According to a report on endpoint security released this week by Copenhagen, Denmark-based security vendor Secunia, third-party application security issues are far more problematic for users and enterprises than issues affecting Microsoft programs.
Throughout 2012, Secunia gathered anonymous data from millions of computers that had its Personal Software Inspector (PSI) installed. The 2013 Secunia Vulnerability Review highlighted the vulnerabilities identified in the 50 most common programs -- 29 of them from Microsoft and the rest from other, third-party vendors -- installed on those computers.
A whopping 86% of the vulnerabilities found in the top 50 programs affected third-party programs. Among the most exploited third-party programs are the usual suspects, including Oracle Corp.'s Java and Adobe Systems Inc.'s Flash and Reader applications.
Of the vulnerabilities identified, 80% had a patch available for them on the day they were disclosed, representing an increase of 8% from the number reported in 2011. However, Secunia's experts estimated that this number is unlikely to improve further, meaning that enterprises must go beyond patch management to solve these issues. As for the programs left with unpatched vulnerabilities, Thomas Kristensen, chief security officer at Secunia, recommended enterprises take a hard look at the third-party applications deployed to determine whether they are worth the risk, and if not, whether they can be replaced by more secure alternatives.
"There are only two ways to secure these programs: deploy patches or refrain from installing them," said Kristensen in an email interview with SearchSecurity. "For organizations, it is necessary to assess whether the programs are business-critical -- if not, it is worth considering not using them in the organization at all."
Despite concern in security circles over zero-day vulnerabilities, Secunia noted that the number of zero-days declined year-over-year. Only eight zero-day vulnerabilities were identified in 2012, down from the 14 discovered in 2011. For Kristensen, this indicates the economic realities of hacking and the poor state of software security in general.
"Vulnerabilities are much cheaper and easier to use than zero-days," he said. "Frankly there is not much financial incitement to spend time and money on developing zero-days when there is so much vulnerable, unpatched software around."
On the flip side, Microsoft was commended in the report for continuing to improve the security of its applications. While its XP operating system once served as the punching bag of choice for attackers, Secunia reported that the share of vulnerabilities affecting Microsoft programs fell from 43% to 14% over the past five years.
Users must demand application security
Web browser security is one of the bright spots in the Secunia report. While more vulnerabilities were reported for the most popular browsers, patches were generally made available quickly, which, in part, serves to highlight the highly competitive software vendor market. Though history suggests that security isn't a selling point, Kristensen feels that users do value security when it comes to Web browsers.
"Security has been a primary competitive parameter. … If you provide an insecure browser, you lose market share, because in a competitive market, users go across the street to the competition," he said. "With programs like Java and Flash, users have no alternatives, which is why they survive despite their many insecurities."
When consumers don't demand that their products be secure, the result is the current state of SCADA software security, which the report compares to mainstream software security from 10 years ago. The number of SCADA software vulnerabilities has risen over the last five years, but more worryingly, updates are described as "erratic." SCADA and industrial control system (ICS) security issues have emerged in recent years as a subject of national security concern, with stories of critical infrastructure failing under the pressure of cyberattacks. While Kristensen believes SCADA software does represent a security threat, he feels customers can pressure SCADA developers to improve security, much as they have pressured Web browser developers.
"Customers must start making demands of the software vendors. SCADA software is never as exposed as browser products, but there is always money involved," he said. "SCADA customers must and can demand the products they pay for are secure; this should be stipulated in the contract. Money talks, and customers have influence over the quality of the products they pay for."