Reckless IT pros are missing security holes in non-Microsoft software

Secunia's latest Vulnerability Review 2013 (PDF) reports that 86 percent of the vulnerabilities found in the 50 most popular programs in 2012 were in non-Microsoft programs.

"Even so, IT professionals everywhere are inclined to focus on patching Microsoft programs, operating systems and just a few other programs," says Secunia. "Ignoring the threat that vulnerabilities represent in non-Microsoft programs is both reckless and unnecessary."

Not only are third-party software suppliers responsible for the vast majority of security vulnerabilities, they are responsible for an increasing share. The 14 percent of vulnerabilities found in Microsoft programs and Windows operating systems in 2012 is a dramatic improvement on the 22 percent found in 2011. The number was as high as 43 percent in 2007.

The Top 50 most popular programs comprised 29 Microsoft programs and 21 third-party programs, giving Microsoft a 58 percent share of the software under consideration. Microsoft's 14 percent share of the vulnerabilities was made up of 5.5 percent found in operating systems and 8.5 percent found in other Microsoft programs.

Of the 21 third-party programs, 1,137 vulnerabilities were found in 18 products from eight vendors.

The bulk of the vulnerabilities were found in web browsers and software from the usual suspects: Apple and Adobe. Google Chrome led the way with 291 vulnerabilities, followed by Mozilla Firefox (257), Apple iTunes (243), Adobe Flash (67), Oracle Java JRE SE (66), Adobe Air (56), Adobe Reader (43), and Apple QuickTime (29).

Windows 7 had the most vulnerabilities among the Microsoft products (50), followed by Internet Explorer (41) and the .Net Framework (14).

All this warns against relying too much on numbers. Google Chrome is sandboxed to provide a high level of security, and it's updated very frequently. It's much safer than its score might suggest. By contrast, Oracle Java JRE SE has been a security disaster to the point where the most rational approach is to uninstall it, regardless of its lower score.

Secunia points out that Windows 7 had a high number of vulnerabilities last year, as "a result of the work of one security researcher, who decided to dig into one specific component, win32k.sys. By doing so, he discovered 22 vulnerabilities in 2010 and 59 vulnerabilities in 2011." Only four had been found in 2009.

No doubt all software contains bugs, if someone is prepared to dig deep enough to find them. Chrome's high number of vulnerabilities may therefore indicate that it's more secure because more bugs have been found and remediated.

On the positive side, Secunia reports that in 2012, 84 percent of vulnerabilities had a patch available on the day they were disclosed, as compared with 72 percent in 2011. Morten R Stengaard, Secunia's Director of Product Management, said: "This means that it is possible to remediate the majority of vulnerabilities. There is no excuse for not patching. To take advantage of this improvement in patch availability, organizations must know which programs are present on their systems and which of these programs are insecure, and then take an intelligent and prioritized approach to remediating them."

In all, Secunia reported a total of 9,776 vulnerabilities in 2,503 vulnerable products from 421 vendors.

Needless to say, it may only take one unpatched vulnerability in one program to compromise a company's security.

The Copenhagen company gets the bulk of its data from its free Personal Software Inspector (PSI) program, which is installed on millions of Windows PCs (including mine). These PCs have, on average, 72 programs installed. Secunia says these programs vary "from country to country and region to region" so it's simpler to focus on the 50 most common ones.

PSI makes regular checks to see if a PC contains any programs that do not have the latest patches installed, and makes it easy for users to patch them. This is important since not all vendors provide scheduled updates, and they may not notify users when patched versions are released.

Secunia also sells a Corporate Software Inspector (CSI) and is currently beta-testing a small business version of its product.