010 to 760.
During the first six months of 2010, 380 vulnerabilities, or 89pc of the figure for all of 2009, had already been reached.
A typical end-user PC with 50 programs installed had 3.5 times more vulnerabilities in the 24 third-party programs installed than in the 26 Microsoft programs installed. It is expected that this ratio will increase to 4.4 in 2010.