Secunia yearly report of vulnerabilities- 2011

Date: 2012-03-11
The security company Secunia has published a report to statistically analyze the vulnerabilities of the year 2011 and compare it with the previous years. You can read a brief of this report here.
A brief history of global vulnerabilities (2006-2011)
Analysing the long-term and short-term trends of all products from all vendors in the Secunia database over the last six years reveals that the total number of vulnerabilities decreased slightly in 2011 compared to 2010.
On average, 3,550 Secunia Advisories, 4,645 CVEs, and 8,663 vulnerabilities were counted in the years from 2006 to 2011. These vulnerabilities subsequently affected, on average, 2,975 products from 568 different vendors in this period.
The next figure concludes that the year 2006 still stands out as the all-time high with respect to these metrics. It can be observed that, except for the Secunia vulnerability count, all metrics show a decreasing trend in the long-term (5 years) and short-term (2010 vs. 2011) of between 5% and 24%. It should be noted that analysing vulnerability counts covering all products includes a large number of rare products and web applications that are not in typical everyday use in organisations or on private systems. However, from this high-level perspective it is clear that, globally, the exponential growth in vulnerability numbers observed up to 2006 has essentially flattened.
Criticality and attack vector
Next figure displays the criticality rating3 and attack vector4 for all Secunia Advisories released in 2011. More than half of the vulnerabilities in 2011 were rated as “Medium”, “Highly”, or “Extremely critical”.
The prevalence of the medium- to high-level criticality ratings in combination with the attack vector, as reported in the last figure, clearly shows that the majority of these vulnerabilities represent a genuine threat with an increased risk of system compromise. Significantly, most of the vulnerabilities are exploitable from a remote network and nearly 20% of the vulnerabilities are rated as “Highly” or “Extremely critical”. This demonstrates that the majority of the vulnerabilities are relevant and require urgent, dedicated attention from a risk management perspective, particularly as attackers only need a single exploitable vulnerability to compromise the entire end-point.
While the observed high-level global trend of decreasing vulnerability counts (all products from all vendors) is encouraging, it should be noted that in absolute terms, the numbers remain considerably large. These high vulnerability counts, paired with the high criticality ratings, indicate that accurate information about vulnerabilities is an essential, security-critical requirement for effective risk assessment, prioritization, and vulnerability remediation.
The Top-20 vendors
To represent and track the evolution of the software industry, the Top-205 producers of the software (commercial or open source) with the most vulnerabilities discovered in their products in 2011, were selected.
The above figure presents the long-term and short-term trends; comparing the average number of vulnerabilities of the previous five years (2006 to 2010) to the 2011 numbers, and the 2010 numbers to the 2011 numbers respectively.
Combined, the products of these Top-20 vendors were affected by 2,227 unique vulnerabilities (CVEs) in 2011, representing 63% of all vulnerabilities discovered in 2011.
Are vendors sharing vulnerabilities?
The sum of the vendors’ vulnerabilities is larger than 2,227 (the number of unique CVEs for the Top-20 vendors in 2011) as many vendors share products, code, or common libraries.
Many products (especially in the open source community) are shared freely and are based upon common software libraries. For example, Linux distributions are a sample of a large collection of open source programs and libraries that are assembled, tailored, and distributed as a bundled product. Many such open source products are also used by commercial vendors; for instance Apple’s Mac operating system 10 (Mac OS-X), which is based on FreeBSD and therefore contains a lot of open source components.
Software Is Under Attack
Over the last few years vulnerabilities affecting typical end-points more than tripled to over 800 – the majority of these (79%) were found in third-party (non-Microsoft) programs. Third-party programs are considerably more difficult to patch as several different update mechanisms are required to do so. Only securing the operating system (OS) and Microsoft programs leaves end-points at considerable risk. However, the power to protect end-points is in the hands of all users as 72% of the vulnerabilities had a patch available on the day of vulnerability disclosure.
It is estimated that, today, more than 2 billion users have access to the Internet. This equates to approximately 31% of the Earth’s population7 . With such a high number of potential victims, it becomes clear that end-points have become a primary target for cybercriminals. Even a very low chance of a successful attack can potentially compromise a large number of end-points and turn them into botnets controlled by cybercriminals.
The Top-50 software portfolio under the microscope
The charts reveals that 50% of users were found to have more than 66 programs installed from more than 22 different vendors. To track the security of a typical user in light of this diversity of software portfolios, a representative Top- 50 portfolio comprising the most prevalent products found by the Secunia PSI was built. The Top-50 software portfolio contains software from 12 different vendors; namely 28 programs from Microsoft and 22 programs from third-parties (non- Microsoft vendors).
Additionally tracking the vulnerabilities of the operating systems Windows XP (released in 2001), Windows Vista (released in 2007), and Windows 7 (released in late 2009) reveals that even though Windows 7 is currently the most prevalent operating system on end-points, the choice of operating system has only a minor impact on the total number of vulnerabilities on a typical end-point.
Analysing the number of vulnerabilities affecting a typical end-point together with the operating system highlighted an alarming trend. The number of vulnerabilities found in the Top-50 software portfolio actually increased more than three-fold since 2007 to 870 in 2011.
Furthermore, the fact that over the last six years more than 50% of these vulnerabilities were rated as “Highly” or “Extremely critical” confirms the relevance and importance of this trend. “Highly” and “Extremely critical” vulnerabilities indicate exploitable vulnerabilities that can lead to system compromise where successful exploitation does not normally require any unusual interaction from the user.
Next figure confirms that in 2011, 78% of the vulnerabilities affected third-party programs (TP); far outnumbering the 12% of vulnerabilities in the operating system (OS) or the 10% of the vulnerabilities in the Microsoft programs (MS). Significantly, the share of vulnerabilities in third-party programs continuously increased from 45% in 2006 to 78% in 2011.
Patching a typical end-point
To fully patch a typical end-point, the user (or administrator of the system) has to master at least 12 different update mechanisms, as the Top-50 software portfolio comprises programs from 12 different vendors. With one update mechanism, namely “Microsoft Update”, the operating system and the 28 Microsoft programs can be patched to remediate 22% of the vulnerabilities.
In addition to this, another 11 update mechanisms are needed to patch the remaining 22 third-party programs to remediate 78% of the vulnerabilities.
Attacking a typical end-point
The left pane of the next figure indicates that for all Secunia Advisories affecting a typical end-point in 2011, 72% had a patch available within one day of the disclosure of the vulnerability, and 77% of the advisories had a patch available within 30 days of disclosure. This data indicates that there is limited room for 0-day exploits. The 28% of the advisories that had no patch available on the day of disclosure indicates an upper bound of potential for 0-day exploit availability. Microsoft even reports that less than 1% of the attacks in the first half of 2011 were attributed to 0-day exploits10.
Thus, organisations can hardly hide behind the threat of 0-days when a solution is available for 72% of vulnerabilities. Cybercriminals know that the availability of a patch does not imply that the patch is installed in a timely fashion.
The right pane of the last figure indeed confirms that third-party programs are consistently at a lower patch level than Microsoft programs.
Secunia Yearly Report, 2011

The Wall

No comments
You need to sign in to comment