Freely subscribe to our NEWSLETTER

Vulnerabilities are a root cause of security issues – errors in software that can work as an entry point for hackers, and be exploited to gain access to IT systems. In 2016, Secunia Research at Flexera Software recorded a total of 17,147 vulnerabilities in 2,136 products from 246 vendors. The breadth of the problem illustrates the challenge faced by IT teams trying to protect their environment against security breaches without the necessary automation. For organisations to stay on top of their environments, IT teams must have complete visibility of the applications that are in use, and firm policies and procedures in place, in order to deal with the vulnerabilities as they are disclosed.

The good news is that patches continue to be available for the vast majority of vulnerabilities at the time they become public. In 2016, 81 percent of all vulnerabilities and 92.5 percent of applications in the Top 50 Software Portfolio that were impacted by vulnerabilities, had patches for those vulnerabilities on the day of disclosure – all but begging for the user to take action to fix it. However, even with an increase in available patches, there was a decrease in patch rates – a clear indicator that the software supply chain is indeed broken. Software Vulnerability Management was designed to solve this problem by helping organisations identify vulnerable applications and systems in their environments so they can be prioritised, and remediate the problem via integrated patch management.

PDF Readers

The rate of unpatched PDF Readers is very high. For instance, Adobe Reader has wide adoption — ranking #31 in the Top 50 Software Portfolio and installed on 40 percent of personal computers. The application has the lion share of the market and the largest amount of vulnerabilities – yet 75 percent of its private users ran unpatched versions of Adobe Reader in 2016, despite a plethora of available patches.

Patch Rates and Zero-day Vulnerabilities

Other findings in the Vulnerability Review 2017 confirm trends from previous years: at 22, the number of zero-day vulnerabilities was a bit lower than in 2015; the split between vulnerabilities in Microsoft and non-Microsoft products in the 50 most popular applications on private PCs is at 22.5 percent and 77.5 percent. And most vulnerabilities – 81 percent – have a patch available on the day of disclosure. 30 days after the vulnerability was first disclosed, only one additional percent has a patch. Particularly for organisations with a vast array of endpoints to manage – including devices not regularly connected to corporate networks – this means that a variety of mitigating Software Vulnerability Management efforts are required, to ensure sufficient protection.

Key Findings from the Vulnerability Review 2017

Total Numbers across All Applications
1. In 2016, Secunia Research at Flexera Software recorded a total of 17,147 vulnerabilities in 2,136 products from 246 vendors.
2. 81 percent of vulnerabilities in all products had patches available on the day of disclosure in 2016.
3. 22 zero-day vulnerabilities were discovered in total in 2016, a decrease of 4 compared to the year before.
4. 18 percent of the 3,416 advisories released in 2016 were rated as ‘Highly Critical’, and 0.5 percent as ‘Extremely Critical’.
5. In 2016, 713 vulnerabilities were discovered in the five most popular browsers: Google Chrome, Mozilla Firefox, Internet Explorer, Opera and Safari[1]. That is a 27.5 percent decrease from 2015.
6. In 2016, 289 vulnerabilities were discovered in the five most popular PDF readers: Adobe Reader, Foxit Reader, PDF-XChange Viewer, Sumatra PDF and Nitro PDF Reader.

The 50 Most Popular Applications on Private PCs

7. 1,626 vulnerabilities were discovered in 25 products in the Top 50 most popular applications on private PCs.
8. 77.5 percent of vulnerabilities in the 50 most popular applications on private PCs in 2016 affected non-Microsoft applications, by far outnumbering the 9 percent of vulnerabilities found in the Windows 7 operating system or the 13.5 percent of vulnerabilities discovered in Microsoft applications.
9. The 15 non-Microsoft applications only account for 29 percent of products but are responsible for 77.5 percent of the vulnerabilities discovered in the Top 50. Microsoft applications (including the Windows 7 operating system) account for 71 percent of the products in the Top 50, but were only responsible for 22.5 percent of the vulnerabilities.
10. Over a five year period, the share of vulnerabilities in non-Microsoft applications hovers around 78 percent in the Top 50.
11. The total number of vulnerabilities in the Top 50 most popular applications was 1,626 in 2016, showing a 15 percent increase in the five-year trend. Most of these were rated by Secunia Research at Flexera Software as either ’Highly critical’ (65 percent) or ’Extremely critical’ (7.5 percent).
12. 92.5 percent of vulnerabilities in the Top 50 had patches available on the day of disclosure in 2016.