Vulnerabilities in software and operating systems remain a thorn in the side for administrators around the world. A single vulnerability exploited by the bad guys can bring a company to its knees. Maintaining patched systems is a must in today’s ever-changing security landscape. Yet, in number terms, what are we looking at? What is the situation like? Has it improved or deteriorated? Are vendors fighting a losing battle? Read on for an in-depth look at some of the significant statistics on the vulnerabilities reported in 2012 (these results are compiled based on the data from the National Vulnerability Database (NVD)).
An alarming 4,347 new security vulnerabilities were reported in 2012, the highest number over the last three years. This means that last year nearly 12 new security vulnerabilities were discovered each day – when compared to the 3,532 vulnerabilities reported for 2011 (a rate of about 10 new vulnerabilities discovered every day).
If we break down the number of vulnerabilities by severity there are fewer high severity vulnerabilities than there were in 2011. It is the number of medium and low severity vulnerabilities that has consistently increased.
Around 35% of the vulnerabilities discovered in 2012 were rated as having a high severity level. This percentage of high severity vulnerabilities, while still significant and considerably higher than vendors and customers would probably like, has been on the decrease for the last five years.
A total of 1107 vendors reported vulnerabilities in 2012, with the top 10 vendors reporting 41% of vulnerabilities. If we compare this figure to previous years, we can see that hackers and security researchers seem to be focusing on a larger number of vendors, and that the percentage of vulnerabilities found by the major vendors is gradually decreasing.
Top 10 vendors by number of vulnerabilities reported in 2012:
While the above list contains almost the same vendors as it did in 2011, some of the rankings have changed. Let’s look at a few details:
» Oracle tops the chart with 424 vulnerabilities, much higher than their 262 entries in 2011. A significant number of these vulnerabilities are related to Java.
» Apple has reported the most high severity vulnerabilities during 2012. Safari, iTunes and iOS generated most of them.
» Microsoft continues to decrease the number of vulnerabilities it reported with 169 vulnerabilities, down from 244 in 2011 and 318 in 2010.
» Google had the most vulnerabilities in 2011, but now lies in sixth position with only half of the vulnerabilities they reported in 2011.
86% of reported vulnerabilities come from third party applications, 10% from operating systems and 4% from hardware devices.
Cisco is by far the most targeted among hardware device vendors. For operating systems and third party applications more details are available below.
Most Targeted Operating Systems in 2012
For the first time in several years Microsoft operating systems do not monopolize the top five positions. Windows operating systems still generate huge interest, but when compared with 2011 they have seen a drop of around half the vulnerabilities reported. They have now been surpassed by Apple iOS which saw 86 vulnerabilities – more than double the 35 entries reported in 2011. These numbers confirm that mobile platforms are garnering more and more attention from security researchers and hackers.
An interesting entry into the chart this year is VMware ESX/ESXi. The virtualization market is growing and the security focus has shifted to follow the trend.
Most Targeted Applications in 2012
The top targeted applications are, with a few minor changes, the same as in previous years. However, when compared against 2011 figures, RealNetworks RealPlayer and Microsoft Office no longer occupy the top slots. New entrants are ESR versions of Mozilla Firefox and Thunderbird, as well as FFmpeg. Click here to view and compare with statistics from 2011.
Other interesting highlights are:
» Consistently, year after year, web browsers and their add-ons continue to generate the most interest.
» 454 vulnerabilities were reported in 2012 for the top five web browsers (Mozilla Firefox, Google Chrome, Apple Safari, Microsoft Internet Explorer and Opera Browser). This figure is greater than all the vulnerabilities reported in 2012 for all operating systems combined (which had “only” 436 vulnerabilities). However, it does represent a drop over 2011 when the top five browsers accumulated 515 vulnerabilities between them.
» Mozilla Firefox had 159 vulnerabilities during 2012 making it – once again – the application with most vulnerabilities discovered for the year. The last time it held this ‘honor’ was in 2009, with Google Chrome occupying the top spot in 2010 and 2011 (and this year falling just behind Mozilla products).
» To keep systems secure, it is critical to maintain them fully patched. It is important to dedicate extra attention and assign priority to:
- Operating systems
- Web browsers
- Adobe free products (Flash Player, Reader, Shockwave Player, AIR)
- Apple applications (iTunes and QuickTime)
So how can you keep your systems secure and fully patched with little effort? Have a look at what GFI LanGuard® can do for your business today!