by Stefan Frei - Research Analyst Director, Secunia - Monday, 24 January 2011.
There is an ongoing arms race in the IT security industry between vendors striving to produce secure software and the efforts (and successes) of researchers and cybercriminals in finding new vulnerabilities in that software. Over the last five years the number of vulnerabilities averaged more than 4,300 per year, with no significant upward or downward trend. From 2009 to 2010 the number actually decreased by 3%. It is therefore fair to say that, on a large scale, the security ecosystem appears to be in a state of equilibrium with respect to the current rate of vulnerabilities. Throughout, vulnerabilities are counted as the number of unique CVEs.
However, computer users cannot be complacent. Significantly, Secunia’s Yearly Report for 2010 revealed that, out of more than 4,000 vendors on the market today, just 14 vendors, with products in daily use on millions of private and corporate systems, were responsible for over half of the vulnerabilities discovered in the last two years: Adobe Systems, Apache Software Foundation, Apple, Cisco, Google, HP, IBM, Kernel.org, Microsoft, Mozilla Organization, Novell, Oracle (including Sun Microsystems, BEA, and PeopleSoft as a result of recent acquisitions), RealNetworks, and VMware.
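The two figures above rest on one counting rule, unique CVEs, and that rule has a trap when vulnerabilities are attributed to vendors: a single CVE can affect products of several vendors, so summing per-vendor counts over-counts. The script below is an added example, not part of the article or of Secunia’s report, and the records it uses are constructed placeholders (the CVE-style ids and vendor names are invented). It counts unique CVEs per year, computes the year-over-year change, and finds the smallest set of vendors whose combined CVEs cover a given share of the total, deduplicating by CVE id at every step.

```python
"""Counting vulnerabilities as unique CVEs and measuring vendor concentration.

Added example for this article. RECORDS is a constructed sample: the ids are
placeholders in CVE-like form, not real CVE identifiers, and the vendors are
fictional. Real input would be (cve_id, year, vendor) rows from a vulnerability
database export.
"""
from collections import defaultdict

# Constructed sample records: (cve_id, year, vendor). A CVE affecting products
# of several vendors appears once per vendor (see *-004 in 2009 and *-003 in
# 2010), so every function below deduplicates by CVE id.
RECORDS = [
    ("CVE-SAMPLE-2009-001", 2009, "VendorA"),
    ("CVE-SAMPLE-2009-002", 2009, "VendorA"),
    ("CVE-SAMPLE-2009-003", 2009, "VendorA"),
    ("CVE-SAMPLE-2009-004", 2009, "VendorB"),
    ("CVE-SAMPLE-2009-004", 2009, "VendorC"),  # same CVE, second vendor
    ("CVE-SAMPLE-2009-005", 2009, "VendorB"),
    ("CVE-SAMPLE-2009-006", 2009, "VendorD"),
    ("CVE-SAMPLE-2009-007", 2009, "VendorE"),
    ("CVE-SAMPLE-2009-008", 2009, "VendorF"),
    ("CVE-SAMPLE-2009-009", 2009, "VendorG"),
    ("CVE-SAMPLE-2009-010", 2009, "VendorH"),
    ("CVE-SAMPLE-2010-001", 2010, "VendorA"),
    ("CVE-SAMPLE-2010-002", 2010, "VendorA"),
    ("CVE-SAMPLE-2010-003", 2010, "VendorB"),
    ("CVE-SAMPLE-2010-003", 2010, "VendorC"),  # same CVE, second vendor
    ("CVE-SAMPLE-2010-004", 2010, "VendorB"),
    ("CVE-SAMPLE-2010-005", 2010, "VendorD"),
    ("CVE-SAMPLE-2010-006", 2010, "VendorE"),
    ("CVE-SAMPLE-2010-007", 2010, "VendorF"),
    ("CVE-SAMPLE-2010-008", 2010, "VendorG"),
    ("CVE-SAMPLE-2010-009", 2010, "VendorA"),
]


def unique_cves_per_year(records):
    """Return {year: number of distinct CVE ids recorded for that year}."""
    by_year = defaultdict(set)
    for cve_id, year, _vendor in records:
        by_year[year].add(cve_id)
    return {year: len(ids) for year, ids in by_year.items()}


def yoy_change_pct(records, prev_year, year):
    """Percentage change in the unique-CVE count from prev_year to year."""
    counts = unique_cves_per_year(records)
    prev, cur = counts[prev_year], counts[year]
    return round(100.0 * (cur - prev) / prev, 1)


def vendors_covering(records, share=0.5, year=None):
    """Smallest list of vendors, ranked by descending unique-CVE count, whose
    UNION of CVEs reaches `share` of all unique CVEs (optionally for one year).

    The union is what makes this correct: adding per-vendor counts would count
    a CVE shared by two vendors twice and reach the threshold too early.
    Ties in count are broken by vendor name so the result is deterministic.
    """
    by_vendor = defaultdict(set)
    all_ids = set()
    for cve_id, yr, vendor in records:
        if year is not None and yr != year:
            continue
        by_vendor[vendor].add(cve_id)
        all_ids.add(cve_id)
    ranked = sorted(by_vendor.items(), key=lambda kv: (-len(kv[1]), kv[0]))
    chosen, covered = [], set()
    for vendor, ids in ranked:
        chosen.append(vendor)
        covered |= ids
        if len(covered) >= share * len(all_ids):
            break
    return chosen


if __name__ == "__main__":
    print("unique CVEs per year:", unique_cves_per_year(RECORDS))
    print("2009 -> 2010 change: %.1f%%" % yoy_change_pct(RECORDS, 2009, 2010))
    print("vendors covering half of 2010:", vendors_covering(RECORDS, 0.5, year=2010))
```

On the constructed data the two shared CVEs are what distinguish the union-based coverage from a naive sum; on a real export the effect is larger, because platform and library CVEs are routinely attributed to many downstream vendors.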
The evolving vulnerability threat
Unfortunately, vulnerabilities remain the ‘Achilles’ heel’ of any IT system, particularly for end-point PCs. The report also highlighted an alarming trend for this sub-section: cybercriminals are now focusing their efforts specifically on end-users. Vulnerabilities on end-points are commonly exploited when users visit a malicious website (with content controlled or injected by an attacker), or open data, files, or documents with one of the numerous programs and plug-ins installed on their end-points. The sheer variety and prevalence of programs found on typical end-points, coupled with unpredictable user usage patterns, make end-points an attractive and easy-to-exploit target for cybercriminals.
To better understand the risk and security challenges that most private and corporate Internet users face on a daily basis, we analysed anonymous 2010 scan results from users of the Secunia Personal Software Inspector (PSI). We found that 50% of users have more than 66 programs from more than 22 different vendors installed on their end-points. To further track the security of typical users, we used a representative portfolio of software typically found on end-points.