By Stefan Frei
Secunia Security Factsheets present important security information of a given product in one consistent and standardised document. The factsheets go well beyond simple vulnerability counts by analysing the type and number of vulnerabilities, paired with information about the software vendors' ability to roll out security patches. The information is based on Secunia's Vulnerability Intelligence database and analysis of Secunia Research.
We introduced and released the first series of Secunia Security Factsheets in Q3 2010. Today we have released the factsheets for Q1 2011.
Q1 2011 Highlights
For the first time we have data for a full 12-month period for Windows 7, which was publicly released in October 2009. Looking at the factsheets of Windows XP, Windows Vista, and Windows 7, it is evident that the age of the version correlates with the number of vulnerabilities. The more recent the version of the Microsoft operating system; the lower the number of vulnerabilities it had in the last 12 months. As is common for these versions of the operating system; “System Access”, “Denial of Service”, and “Privilege Escalation” were the three most prevalent impact causes of the Secunia Advisories. The “Privilege Escalation” type of vulnerability allows the attacker to gain elevated privileges, thereby nullifying the protection sought in restrictive user permissions on the end-point.
Our factsheets also cover the five Web browsers: Internet Explorer, Mozilla Firefox, Google Chrome, Apple Safari, and Opera. We found a wide range of trends in year-on-year (YoY) vulnerability numbers amid those browsers ranging from -37% up to +167%. Furthermore, we also observed that the total number of vulnerabilities in a Web browser did not correlate with the browser's market share in the last 12 months. As with operating systems, “System Access” was the most prevalent impact class over the last year for all Web browsers. This shows the relevance and high risk of vulnerabilities to users and end-point compromise.
For both, Adobe Reader and Adobe Flash - two of the most prevalent programs to be found on any end-point - we still observe an upward trend in vulnerabilities in a year-on-year (YoY) comparison. The Secunia Advisories covering these two products were almost exclusively rated as either “Extremely” or “Highly critical”. This emphasises the importance of rapid patching of third-party programs on end-points to remediate the risk.
I hope the quarterly Secunia Security Factsheets contribute to raising awareness about the evolution of vulnerability threats, support you in your work, and help with spotting new trends early.
The factsheets are available here.
Research Analyst Director