Secunia recorded 15,435 software vulnerabilities in 3,870 applications during 2014, according to its annual Vulnerability Review 2015, released this week.
This represented an 18 percent increase in vulnerabilities and a 22 percent increase in programs compared with 2013. But if you asked people to name the programs with the most vulnerabilites, they probably wouldn't get them right... unless they'd read an earlier Secunia report.
Google Chrome headed the list with 504 vulnerabilities, followed by Oracle Solaris (483), Gentoo Linux (350) and Microsoft's Internet Explorer (289). Apple's Mac OS X placed 13th with 147 vulnerabilities, with Microsoft's Windows 8 in 20th place (105).
Only two Microsoft programs made the Top 20 list of core programs, which was dominated by IBM, with eight entries. Tivoli Endpoint Manager was Big Blue's worst performer, with 258 vulnerabilities earning it 8th place. It was followed by Tivoli Storage Productivity Center (231), IBM Websphere Application Server (210), IBM Domino (177), IBM Lotus Notes (174), IBM Tivoli Composite Application Manager For Transactions (136), IBM Tivoli Application Dependency Discovery Manager (136), IBM Tivoli Application Dependency Discovery Manager (122), and IBM Websphere Portal (107) - see table below.
Programs from the same company may well share vulnerabilities, so IBM's performance is probably not as bad as it looks. Also, recording a large number of vulnerabilities doesn't mean a program is necessarily insecure: finding and fixing vulnerabilities helps make Chrome the most secure browser. However, it does mean you need to take patching seriously.
Fortunately, "time to patch" is still being reduced. Secunia reports that out of 15,435 vulnerabilities, "a full 83 percent had a security patch available on the day the vulnerability was disclosed to the public".
As usual, non-Microsoft programs were responsible for the majority of vulnerabilities on PCs, though Microsoft's performance dipped. According to Secunia, Microsoft applications (including the Windows 7 operating system) accounted for 69 percent of the products in the Top 50 programs most frequently installed on PCs, but were only responsible for 23 percent of the vulnerabilities. That might sound good, but Microsoft had driven the number down from 43 percent in 2007 to just 14 percent in 2012.
Windows 8 was obviously the version with most vulnerabilities, but the number fell from 156 in 2013 to 105 in 2014. Windows 7 did even better, with the number falling from 102 to 33. Windows XP went from 99 in 2013 to 5 in 2014, mainly because Microsoft stopped supporting it in April.
As usual, web browsers had the most vulnerabilities in the Top 50 programs. Google's Chrome came top with 504 recorded vulnerabilities, well ahead of IE (289) and Mozilla's Firefox (171). These were followed by Oracle Java JRE (119), Adobe Flash Player (99), Apple iTunes (84), Adobe Air (59), Adobe Reader (43), Microsoft Windows 7 (33), Apple QuickTime (14) and Microsoft Word (13). For the record, Apple's Safari had 92 recorded vulnerabilities
Happily, it's possible to live without any Adobe or Apple software on Windows PCs except, probably, a Flash Player in the browser. Many people can also live without the Java JRE, though Secunia found it on 79.1 percent of the PCs surveyed.
But the biggest security disasters of the year were in open source software with HeartBleed, SSL and ShellShock. Secunia notes that these problems "brought attention to a previously neglected potential security issue: the use of open source applications and libraries in IT environments." It adds: "It is therefore important to be aware of which open source libraries are in use in an environment, and to have a solid mitigation strategy in place. Because the applications that use these libraries are not always patched - often, they are not even reported vulnerable."
Secunia gets the bulk of its data from its free Personal Software Inspector (PSI) program, which is installed on millions of Windows PCs (including mine). PSI makes regular checks to see if a PC contains any programs that have not had the latest patches installed, and makes it easy for users to patch them. This is important since not all vendors provide scheduled updates, and they may not notify users when patched versions are released.
Note: the presentation of the online version of the report is dramatically different from the downloaded PDF version. The numbers are the same but the online graphics are much more striking.