The number of reported security vulnerabilities in 2013 continued to increase compared to 2012. In this post, I provide an overview of the statistics for 2013 related to software security vulnerabilities. These are compiled from data from the National Vulnerability Database (NVD).

On average, 13 new vulnerabilities per day were reported in 2013, for a total of 4,794 security vulnerabilities: the highest number in the last five years.

Vulnerabilities report

Around one-third of these vulnerabilities were classified ‘high severity’, meaning that an exploit for these vulnerabilities would have a high impact on the attacked systems. The number is higher than in 2011 and 2012, when we started to see a downward trend in high security vulnerabilities discovered.

vulnerability distribution

The vulnerabilities were discovered in software provided by 760 different vendors, but the top 10 vendors were found to have 50% of the vulnerabilities:

vendor

For the second year running, Oracle leads the pack, with 514 security vulnerabilities reported. A significant increase from 424 vulnerabilities discovered in 2012. Java alone had 193 vulnerabilities, with more than 100 of them ‘critical’.

Eight of the top 10 vendors registered a substantial increase in the number of vulnerabilities discovered in 2013. Microsoft has – by far – the most ‘high severity’ vulnerabilities, reversing the downward trend over the past few years.

vulnerability distribution by product type

Third-party applications continue to be the main source of vulnerabilities, however during the past year there has been a major increase in vulnerabilities reported for operating systems and hardware devices.

The number of hardware vulnerabilities is directly related to the number of vulnerabilities found for Cisco that – due to an important increase in 2013 – is now in the second place in top 10 vendors by number of vulnerabilities.

For operating systems and third-party applications more details are available in the table below.

Most Targeted Operating Systems in 2013

OS-table

There has been an overall increase in number of vulnerabilities for all operating systems, irrespective of brand – Microsoft or Linux..Microsoft’s operating systems once again took top spot, overtaking Apple iOS, which had the highest number of vulnerabilities last year. The number of vulnerabilities in Apple iOS increased in 2013, but went down to 10th because Windows operating systems and Linux kernel vulnerabilities increased considerably more.

Most Targeted Applications in 2013

most targeted applications

In 2013 web browsers continued to justle – as in previous years – for first place on the list of third-party applications with the most security vulnerabilities. If Mozilla Firefox had the most security vulnerabilities reported last year and in 2009, Google Chrome had the “honor” in 2010 and 2011, it is now the turn of Microsoft Internet Explorer to lead with 128 vulnerabilities, 117 of them ‘critical’.

From a security perspective, Oracle and Java had a bad year in 2013 with 193 vulnerabilities reported for Java, 102 of them critical. To make matters worse, an high number of the critical vulnerabilities in Java were zero-days flaws (they were reported before a security patch was available to fix them).

To keep systems secure, it is critical to maintain them fully-patched. Extra attention is required for (patch them first):

  • Operating systems (Windows, Linux, OS X)
  • Web browsers
  • Java
  • Adobe free products (Flash Player, Reader, Shockwave Player, AIR).