Less Well-Known Enterprise App Flaws Pose Big Threat, Says Report

While commodity attack tools focus on vulnerabilities in Adobe Flash and Java, security flaws in IBM, Oracle and VMware products occur more frequently, finds security firm Secunia.

Big Software Flaws

Microsoft and Adobe both released patches for critical vulnerabilities on Dec. 9, the final Patch Tuesday of the year, but other companies, such as IBM and Oracle, have to patch a greater number of flaws each quarter, according to an analysis by security firm Secunia.

In its third-quarter report released on Dec. 9, the vulnerability-management firm cataloged 1,814 software security flaws. IBM, with its suite of enterprise software products, had to deal with the greatest number of vulnerabilities, according to Secunia’s data.

The data--organized into top-20 lists for August, September and October--showed that Google’s Chrome browser was the single application with the most flaws, but other top vulnerable applications each month included EMC’s Archer compliance software, Oracle’s Solaris, the Avant browser and VMware’s vCenter Server.

“We often hear about the vulnerabilities in Windows, Internet Explorer, Flash and Java,” Kasper Lindgaard, director of research and security for Secunia, told eWEEK. “We don’t hear about all those other vulnerabilities that make up the 1,800 we saw this quarter.”

Triaging vulnerabilities and patches is an important process for corporate information-security groups. While patching ubiquitous software, such as Microsoft’s Internet Explorer and Google’s Chrome, is important, companies also need to worry about the software critical to their specific environment, Lindgaard said. Attackers, especially those specifically targeting a company, will find ways to exploit critical vulnerabilities in less ubiquitous software if necessary, he said.

“The attackers do not only use vulnerabilities in high-profile applications that everyone uses,” Lindgaard said. “They use vulnerabilities in the applications that your company runs in your environment.”

Companies also have to focus on software from vendors that use open-source libraries, or other firms’ products, as part of their software offerings. IBM, for example, includes third-party software, such as Oracle’s Java, in its enterprise applications, requiring an update whenever the original software is patched, Lindgaard said. Vulnerabilities in open-source products also impacted Apple, for example, whose Mac OS X accounted for the most vulnerabilities in a single product, 59 in total, in September 2014, according to Secunia.

Many vulnerabilities are not widely known because the software’s developer does not publicly disclose the issues. Lindgaard pointed to the Heartbleed vulnerability in OpenSSL as an example. About 100 vendors identified the initial flaw in 600 products and a second set of flaws in 800 products. Yet, when a third set of flaws affecting OpenSSL was announced in August, only 75 products were patched, suggesting that vendors were not as forthcoming about later disclosures.

“Consequently, not only are there products that are vulnerable and unpatched because of ‘OpenSSL Take 3,’ but they are also undisclosed. And that is really bad!” the report stated.

At the current rate of disclosure the number of vulnerabilities is on track to jump nearly 40 percent this year compared to last year, according to Secunia’s estimates.

Robert Lemos

Robert Lemos is an award-winning freelance journalist who has covered information security, cybercrime and technology's impact on society for almost two decades. A former research engineer, he's...