Less Well-Known Enterprise App Flaws Pose Big Threat, Says Report
While commodity attack tools focus on vulnerabilities in Adobe Flash and Java, security flaws in IBM, Oracle and VMware products occur more frequently, finds security firm Secunia.
Microsoft and Adobe both released patches for critical vulnerabilities on Dec. 9, the final Patch Tuesday of the year, but other companies, such as IBM and Oracle, have to patch a greater number of flaws each quarter, according to an analysis by security firm Secunia. In its third-quarter report released on Dec. 9, the vulnerability-management firm cataloged more than 1,814 software security flaws. IBM, with its suite of enterprise software products, had to deal with the greatest number of vulnerabilities, according to Secunia’s data. The data, organized into top-20 lists for August, September and October, showed that Google’s Chrome browser was the single application with the most flaws, but other top vulnerable applications each month included EMC’s Archer compliance software, Oracle’s Solaris, the Avant browser and VMware’s vCenter Server. “We often hear about the vulnerabilities in Windows, Internet Explorer, Flash and Java,” Kasper Lindgaard, director of research and security for Secunia, told eWEEK. “We don’t hear about all those other vulnerabilities that make up the 1,800 we saw this quarter.”
Triaging vulnerabilities and patches is an important process for corporate information-security groups. While patching ubiquitous software, such as Microsoft’s Internet Explorer and Google’s Chrome, is important, companies also need to worry about the software critical to their specific environment, Lindgaard said. Attackers, especially those specifically targeting a company, will find ways to exploit the critical vulnerabilities in less ubiquitous software if necessary, he said.