The vulnerability species: Origin and evolution

There is an on-going arms-race in the IT security industry between vendors striving to produce secure software, and researchers’ and cybercriminals’ efforts (and successes) in finding new vulnerabilities in software. The number of vulnerabilities in general over the last five years reached over 4,300 on average per year with no significant up- or downward trend. During the period from 2009 to 2010, the number actually decreased by 3%. Therefore it is fair to say that, on a large scale, the security ecosystem appears to be in a sort of state of equilibrium regarding the current rate of vulnerabilities. Vulnerabilities are counted as the number of unique CVEs.

However, computer users cannot be complacent. Significantly, Secunia’s Yearly Report for 2010 revealed that out of more than 4,000 vendors on the market today, just 14 vendors with products in use on millions of private and corporate systems daily, were responsible for over half of the vulnerabilities discovered in the last two years: Adobe Systems, Apache Software Foundation, Apple, Cisco, Google, HP, IBM, Kernel.org, Microsoft, Mozilla Organization, Novell, Oracle (includes Sun Microsystem, BEA, and Peoplesoft as a result of recent acquisitions), RealNetworks, and VMware.

The evolving vulnerability threat
Unfortunately vulnerabilities are still the “Achilles’ Heel’ of any IT system particularly for end-point PCs. An alarming trend for this sub-section was also highlighted: cybercriminals are now focusing their specific efforts on end-users. Vulnerabilities on end-points are commonly exploited when users visit a malicious website (with content controlled or injected by an attacker), or open data, files, or documents with one of the numerous programs and plug-ins installed on their end-points. The sheer variety and prevalence of programs found on typical end-points, coupled with unpredictable user usage patterns, make end-points an attractive and easy to exploit target for cybercriminals.

In order to better understand the risk and security challenges most private or corporate Internet users face on a daily basis, data taken from anonymous 2010 scan results from users of the Secunia Personal Software Inspector (PSI) was analyzed. We found that 50% of users typically have more than 66 programs from more than 22 different vendors installed on their end-points. To further track the security of typical users, we used a representative portfolio of software typically found on end-points.

End-point security under the microscope – The typical top 50 software portfolio
A representative software portfolio containing the Top-50 most prevalent programs typically installed on end-points consists of:

  • Programs from 14 different vendors – 26 programs from Microsoft, 24 programs from third-party (non-Microsoft) vendors
  • Each program in this representative portfolio has at least a 24% prevalence
  • Eight programs from three vendors have more than a 80% user share (e.g. Internet Explorer, .Net Framework, Sun/Oracle Java, Adobe Reader, and Adobe Flash).

In contrast to the decrease in the general number of vulnerabilities between 2009 and 2010, an alarming trend is evident: vulnerabilities specifically affecting the typical top 50 software portfolio have increased almost four-fold in three years, or by 71% in the last 12 months alone.

Operating system vs. third-party vs. Microsoft
From 2009 to 2010 the observed increase of vulnerabilities in the top 50 software portfolio occurred irrespective of the choice of operating system. In fact, results showed that the operating system accounts for only 13% of vulnerabilities on the end-point, on average. Significantly, third-party (non-Microsoft) programs are found to be almost exclusively responsible for this significant increase in vulnerabilities. They by far outnumber vulnerabilities in the operating system or vulnerabilities in Microsoft programs.

For example, in 2010 an end-point with the top 50 portfolio and Windows XP had: 3.83 times more vulnerabilities in the 24 third-party programs than in the 26 Microsoft programs, and 5.22 times more vulnerabilities in the 24 third-party programs than in the operating system.

Criticality and impact
Most of the vulnerabilities from 2009 to 2010 identified in the top 50 Software Portfolio were classified as “From remote”, allowing an attacker to compromise the end-point remotely over the network. In terms of the criticality analysis, more than 70% of the vulnerabilities were classified as either “Highly critical” or “Extremely critical”, whereas the classification “Highly critical” increased the most from 2009 to 2010. More than 50% had “System access” as the impact classification, which allows the attacker to have full control of the system. The number and severity of the vulnerabilities affecting a typical end-host increased from 2009 to 2010.

Patching complexity
The typical end-point was affected by between 148 to 163 security events per year due to vulnerabilities in the portfolio. Security events, counted as the number of Secunia Advisories, estimate the specific number of administrative actions required to keep a product secure throughout a given period of time. Thus, users need to install approximately 150 patches per year to keep their end-points secure, which is an impossible task to do manually, especially considering the number of different update mechanisms involved. With programs from 14 different vendors, users have to master approximately 14 different update mechanisms to keep their end-points secured and patched:

  • Microsoft update to patch the operating system and the 26 Microsoft programs, thereby covering 31% of the vulnerabilities in 2010
  • Another 13 update mechanisms to patch the remaining 24 third-party programs, thereby covering 69% of the vulnerabilities in 2010.

Unfortunately vendors do not share update processes or procedures. The number of vendors deploying and promoting effective update mechanisms is quite limited – it includes Microsoft, Google, Mozilla Foundation, Adobe, and possibly a few more, but the overall picture of all vendors (also most of the more popular vendors), is that the updating of programs on end-points is largely neglected and left to the user.

However, users can no longer offload all responsibility onto vendors’ shoulders, and can in fact take the lead in a large proportion of cases. In the last two years 66% of vulnerabilities had a patch available on the day of disclosure and could have been fixed on the spot. This highlights the current lack of vendor-user communication and a unified patch process used industry-wide – users are either unaware, or simply overwhelmed, by the complexity and frequency of the process needed to keep the dozens of third-party programs found on a typical end-point secure. This almost certainly leads to incomplete patch levels.

Common misperceptions
Users and businesses still perceive the operating system and Microsoft products to be the primary attack vector, largely ignoring third-party programs. However, data from the Secunia PSI shows that less than 2% of the Microsoft programs were found to be insecure while third-party programs ranked between 7% and 12%, indicating that patch complexity has a measurable effect on end-point security.

Anti-virus and perimeter protection are established and necessary defence technologies which enjoy a high priority, whereas patching is often viewed as a secondary security measure. Anti-virus has limitations and is not as effective as commonly perceived; because cybercriminals know how to create and deploy malware that can systematically bypass anti-virus detection. However, a security patch provides better security than any number of anti-virus or other detection signatures as a patch eliminates the root cause and therefore both should be used.

Risk reduction
Software vendors are still unable to release vulnerability-free software at large, highlighting the continued need for effective vulnerability management. Vulnerabilities affecting a typical end-point pose a real threat to the end-user’s host. From an attacker’s perspective, targeting third-party programs proves to be a rewarding path and will probably remain so for an extended period of time. The lack of effective update mechanisms expose end-users to significant risks as vulnerable software tends to “survive” for a long time before being updated for other reasons than security, thus leaving the user exposed for prolonged periods of time and providing criminals with ample time to exploit the vulnerabilities.

End-users and businesses need to become more aware of the dangers of third-party software by increasing their know-how about the latest issues and subscribing to scheduled intelligence sources; and effective patching should be prioritized according to the evolving threat landscape. Unified and automated patching mechanisms, such as the free Secunia PSI, make handling vulnerabilities easier for end-users by automatically scanning systems for insecure programs, then downloading and installing the required security patches all in one go.

Don't miss