Secunia: Better vulnerability reporting doesn't mean more patches

Secunia's 2015 Vulnerability Report shows that better vulnerability reporting and awareness of flaws doesn't necessarily mean vendors offer more patches or focus on the most critical issues.

A new report shows that vendors' vulnerability reporting and communication has improved, but that hasn't translated to more patches, which in turn often leaves enterprises at risk of falling victim to attacks against known flaws.

Copenhagen, Denmark-based security provider Secunia ApS today released its 2015 Vulnerability Review, an annual look at the evolution of software security vulnerabilities. In the report, Secunia found that there were 15,435 vulnerabilities across 3,870 applications in 2014, which is an 18% increase in vulnerabilities year over year, and a 22% increase in the number of affected products.

Secunia also found that vendors bundle more vulnerability reports into each advisory than ever before. From 2009 to 2013, vendors addressed slightly more than three vulnerabilities per advisory, but in 2014 the average increased to 3.66 vulnerabilities per advisory.

According to Kasper Lindgaard, director of research and security at Secunia, vendors that bundle more vulnerabilities in each advisory make it harder for organizations to understand the risks associated with each specific vulnerability.

"IT teams need to have complete visibility of the applications that are in use," said Lindgaard, "and they need firm policies and procedures in place, in order to deal with the vulnerabilities as they are disclosed."

According to Lindgaard, evaluating risk becomes even harder when an application uses an open source third-party library such as OpenSSL: it is often difficult to know whether the application is secure or needs patching, because of gaps in communication between when a vulnerability is reported to a vendor and when the vendor notifies its customers.

"Customers have no chance to know what libraries are being used and what version it is," said Lindgaard. "If a vendor isn't good at reporting vulnerabilities, there will be big problems for customers."

While vendors are still having trouble communicating with customers, Lindgaard did say that the rise in reported vulnerabilities was an indication of better communication between vendors and vulnerability researchers.

"Vendors have matured and are communicating better with researchers, who can sell vulnerability reports and coordinate patches better," said Lindgaard. "This increased coordination has led to an increase in patches available on the day of disclosure."

Secunia noted in the report that, in 2014, 83.1% of vulnerabilities had a patch made available the same day the vulnerability was disclosed, which was an increase from the 78.5% seen in 2013. However, Secunia also found that only 84.3% of vulnerabilities had a patch available 30 days after disclosure, meaning if a vulnerability is not patched the day it is disclosed, customers often face a long wait.

"The most common explanations are that vendors aren't mature enough and don't care enough about security to create patches," Lindgaard said, "while others have a very long patch cycle, which could have customers waiting months."

Regarding the overall number of vulnerabilities found, Lindgaard said that there were about as many "highly critical" vulnerabilities in 2014 as in previous years, but a rise in "low to moderately critical" vulnerabilities means the high-risk issues are becoming a smaller percentage of the total.

Lindgaard also noted that the biggest vulnerability news of the year was in the "low and moderately critical" range, with a number of high-profile flaws led by Heartbleed and Shellshock.

"If you nickname your vulnerability, the awareness will be bigger because mainstream media will jump on it," said Lindgaard. "Prior to Heartbleed, vulnerabilities didn't tend to be nicknamed, but after that everyone tried to nickname them, like Shellshock, Poodle, etc."

"Just because they are nicknamed and get major attention," Lindgaard added, "doesn't mean they are critical."

Secunia found that there was a significant rise in the number of zero-day vulnerabilities reported: 25 in 2014 compared to just 14 in 2013. Lindgaard said that Secunia expects zero-day reports to remain steady or even rise this year, simply because researchers are getting better at finding them.

"We expected an increase in zero-days found, because of how black-market hackers use them to attack enterprise," said Lindgaard. "Even if the numbers go down this year, it will more likely be due to not finding them, rather than them not being there."
