Did the number of vulnerabilities reported in IBM products jump by 400% from 2012 to 2013?
That finding comes from a new study, released Wednesday by vulnerability management security firm Secunia at the RSA conference, of the top types of software vulnerabilities facing enterprise networks. That information is crucial for helping IT administrators prioritize which applications and operating systems to patch first.
Overall, Secunia received reports on 13,073 new vulnerabilities in software products in 2013 -- comprising 2,289 products from 539 different vendors -- and said 16.3% of the bugs were rated "highly critical," meaning they can be used to remotely exploit systems. Finally, 0.4% of the vulnerabilities rated as "extremely critical," meaning bugs that could remotely exploit systems and which were also being actively targeted by in-the-wild attacks.
From 2012 to 2013, the total number of vulnerabilities seen by Secunia increased by 32%. Secunia officials said the spike largely stemmed from vulnerabilities reported in IBM products jumping from 772 bugs in 2012 to 4,181 bugs in 2013. Of those, 74% could be used to attack a remote network, 20% a local network, and 7% a local system.
[Don't miss any of the news coming this week from the annual RSA Conference. See RSA Conference 2014: Complete Coverage.]
Asked to comment on Secunia's findings, IBM offered a different set of statistics, based on counting any given vulnerability, even if present in more than one of its products, only once. "It's important that these vulnerabilities are measured accurately," said IBM spokeswoman Nicole Trager via email. "IBM reports unique vulnerabilities -- each unique vulnerability could affect more than one IBM product."
Using that approach, the total number of vulnerabilities reported in IBM's products increased by 260%, rather than the 400% seen by Secunia. "In 2012, there were approximately 250 vulnerabilities reported by IBM," Trager said. "In 2013, there were approximately 650 vulnerabilities reported by IBM. In both 2012 and 2013, approximately one-third of these vulnerabilities are Java vulnerabilities."
Regardless of whether the Secunia or IBM approach is used to count bugs, what accounts for the significant increase in the number of vulnerabilities that were found in IBM's products last year? "Honestly, we don't know," said Morten Stengaard, CTO of Secunia, in an interview at the RSA information security conference this week in San Francisco. One potential explanation is that there were more third-party products bundled into IBM's offerings, in which bugs were found. But Stengaard said the increase doesn't seem to square with a sudden spike in third-party software vulnerabilities being reported, for example in Java.
The IBM question aside, there is good news in the report. Secunia found that a patch was released for 79% of all vulnerabilities on the same day that the vulnerability was publicly disclosed, compared to 70% in 2012. Likewise, 86% of the vulnerabilities discovered in the top 50 most popular products and operating systems were also patched on the day of disclosure, although that was a slight decrease from 90% in 2012. Regardless, fast patching is good news for IT administrators, because it means they can apply patches before attackers have a chance to reverse-engineer and exploit the underlying vulnerabilities.
As that suggests, patch management is a never-ending task, involving not just Microsoft's monthly Patch Tuesday -- which also typically sees patches issued by Adobe, for example for Flash and Shockwave -- as well as quarterly patches from Oracle, and all the patches vendors issue on a purely ad hoc basis.
Continuing an ongoing trend, in 2013 Microsoft's products -- which made up 33 (66%) of the 50 most popular applications -- accounted for a relatively low number of vulnerabilities. For example, of the vulnerabilities affecting the 50 most-used PC applications on private PCs in 2013, Secunia found that only 16% of the bugs affected Microsoft products or operating systems, up from 8% in 2012. The increase was largely due to Windows 8 bundling more third-party software than Windows 7, as well as more Microsoft applications being among the top 50. The other vulnerabilities affected operating systems (5.5% of all total vulnerabilities) but were overwhelmingly due to non-Microsoft applications (86%).
What's the takeaway from those findings? According to Secunia's Stengaard, many IT managers put the greatest emphasis on patching Microsoft and Adobe applications: "So on Patch Tuesday, they go to work, but then they're only mitigating 25% of the risk."
What happens, however, if a vulnerability is reported, but no patch is yet available? In that case, when possible, consider uninstalling the vulnerable application and using an alternative. For example, Secunia CEO Peter Colsted, in an interview at RSA, said that after a zero-day attack against Adobe Reader surfaced last year, Secunia deleted the application from its employees' PCs and temporarily installed an alternative, free PDF reader instead. About a week later, after Adobe released a patched version of Reader, Secunia reinstalled the software.
Having a wealth of data is a good thing -- if you can make sense of it. Most companies are challenged with aggregating and analyzing the plethora of data being generated by their security applications and devices. This Dark Reading report, How Existing Security Data Can Help ID Potential Attacks, recommends how to effectively leverage security data in order to make informed decisions and spot areas of vulnerability. (Free registration required.)Mathew Schwartz served as the InformationWeek information security reporter from 2010 until mid-2014. View Full Bio