Security vulnerability management requires a lot more than just patching software from the top ten suppliers, warns security firm Secunia.
The company’s recurring update of the top 20 vulnerable software products shows the list changes each month.
“You cannot predict what products will be making your infrastructure vulnerable next month, based on what made it vulnerable this month,” said Kasper Lindgaard, Secunia director of research and security.
“You should not assume patching the top 10 high-profile software names means you are all set and secure,” he said.
According to Lindgaard, keeping track of what makes an IT environment vulnerable is an ongoing and complex task.
“It requires a combination of vulnerability intelligence and visibility of applications, devices and business critical data in your systems,” he said.
According to Secunia’s quarterly update for May to July 2015, there were 2,211 new vulnerabilities in the top 20 during the three-month period.
The product with the most vulnerabilities was the Avant browser, and IBM was the supplier with the largest number of vulnerable products.
According to the report, the Avant browser was found to have 206 vulnerabilities during the review period; the report ascribes this to two factors.
First, Avant bundles both Chrome and Firefox rendering engines, which means potentially all vulnerabilities in the Chrome and Firefox browsers also show up in Avant.
Second, Avant has not released a new major version for a long time. The July 2015 version was the first since March 2015.
“This means all major versions of Chrome and Firefox released in the meantime, which amounts to 3 major versions for both Chrome and Firefox, are included and – very likely – so are all the vulnerabilities reported in these,” the report said.
According to the report, it is not known whether the patches published for those versions of Chrome and Firefox have been applied to the Avant browser.
“Due to the lack of details from Avant, Secunia Research have to assume the worst case,” the report said.
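The two points above, that vulnerability management needs vulnerability intelligence joined against an inventory of what is actually deployed, and that a product bundling third-party components inherits their advisories unless the vendor says which fixes it has back-ported, can be made concrete in a small matcher. The following is an added example, not code from Secunia, Computer Weekly or the Avant project; the feed entries, product names, version numbers, advisory IDs and ratings are constructed for illustration and are not real advisory data.

```python
"""Component-aware vulnerability matching (added example, not Secunia's code).

Models the reasoning in the report: a product that bundles third-party
components (as Avant bundles browser engines) inherits the advisories filed
against those components, and when the vendor does not publish which upstream
fixes it has back-ported, every inherited advisory is counted as open (the
"worst case" the report assumes). Product names, versions, advisory IDs and
ratings below are constructed for the example, not real advisory data.
"""
from collections import Counter
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Advisory:
    """One entry from a vulnerability-intelligence feed (constructed)."""
    advisory_id: str
    product: str      # upstream product the advisory is filed against
    fixed_in: int     # first upstream major version that contains the fix
    criticality: str  # Secunia-style rating, e.g. "highly critical"


@dataclass
class InstalledProduct:
    """One line of an asset inventory: what is actually deployed."""
    name: str
    version: int
    # Upstream components shipped inside this product -> bundled major version.
    bundles: dict = field(default_factory=dict)
    # Advisory IDs the vendor states it has back-ported into the bundled copy.
    # Empty when the vendor publishes nothing, which is the worst-case assumption.
    backported: set = field(default_factory=set)


def open_advisories(inventory, feed):
    """Map each installed product to the advisory IDs still open on it.

    An advisory is open on a product when the product is the affected
    upstream and runs a version below fixed_in, or when the product bundles
    the affected upstream at a version below fixed_in and the vendor has not
    stated that this particular fix was back-ported.
    """
    result = {p.name: [] for p in inventory}
    for adv in feed:
        for prod in inventory:
            if prod.name == adv.product:
                if prod.version < adv.fixed_in:
                    result[prod.name].append(adv.advisory_id)
                continue
            bundled = prod.bundles.get(adv.product)
            if bundled is None:
                continue
            if bundled < adv.fixed_in and adv.advisory_id not in prod.backported:
                result[prod.name].append(adv.advisory_id)
    return result


def criticality_breakdown(open_map, feed):
    """Count open advisories per product by criticality rating."""
    by_id = {adv.advisory_id: adv for adv in feed}
    return {name: dict(Counter(by_id[i].criticality for i in ids))
            for name, ids in open_map.items()}


# Constructed feed: three engine advisories and one for an unrelated OS product.
FEED = [
    Advisory("SA-1", "Chrome", fixed_in=44, criticality="highly critical"),
    Advisory("SA-2", "Chrome", fixed_in=42, criticality="moderately critical"),
    Advisory("SA-3", "Firefox", fixed_in=39, criticality="extremely critical"),
    Advisory("SA-4", "Solaris", fixed_in=12, criticality="highly critical"),
]

# Constructed inventory. The "Avant-like" product bundles engines from before
# the last few upstream majors and publishes no patch status for them, so
# its `backported` set stays empty and every engine advisory counts as open.
INVENTORY = [
    InstalledProduct("Chrome", version=44),
    InstalledProduct("Firefox", version=38),
    InstalledProduct("Avant-like browser", version=2015,
                     bundles={"Chrome": 41, "Firefox": 36}),
    InstalledProduct("Solaris", version=11),
]

if __name__ == "__main__":
    open_map = open_advisories(INVENTORY, FEED)
    for name, ids in open_map.items():
        print(f"{name}: {ids}")
    print(criticality_breakdown(open_map, FEED))
```

The fully patched upstream Chrome comes out clean, while the product bundling an older engine carries every Chrome and Firefox advisory issued since its bundled versions, which is exactly why a product outside the top-ten vendor list can top the vulnerability count. If a vendor does publish which upstream fixes it back-ported, populating `backported` removes those advisories without changing the rest of the logic.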
The report notes operating systems remain an interesting attack vector to anyone wishing to gain access to corporate infrastructure.
In recent months, Secunia has recorded vulnerabilities in Oracle Solaris, IBM i5/OS and F5 TMOS among others.
“This is an ever-pertinent reminder to stay on top of products from all suppliers, and not rest on your laurels once you’ve patched your Microsoft and your Linux,” the report said.
Secunia said organisations need to recognise that all software, hardware, middleware and firmware is potentially vulnerable, and that a product name does not guarantee impregnable code.
According to the Copenhagen-based security firm, 1,993 products were recorded as vulnerable in the first seven months of 2015.
At 9,225, the total number of vulnerabilities discovered in those 1,993 products is roughly on par with the 9,560 discovered over the same period in 2014.
However, while the absolute numbers are roughly unchanged, Secunia’s preliminary findings do indicate a shift in criticality ratings.
A slightly higher share of the vulnerabilities discovered are rated as “extremely critical” (from 0.3% to 0.5%) and “highly critical” (from 11.1% to 12.7%), while there is a drop in the “moderately critical” category (from 28.2% to 23.7%).