The shadow of Meltdown and Spectre is still lingering over us. History has shown us that as the years go by, malware attacks are constantly on the increase, and 2017 was no exception. Data compiled from the National Vulnerability Database (NVD) showed that 2017 had the highest number of vulnerability entries, and with GDPR just around the corner, we now have to keep in mind that security breaches also come with more stringent legal complications and the possibility of fines.

No software is perfect. No matter how much time and beta testing companies invest in it, hackers will always find the weakest link in the code. When vulnerabilities are found, they will keep on being exploited. Programmers try to keep up and are always releasing patches, but it’s up to us to keep our systems patched and up to date.

Staying updated on potential threats will give you a leg up, but for now, we just want to take a look back at 2017 and see which were the most vulnerable players. As always, we remind our readers that this is meant as food for thought rather than an attempt to point the finger at which system or application is the weakest. According to a post by Emmanuel Carabott, there is no way to determine a platform’s security based on raw data alone, as that data first needs to be put into context, applied to a scenario, and then interpreted. This is what we aim to do in this post.

Our sources

Gathering data on all of the potential threats is a time-consuming task. Luckily, the National Institute of Standards and Technology maintains the National Vulnerability Database, which includes details on each Common Vulnerability and Exposure (CVE) issued. Each CVE is assigned a number and its status is tracked, as a way to standardize security reporting.

This article also used data listed on the CVE Details website.

The approach

Using this data, we discovered a huge increase between 2016 and 2017: the number of vulnerabilities more than doubled. The total spreads across both computer and mobile applications, which averages to about 34 vulnerabilities per day for PCs and 7 per day on mobile. Google/Android topped the number of vulnerabilities last year, though the numbers are divided among several big-name vendors such as Google, Oracle, Microsoft, and IBM.

Last year, WannaCry attacked hundreds of thousands of computers worldwide by exploiting a Windows SMB vulnerability called EternalBlue. Hackers would infect a single machine with WanaCrypt0r 2.0, and it would spread throughout a company’s whole network. The vulnerability was caught in March 2017. Unfortunately, not everyone updated their systems with the Microsoft Security Bulletin MS17-010 patch, leaving them exposed to the WannaCry ransomware.

With over 14,000 new vulnerabilities registered with CVE last year, we do not intend to go through each of them. There are over 2000 vendors and addressing them all would be overwhelming. We will focus on the major players that are likely to be a part of your network.

Summary

We have seen a significant spike in vulnerabilities in 2017. In 2016, 6,447 vulnerabilities were reported. In 2017, that number increased to 14,709.

We’re going to break out the top vulnerabilities (not all 14,000+ of them, just the top 8000 or so) by the following categories: operating systems, browsers, mobile devices, and applications. Here’s how those shake out:

The top kinds of vulnerabilities include DoS (Denial of Service), where the vulnerability lets hackers prevent users from logging in or stop their computers from working, and code execution, where code can be manipulated easily. Those are very common types of vulnerabilities. Though the numbers rose noticeably, given how many vulnerabilities were assigned in 2017, the top kinds of vulnerabilities have not changed very much from 2016.

Vendors

Though Google had significantly more vulnerabilities than Oracle, the numbers below also include mobile devices. With the number of products Google has, it must be a real challenge for them to keep up with vulnerabilities. They top the list with 1000 reported CVEs in 2017, with Oracle not too far behind.

Apple has decreased their numbers from our 2015 vulnerabilities report, knocking them down the list by five spots. Microsoft sits in third, just above IBM.

Operating system

Operating systems span both desktop and mobile devices and include the likes of Mac OS X, Microsoft Windows, and even Android. Vulnerabilities in mobile devices have gone up over the years, and we do not believe the trend is going to subside anytime soon. In 2015, Android was not even ranked in the top 15, and here it represents 23 percent of all of the operating system vulnerabilities. This shows that the more an operating system or piece of software is used, the more it is seen as a target for hackers.

Please note that the distro-specific versions of Linux were put together in the report, so we did not alter that information. Also, if you are running Windows 8.1, a vulnerability from Windows 7 will not impact you, which is why they are reported differently here.
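As an added illustration (not part of the original article, nor code from NVD or CVE Details), the sketch below shows how per-vendor and per-operating-system tallies like the ones discussed here can be derived from the CPE 2.3 names attached to CVE records, and why the two views give different totals. The CVE ids and records are constructed placeholders, and the helper names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample: placeholder CVE ids mapped to the CPE 2.3 names they affect.
SAMPLE = [
    ("CVE-0000-0001", ["cpe:2.3:o:google:android:7.0:*:*:*:*:*:*:*",
                       "cpe:2.3:o:google:android:8.0:*:*:*:*:*:*:*"]),
    ("CVE-0000-0002", ["cpe:2.3:a:google:chrome:60.0:*:*:*:*:*:*:*"]),
    ("CVE-0000-0003", ["cpe:2.3:o:microsoft:windows_7:-:sp1:*:*:*:*:*:*",
                       "cpe:2.3:o:microsoft:windows_8.1:-:*:*:*:*:*:*:*"]),
    ("CVE-0000-0004", ["cpe:2.3:a:imagemagick:imagemagick:7.0.5:*:*:*:*:*:*:*"]),
]

# CPE "part" codes: a = application, o = operating system, h = hardware.
PARTS = {"a", "o", "h"}

def parse_cpe(name):
    """Return (part, vendor, product) from a CPE 2.3 formatted string."""
    fields = re.split(r"(?<!\\):", name)  # a backslash-escaped colon is data
    if len(fields) != 13 or fields[0] != "cpe" or fields[1] != "2.3":
        raise ValueError(f"not a CPE 2.3 name: {name!r}")
    part, vendor, product = fields[2:5]
    if part not in PARTS:
        raise ValueError(f"unknown part {part!r} in {name!r}")
    return part, vendor, product

def tally(records):
    """Count distinct CVEs per vendor and per (part, vendor, product)."""
    by_vendor, by_product = defaultdict(set), defaultdict(set)
    for cve_id, cpes in records:
        for name in cpes:
            part, vendor, product = parse_cpe(name)
            by_vendor[vendor].add(cve_id)            # one CVE counts once per vendor
            by_product[(part, vendor, product)].add(cve_id)
    return ({v: len(s) for v, s in by_vendor.items()},
            {p: len(s) for p, s in by_product.items()})

def os_counts(records):
    """Per-product counts restricted to operating systems (part 'o')."""
    _, products = tally(records)
    return {prod: n for (part, _, prod), n in products.items() if part == "o"}

if __name__ == "__main__":
    vendors, _ = tally(SAMPLE)
    print("per vendor:", vendors)
    print("per OS:", os_counts(SAMPLE))
```

In the sample, one CVE affecting both Windows 7 and Windows 8.1 appears once in the vendor view but once under each product in the OS view, so per-product figures cannot simply be summed into a vendor total.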

Browsers

Web browsers are important to keep track of because this is where your employees are normally spending their time throughout the day. It is literally a gateway to attacks. All someone has to do is click a link that downloads malicious software, and your network is compromised. Though Edge had 202 vulnerabilities in 2017, it only had 3.78% of the market share according to NetMarketShare. Chrome is currently the most used browser and has experienced a substantial increase in market share, climbing from 27.61% in 2015 to 58.9% in 2017.

Since these browsers are not on mobile devices, they were reported separately.

Mobile devices

One good thing about mobile devices is that they are relatively closed to end users, meaning there aren’t a lot of administrative rights to be enjoyed. This is why we are separating them from other kinds of devices.

Gartner reports that in 2017, Windows phones had about 1.1% of the market share. Mobile devices are dominated by Android and iPhone OS, so it is no surprise they have the bulk of the vulnerabilities. Once again, the popularity trend of more market share = more vulnerabilities can be seen, and with Android having around 80% market share in smartphone OS, it is no surprise it tops the list with 842 vulnerabilities.

Applications

Programs that make our business tick are last but not least. Applications were also in need of patching last year, especially ImageMagick, which comes in as number one. The application allowed Yahoo private mail users to view images. Unfortunately, the vulnerability was discovered by hackers, causing the “YahooBleed Bug” to emerge. To save face, Yahoo retired the ImageMagick library altogether.

We should also note that there is a very low number of vulnerabilities in Adobe Flash, which we have not experienced in recent years. However, other Adobe applications topped the list right after ImageMagick. There are reports that Adobe Flash will be phased out by 2020, which could indicate little development on the application.

Conclusion

Being informed of the kinds of vulnerabilities that keep your network open to potential threats is only one part of the game. It is easy for us to put companies like Microsoft and Google on the spot, but this blog actually shows how much work is being done by the vendors to patch vulnerabilities in order to keep our networks safe. What sysadmins should focus on is a strategy to keep their networks safe. Using technology every day is a part of your business. There are only a handful of options. No network is safe.

Though patch management is the best way to ensure your systems stay intact and in working order, it was reported that last year 78% of the vulnerabilities were fixed, which keeps your business safer from attacks. Knowing how hackers can infiltrate your networks is the other half.

The number of vulnerabilities continues to go up every year, and keeping up with patches is daunting. Try using a patch management system like GFI LanGuard to take inventory of all of the machines connected to your network and deploy patches as soon as they are available. This way, you know what is up to date and what is not.