Each year, we like to look back on the previous year and learn what we can from all the patches, updates, and incidents that were experienced. After all, those who cannot learn from history are doomed to repeat it. And 2015 was quite the year with an average of 25 vulnerabilities per day (six a day more than 2014), according to the data from the National Vulnerability Database (NVD).
The idea here is not to poke at any vendor for their vulnerabilities, but rather to ensure we are aware of what was out there and to be sure we’ve all got ourselves current and up to date. All software is written by humans, and exploited by humans, and until the former changes the latter never will. As long as a vendor releases an update for a vulnerability before it is exploited (and the update doesn’t break anything else, which can be a mighty big IF) then the number of vulnerabilities is less about quality and more about complexity. But, with that said, it’s important to know what was out there and to be sure you have updated everything as you should. So let’s take a look at the most vulnerable players of 2015.
Before we break out the details, let’s talk about where this information comes from. The National Vulnerability Database, maintained by the National Institute of Standards and Technology (NIST), includes details on each CVE that has been issued. The Common Vulnerabilities and Exposures (CVE) system assigns a specific number to any reported vulnerability and tracks its status, as a way to standardize information security reporting and to give both vulnerability scanners and update systems a common way to reference each vulnerability.
We also used the great query capabilities at the CVE Details website, http://www.cvedetails.com, to parse the CVE data and get aggregate numbers where relevant.
Using this data, we found that the top three companies for total vulnerabilities are Microsoft, Adobe, and Apple. It’s very interesting, to me at least, that while Microsoft and Apple both have multiple operating systems and applications in their portfolio, Adobe only makes applications and yet came in second. And while Linux fans may feel smug reading the top three, if you add up all the various distributions’ vulnerabilities, they do come in at number four. Some specific Linux distros had more vulnerabilities than some specific Windows operating systems. There are no winners here, and by raising awareness we’re trying to be sure there are no losers.
I have been dealing with security accreditations across multiple US federal government and financial industry players for the past two years. One surprising thing I have found is this. They don’t care whether a vulnerability is categorized by the vendor as being a High, a Medium, or a Low, or whether updates are Critical or Recommended or Optional. They just want to see an audit report or vulnerability scan come back with zero items found before they will even consider letting you plug it into their test network. As a result, we’re not going to worry about what level of risk the vendor places on a vulnerability. Either it is a vulnerability or it is not.
Finally, with over 8000 new vulnerabilities registered in the CVE last year, we’re not going to try to crunch all of them. If we did, we’d have to list about 2000 vendors since so many had just one. We’re going for the major players here that are likely present in every single network any of our readers administer.
2015 was another banner year for vulnerabilities, exceeding even the hype of 2014. The NVD added a total of 8822 new vulnerabilities in 2015, far exceeding 2014. Here’s how the past few years are trending.
It kind of makes you miss 2011, doesn’t it? This year, we’re going to break out the top vulnerabilities (not all 8000+ of them, just the top 5000 or so) by the following categories: operating systems, browsers, mobile devices, and applications. Here’s how those shake out:
From a vendor perspective, here’s how the year shook out across the top vendors, which accounted for 38% of all the vulnerabilities registered in 2015 at 3992 of the 8822.
So enough with the eye candy, let’s get to some numbers!
Let’s start the breakdown by looking at operating systems, which will include Apple’s OSX, Microsoft’s Windows, and various distributions of Linux. It’s important to note that some vulnerabilities may impact multiple versions of Windows or distributions of Linux, and we didn’t pull out these overlaps. The NVD lists each individually so that’s what we went with.
If you are running Windows 8.1, you don’t really care if a vulnerability also impacts Windows 7. You just need to get your 8.1 patched, so I took the same approach here. Of note, both the OS X versions and various kernel or distro-specific versions of Linux were put together, so we left them that way. Given the overwhelming prominence of the various Windows operating systems in the enterprise, it seems like a sensible way to go here.
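As an added illustration of the counting caveat above (example code, not part of the original post): a small Python tally over CPE 2.3 names that shows how one CVE listing several products counts once per product but only once per vendor. The records, CVE ids and product list are constructed placeholders, not real NVD data.

```python
"""Tally CVE counts per product and per vendor from CPE 2.3 names."""
from collections import defaultdict

# Constructed sample records (placeholder ids, not real NVD entries).
SAMPLE_CVES = [
    {"id": "CVE-2015-EX001", "year": 2015, "cpes": [
        "cpe:2.3:o:microsoft:windows_7:*:*:*:*:*:*:*:*",
        "cpe:2.3:o:microsoft:windows_8.1:*:*:*:*:*:*:*:*",
    ]},
    {"id": "CVE-2015-EX002", "year": 2015, "cpes": [
        "cpe:2.3:o:microsoft:windows_8.1:*:*:*:*:*:*:*:*",
        "cpe:2.3:o:microsoft:windows_server_2003:*:*:*:*:*:*:*:*",
    ]},
    {"id": "CVE-2015-EX003", "year": 2015, "cpes": [
        "cpe:2.3:a:adobe:flash_player:*:*:*:*:*:*:*:*",
    ]},
    {"id": "CVE-2014-EX004", "year": 2014, "cpes": [
        "cpe:2.3:a:adobe:flash_player:*:*:*:*:*:*:*:*",
    ]},
]


def parse_cpe23(cpe):
    """Return (part, vendor, product) from a CPE 2.3 formatted string."""
    fields = cpe.split(":")
    if len(fields) < 5 or fields[0] != "cpe" or fields[1] != "2.3":
        raise ValueError(f"not a CPE 2.3 name: {cpe}")
    return fields[2], fields[3], fields[4]


def tally(cves, year):
    """Count one year's CVEs two ways.

    per_product adds one for every distinct product a CVE lists, so a
    CVE hitting Windows 7 and 8.1 counts against both (overlaps kept).
    per_vendor counts distinct CVE ids, so that CVE adds one to
    Microsoft, not two.
    """
    per_product = defaultdict(int)
    vendor_ids = defaultdict(set)
    for cve in cves:
        if cve["year"] != year:
            continue
        seen = set()
        for cpe in cve["cpes"]:
            _, vendor, product = parse_cpe23(cpe)
            if (vendor, product) not in seen:  # skip repeated CPEs in one CVE
                seen.add((vendor, product))
                per_product[(vendor, product)] += 1
            vendor_ids[vendor].add(cve["id"])
    return dict(per_product), {v: len(ids) for v, ids in vendor_ids.items()}
```

On the sample, three 2015 CVEs produce five per-product counts, which is the kind of overlap the totals above keep.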
It’s critical to note that Microsoft Windows 2003, which had 36 new vulnerabilities discovered in 2015, is no longer supported by Microsoft. Unless you have paid for a custom support agreement, you’d better not be running any 2003 in your environment, as that’s 36 unpatched vulnerabilities discovered.
Web browsers are particularly important to keep up with, as they are used constantly by just about every end user throughout the day, and are the gateway to attack for any number of exploits. Remember too that effective January 2016, Microsoft went to an N only support stance for Internet Explorer, which matches how Google supports Chrome, the Mozilla Foundation supports Firefox, and Apple supports Safari. If you are not running the latest version of your browser of choice, you’re in unsupported and unpatched territory, which makes that browser a ticking time-bomb.
Yes, IE had far and away the most vulnerabilities. It also has the most market share on desktops, which according to NetMarketShare was a little over half for 2015.
Of course, that looks a little different when you consider mobile devices so Android phones, tablets, and Chromebooks are doing well.
But since their browser is typically considered part of the device’s OS and not a separate product, we’re going to include those all up in the next section.
Tablets and phones are just another form factor of computer, but since their operating systems are typically more closed, and normal end users don’t have as much administrative access to them, we’re going to call them out separately in this post.
We’re not sure if Windows Phone doesn’t show up because it’s so secure, or because it’s such a tiny slice of the market. Does anyone reading this besides me have a Windows phone? And before you leave a comment, the CVE data breaks out iOS from Apple Watch and Apple TV, so we did too.
Not to be forgotten, your favourite applications were full of vulnerabilities and in need of patching throughout 2015. These, if nothing else, scream for the need to deploy patch management software, since Windows Update won’t patch any of the third-party apps running on your network.
With all those vulnerabilities, even Adobe is recommending everyone stop using Flash, and to be fair, given how many browsers have already stopped supporting it, the only thing most of us use it for is old games anyway.
They say knowing is half the battle, and now you know. It may be fun to bash Microsoft and talk about how insecure Windows is, but since the other two operating systems out there had more vulnerabilities in 2015 than Windows did, perhaps we should focus a little more on how to make sure all our systems, no matter which vendor they came from, are kept secure and up to date. Again, if you tally up all the vulnerabilities, the number that impact apps and browsers is greater than the number that impacts operating systems.
You can set your OS to auto-update, but can you count on your users to update their apps too? There were over four thousand vulnerabilities last year affecting systems that are probably on your network right now. That’s over ten new vulnerabilities a day. With over 8800 in total, that’s 25 per day! And 2016 looks like it could exceed that rate. There is just no way to keep up with that unless you deploy patch management software that can automate patching of everything you use. If your boss doesn’t believe you need tools to keep up, show them these numbers and ask how else you can keep up with that many new vulnerabilities a day.