As a sysadmin you should keep abreast of the latest and most important security updates for operating systems, applications and so on. Here is an in-depth look at some vulnerability statistics that I collated for 2011.
To begin with, the National Vulnerability Database (NVD) reports 3532 vulnerabilities for 2011, which works out to roughly ten newly disclosed vulnerabilities per day. While that rate is still considerable, the good news is that the trend is downward: 4258 vulnerabilities were reported in 2010, and the peak was in 2008, with almost 7000.
43% of the vulnerabilities reported in 2011 are rated HIGH severity (in NVD's CVSS v2 scheme, a base score of 7.0 or above). That share of serious issues is considerable and has stayed fairly constant over the years. A HIGH rating typically means the flaw can be exploited remotely with a severe impact on the affected machine. Fortunately, most vulnerabilities have a vendor fix available by the time they are publicly disclosed, which is exactly why keeping your network fully patched matters so much.
Vulnerabilities were reported for 722 vendors, but the top 10 vendors account for 50% of them:
Microsoft continues to have the highest number of critical vulnerabilities, but its total for 2011 is down to 244 from 318 in 2010.
An interesting trend is visible for Google, which in 2011 has the highest number of vulnerabilities reported in NVD, up to 299 from 155 in 2010. The majority of them are in Google Chrome.
85% of reported vulnerabilities are in third-party applications, 12% in operating systems and 3% in hardware devices.
Since 2008 the number of vulnerabilities found in operating systems and hardware devices has stayed at roughly the same level (400-500 per year in operating systems, 100-200 per year in hardware devices). Third-party applications are a different story: their count has fallen steadily since 2008, from 6378 to 3091 in 2011. In other words, 2011 saw roughly half as many third-party application vulnerabilities as 2008.
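To show how figures like the ones above are derived from NVD data (yearly totals, the HIGH-severity share under CVSS v2, the share taken by the top vendors, and the application/OS/hardware split), here is an added example; it is not code from the original post. It assumes records have already been flattened into a simple shape (ID, publication date, CVSS v2 base score, CPE 2.3 names); the sample records are constructed, their IDs are placeholders that do not describe real vulnerabilities, and the vendor "acme" is fictional. Mapping a real NVD feed into that shape is left to the reader.

```python
"""NVD-style yearly statistics: totals, HIGH share, top-vendor share, part split.

Added example, not code from the original post. Records are constructed and
simplified; the IDs are placeholders and describe no real vulnerability.
Severity follows NVD's CVSS v2 buckets (Low 0.0-3.9, Medium 4.0-6.9, High 7.0-10.0);
the CPE 2.3 'part' field separates applications (a), operating systems (o) and hardware (h).
"""
from collections import Counter
from dataclasses import dataclass, field


@dataclass
class Record:
    cve_id: str
    published: str                              # ISO date, e.g. "2011-03-14"
    cvss_v2_base: float
    cpes: list = field(default_factory=list)    # CPE 2.3 formatted strings


def cvss_v2_severity(score: float) -> str:
    """NVD severity label for a CVSS v2 base score."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS v2 base score out of range: {score}")
    return "HIGH" if score >= 7.0 else "MEDIUM" if score >= 4.0 else "LOW"


def parse_cpe23(cpe: str) -> tuple:
    """Return (part, vendor, product) from a CPE 2.3 string such as
    cpe:2.3:a:google:chrome:16.0:*:*:*:*:*:*:* (only the leading fields are
    used, so escaped colons in later fields do not matter here)."""
    f = cpe.split(":")
    if len(f) < 5 or f[0] != "cpe" or f[1] != "2.3" or f[2] not in ("a", "o", "h"):
        raise ValueError(f"not a usable CPE 2.3 string: {cpe}")
    return f[2], f[3], f[4]


def in_year(records, year: int) -> list:
    return [r for r in records if int(r.published[:4]) == year]


def count_by_year(records) -> dict:
    """Total vulnerabilities per publication year."""
    return dict(Counter(int(r.published[:4]) for r in records))


def high_severity_share(records, year: int) -> float:
    """Fraction of the year's records rated HIGH under CVSS v2."""
    recs = in_year(records, year)
    if not recs:
        return 0.0
    return sum(cvss_v2_severity(r.cvss_v2_base) == "HIGH" for r in recs) / len(recs)


def vendor_counts(records, year: int) -> dict:
    """CVEs per vendor; a CVE counts once per distinct vendor it names."""
    c = Counter()
    for r in in_year(records, year):
        c.update({parse_cpe23(x)[1] for x in r.cpes})
    return dict(c)


def top_vendor_share(records, year: int, n: int = 10) -> float:
    """Fraction of the year's CVEs that name at least one of the top-n vendors."""
    recs = in_year(records, year)
    if not recs:
        return 0.0
    top = {v for v, _ in Counter(vendor_counts(records, year)).most_common(n)}
    return sum(any(parse_cpe23(x)[1] in top for x in r.cpes) for r in recs) / len(recs)


def part_split(records, year: int) -> dict:
    """CVEs per CPE part (a=application, o=OS, h=hardware). A CVE naming several
    parts is counted under each, so the values can sum to more than the year's
    total; an exclusive split (like the post's 85/12/3) needs a precedence rule."""
    c = Counter({"a": 0, "o": 0, "h": 0})
    for r in in_year(records, year):
        c.update({parse_cpe23(x)[0] for x in r.cpes})
    return dict(c)


# Constructed sample records: placeholder IDs, not real CVEs; "acme" is fictional.
SAMPLE = [
    Record("SAMPLE-2011-01", "2011-01-12", 9.3, ["cpe:2.3:a:google:chrome:16.0:*:*:*:*:*:*:*"]),
    Record("SAMPLE-2011-02", "2011-02-03", 7.5, ["cpe:2.3:a:google:chrome:15.0:*:*:*:*:*:*:*"]),
    Record("SAMPLE-2011-03", "2011-03-21", 4.3, ["cpe:2.3:a:google:chrome:14.0:*:*:*:*:*:*:*"]),
    Record("SAMPLE-2011-04", "2011-04-12", 9.3, ["cpe:2.3:o:microsoft:windows_7:*:*:*:*:*:*:*:*",
                                                "cpe:2.3:o:microsoft:windows_server_2008:*:*:*:*:*:*:*:*"]),
    Record("SAMPLE-2011-05", "2011-05-10", 5.0, ["cpe:2.3:a:microsoft:office:2010:*:*:*:*:*:*:*"]),
    Record("SAMPLE-2011-06", "2011-06-14", 6.8, ["cpe:2.3:a:adobe:flash_player:10.3:*:*:*:*:*:*:*"]),
    Record("SAMPLE-2011-07", "2011-07-27", 7.8, ["cpe:2.3:o:cisco:ios:15.1:*:*:*:*:*:*:*"]),
    Record("SAMPLE-2011-08", "2011-08-02", 2.1, ["cpe:2.3:h:acme:router:*:*:*:*:*:*:*:*"]),
    Record("SAMPLE-2011-09", "2011-09-20", 4.3, ["cpe:2.3:a:apple:itunes:10.4:*:*:*:*:*:*:*"]),
    Record("SAMPLE-2011-10", "2011-11-08", 10.0, ["cpe:2.3:a:oracle:jre:1.6.0:*:*:*:*:*:*:*",
                                                 "cpe:2.3:o:microsoft:windows_xp:*:*:*:*:*:*:*:*"]),
    Record("SAMPLE-2010-01", "2010-03-09", 7.5, ["cpe:2.3:a:google:chrome:5.0:*:*:*:*:*:*:*"]),
    Record("SAMPLE-2010-02", "2010-06-15", 5.0, ["cpe:2.3:o:apple:mac_os_x:10.6:*:*:*:*:*:*:*"]),
    Record("SAMPLE-2010-03", "2010-09-01", 9.3, ["cpe:2.3:a:adobe:acrobat_reader:9.3:*:*:*:*:*:*:*"]),
    Record("SAMPLE-2010-04", "2010-12-14", 4.3, ["cpe:2.3:a:microsoft:internet_explorer:8:*:*:*:*:*:*:*"]),
]

if __name__ == "__main__":
    for y in sorted(count_by_year(SAMPLE)):
        print(y, count_by_year(SAMPLE)[y], f"HIGH {high_severity_share(SAMPLE, y):.0%}",
              f"top-2 vendors {top_vendor_share(SAMPLE, y, n=2):.0%}", part_split(SAMPLE, y))
```

Note the caveat in part_split: a record that names both an application and an operating system (SAMPLE-2011-10 above) is counted under both, so the split does not add up to 100% the way the post's 85/12/3 figures do. The post does not say how it attributed such CVEs, and any exclusive attribution has to state its precedence rule, otherwise the application/OS/hardware percentages cannot be reproduced.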
Most Targeted Operating Systems in 2011
Microsoft operating systems are by far the most targeted, followed by Cisco IOS and Apple Mac OS X.
Google Android entered the top list this year. It will be interesting to watch its evolution over the coming year: as the number of Android phones and tablets grows rapidly, it is bound to draw more attention from security researchers and attackers alike. The same applies to Apple iOS, which already has a good number of vulnerabilities.
Most Targeted Applications in 2011
The applications with the highest number of vulnerabilities reported in 2011 are, with small changes, the same as in 2010. Here are some highlights:
- Web browsers and their add-ons continue to draw the most attention.
- Besides operating systems and web browsers, it is essential to monitor and keep fully patched: Adobe products (Flash Player, Reader, Shockwave Player, AIR), Java, Microsoft Office and other widely deployed applications such as Apple iTunes, Apple QuickTime and RealPlayer.
- Google Chrome remains, as in 2010, the application with the most vulnerabilities reported in NVD. Moreover, its 2011 count almost doubled compared to 2010, from 152 to 275.
- Apple iTunes saw a striking jump in vulnerabilities from 2010 to 2011, from 8 to 78.