The shadow of Meltdown and Spectre is still lingering over us. History has shown us that as the years go by, malware attacks are constantly on the increase and 2017 was no exception. Data compiled from the National Vulnerability Database (NVD) showed that 2017 had the highest number of vulnerability entries and with GDPR just around the corner, we now have to keep in mind that security breaches also come with more stringent legal complications and the possibility of fines.
No software is perfect. No matter how much time and beta testing companies invest in it, hackers will always find the weakest link in the code. When vulnerabilities are found, they will keep on being exploited. Programmers try to keep up and are always releasing patches, but it’s up to us to keep our systems patched and up to date.
Staying updated on potential threats will give you a leg up, but for now, we just want to take a look back at 2017 and see which were the most vulnerable players. As always we remind our readers that this is more an exercise of food for thought rather than trying to point the finger at which system or application is the weakest. According to a post by Emmanuel Carabott, there is no way to determine a platform’s security based on raw data alone, as that data needs first to be put into context, applied to a scenario, and then, interpreted. This is what we aim to do in this post.
Gathering data on all of the potential threats is a time-consuming task. Luckily, the National Institute of Standards and Technology maintains the National Vulnerability Database, which includes details on each Common Vulnerability and Exposure (CVE) issued. The CVEs are then assigned a number and their status is tracked as a way to standardize security reporting.
This article also used data listed on the CVE Details website.
Using this data, we discovered a huge increase in the number of vulnerabilities between 2016 and 2017: the number has more than doubled. The total spreads across both computer and mobile applications, which averages to about 34 vulnerabilities per day for PCs and 7 per day on mobile. Google/Android topped the number of vulnerabilities last year, though the numbers are divided among several big-name vendors such as Google, Oracle, Microsoft, and IBM.
Last year, WannaCry attacked hundreds of thousands of computers worldwide by exploiting a Windows SMB vulnerability called EternalBlue. Hackers would infect a single machine with WanaCrypt0r 2.0, and it would spread throughout a company’s whole network. The vulnerability was caught in March 2017. Unfortunately, not everyone updated their systems with the Microsoft Security Bulletin MS17-010 patch, leaving them as victims for the WannaCry ransomware.
With over 14,000 new vulnerabilities registered with CVE last year, we do not intend to go through each of them. There are over 2000 vendors and addressing them all would be overwhelming. We will focus on the major players that are likely to be a part of your network.
We have seen a significant spike in vulnerabilities in 2017. In 2016, 6,447 vulnerabilities were reported. In 2017, that number increased to 14,709.
Though Google had significantly more vulnerabilities than Oracle, the numbers below also include mobile devices. With the number of products Google has, it must be a real challenge for them to keep up with vulnerabilities. They top the list with 1000 reported CVEs in 2017, with Oracle not too far behind.
Operating systems span both desktop and mobile devices and include the likes of Mac OS X, Microsoft Windows, and even Android. The number of vulnerabilities in mobile devices has gone up over the years, and we do not believe the trend is going to subside anytime soon. In 2015, Android was not even ranked in the top 15, and here it represents 23 percent of all of the operating system vulnerabilities. This shows that the more an operating system or piece of software is used, the more it is seen as a target for hackers.
Web browsers are important to keep track of because this is where your employees normally spend their time throughout the day. They are literally a gateway to attacks. All someone has to do is click a link that downloads malicious software, and your network is compromised. Though Edge had 202 vulnerabilities in 2017, it only had 3.78% of the market share according to NetMarketShare. Chrome is currently the most used browser and has experienced a substantial increase in market share since 2015, climbing from 27.61% to 58.9% in 2017.
One good thing about mobile devices is that they are relatively closed to end users, meaning there aren’t a lot of administrative rights to be enjoyed. This is why we are separating them from other kinds of devices.
Gartner reports that in 2017, Windows phones had about 1.1% of the market share. Mobile devices are dominated by Android and iPhone OS, so it is no surprise they have the bulk of the vulnerabilities. Once again, the trend of more market share = more vulnerabilities can be seen, and with Android having around 80% market share in smartphone OS, it is no surprise it tops the list with 842 vulnerabilities.
Programs that make our business tick are last but not least. Applications were also in need of patching last year, especially ImageMagick, which comes in as number one. The application allowed Yahoo private mail users to view images. Unfortunately, the vulnerability was discovered by hackers, causing the “YahooBleed Bug” to emerge. To save face, Yahoo retired the ImageMagick library altogether.
We should also note that there is a very low number of vulnerabilities in Adobe Flash, which we have not experienced in recent years. However, other Adobe applications topped the list right after ImageMagick. There are reports that Adobe Flash will be phased out by 2020, which could indicate little development on the application.
Being informed of the kinds of vulnerabilities that keep your network open to potential threats is only one part of the game. It is easy for us to put companies like Microsoft and Google on the spot, but this blog actually shows how much work is being done by the vendors to patch vulnerabilities in order to keep our networks safe. What sysadmins should focus on is a strategy to keep their networks safe. Using technology every day is a part of your business. There are only a handful of options. No network is safe.
Though patch management is the best way to ensure your systems stay intact and in working order, it was reported last year that 78% of the vulnerabilities are fixed, which keeps your business safer from attacks. Knowing how hackers can infiltrate your networks is the other half.
The number of vulnerabilities continues to go up every year, and keeping up with patches is daunting. Try using a patch management system like GFI LanGuard to take inventory of all of the machines connected to your network and deploy patches as soon as they are available. This way, you know what is up to date and what is not.