
Stefan Frei, Research Analyst Director, Secunia: End-point security under the microscope

March 2011 by Stefan Frei, Research Analyst Director, Secunia

Most private and corporate Internet users face security challenges on a daily basis. Unpatched end-points with a plethora of insecure programs installed are a breeding ground for cybercriminals. The Secunia Yearly Report 2010 found that, typically, 50% of users have over 66 programs from more than 22 different vendors installed on their end-points. Vulnerabilities affecting a typical end-point pose a real threat to the end-user’s host.

To track the security of typical users, a representative software portfolio containing the Top-50 most prevalent programs typically installed on end-points was built, based on analysis of data taken from anonymous 2010 scan results from Secunia Personal Software Inspector (PSI) users. Analysis showed that the typical software portfolio consists of programs from 14 different vendors: 26 programs from Microsoft, and 24 programs from third-party (non-Microsoft) vendors.

An alarming trend has emerged: vulnerabilities specifically affecting the typical Top-50 software portfolio have increased almost four-fold in three years, and by 71% in the last 12 months alone, irrespective of the choice of operating system. In fact, the results showed that the operating system accounts for only 13% of vulnerabilities on the end-point, on average.

Significantly, third-party (non-Microsoft) programs are the main culprits behind this increase in vulnerabilities. For example, in 2010 an end-point with the Top-50 portfolio and Windows XP had 3.83 times more vulnerabilities in the 24 third-party programs than in the 26 Microsoft programs, and 5.22 times more vulnerabilities in the 24 third-party programs than in the operating system. These vulnerabilities are relevant because more than 50% are rated as “Highly” or “Extremely critical”, meaning that successful exploitation gives the attacker full system access remotely over the network.

Patch complexity has a measurable effect on end-point security. Data from the Secunia PSI also showed that less than 2% of the Microsoft programs were found to be insecure, while third-party programs ranked between 7% and 12%. With programs from 14 different vendors, users have to master approximately 14 different update mechanisms to keep their end-points secured and patched: 31% of the vulnerabilities in 2010 were covered by a single “Microsoft update” that patches the operating system and the 26 Microsoft programs, whereas the remaining 69% of the vulnerabilities required 13 separate update mechanisms to patch the 24 third-party programs.

Although vendors do not share update processes or procedures, they are only partially to blame. In the majority of cases, users actually hold the power to patch their programs firmly in their own hands: in the last two years, 66% of vulnerabilities had a patch available on the day of disclosure and could have been fixed on the spot. This highlights the current lack of vendor-user communication and of a unified, industry-wide patch process, which almost certainly leads to incomplete patch levels.

Patching is often viewed as a secondary security measure, ranked below anti-virus and perimeter protection, which in contrast are often treated as top priority. Anti-virus has limitations and is not as effective as commonly perceived, because cybercriminals know how to systematically bypass anti-virus detection. A security patch provides better security than any number of anti-virus or other detection signatures, as it eliminates the root cause rather than one symptom of it. Therefore both should be used.

As software vendors are still unable to release vulnerability-free software at large, effective vulnerability management is crucial. The lack of effective update mechanisms exposes end-users to significant risk, as vulnerable software tends to “survive” for a long time before it is updated for reasons other than security. Both private and corporate end-users need to become more aware of these risks and embrace the practice of regular updating. Patching tools, such as the free Secunia Personal Software Inspector (PSI), remove the headache from this process by automating everything from vulnerability scanning through to security patch installation.

Secunia is exhibiting at Infosecurity Europe 2011, the No. 1 industry event in Europe, held on 19th – 21st April at the prestigious venue of Earl’s Court, London. The event provides an unrivalled free education programme, with exhibitors showcasing new and emerging technologies and offering practical and professional expertise. For further information please visit www.infosec.co.uk
