Third-party programs were responsible for three quarters of the vulnerabilities discovered in the 50 most popular programs in 2013, new research found.
Those 50 programs pervade enterprise IT infrastructures, either as integral business tools approved, monitored and maintained by IT operations – for example PDF readers and Internet browsers; or as apps on the private devices of employees and management, used in the workplace with or without permission, according to Secunia’s Vulnerability Review 2014.
In these Top 50 programs, there were 1,208 vulnerabilities. Third-party programs were responsible for 76 percent of those vulnerabilities, although these programs only account for 34 percent of the 50 most popular programs on private PCs.
Microsoft programs (including the Windows 7 operating system) make up a prominent share of the Top 50: 33 products, or 66 percent. Yet Microsoft programs were responsible for only 24 percent of the vulnerabilities in the Top 50 programs in 2013.
As any home seller will tell you, all you need is one buyer. The same is true for attackers: all you need is one vulnerability. One well-documented case of how a single vulnerability can open the door to a security breach is the U.S. Department of Energy (DoE) breach in 2013, which incurred costs of $1.6 million and resulted in the theft of the personal information of 104,000 employees and their families.
The DoE security breach was the result of a combination of managerial and technological system weaknesses – the perfect feeding ground for hackers, enabling them to exploit vulnerabilities already present in the infrastructure.
“It is one thing that third-party programs are responsible for the majority of vulnerabilities on a typical PC, rather than Microsoft programs,” said Secunia CTO, Morten R. Stengaard.
“Another very important security factor is how easy it is to update Microsoft programs compared to third-party programs,” he said. “Quite simply, the automation with which Microsoft security updates are made available to end users – through auto-updates, Configuration Management systems and update services – ensures that it is a reasonably simple task to protect private PCs and corporate infrastructures from the vulnerabilities discovered in Microsoft products. This is not so with the large number of third-party vendors, many of whom lack either the capabilities, resources or security focus to make security updates automatically and easily available.”