Close
  • Latest News
  • Cybersecurity
  • Big Data and Analytics
  • Cloud
  • Mobile
  • Networking
  • Storage
  • Applications
  • IT Management
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
Read Down
Sign in
Close
Welcome!Log into your account
Forgot your password?
Read Down
Password recovery
Recover your password
Close
Search
Menu
Search
  • Latest News
  • Cybersecurity
  • Big Data and Analytics
  • Cloud
  • Mobile
  • Networking
  • Storage
  • Applications
  • IT Management
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
More
    Home Cybersecurity
    • Cybersecurity

    Software Vulnerabilities Rise Again After 5-Year Decline

    By
    Robert Lemos
    -
    February 11, 2013
    Share
    Facebook
    Twitter
    Linkedin

      The number of software vulnerabilities tracked by the National Vulnerability Database in 2012 reversed a five-year decline, with software made by Adobe, Mozilla and Oracle containing the most critical flaws, according to a report released last week by NSS Labs, a technology and security research firm.

      The report found that the number of vulnerabilities grew to 5,225 in 2012, an increase of 26 percent year-over-year, as counted by their common vulnerabilities and exposures (CVE) identifiers. In 2011, reported vulnerabilities had shrunk by 36 percent from an all-time high of 6,462 in 2006.

      The turnaround indicates that software developers in general have yet to come to grips with the secure programming techniques and process necessary to permanently reduce the number of vulnerabilities found in their products, said Stefan Frei, research director with NSS Labs and the person who conducted the analysis.

      “Despite massive investments on the part of the industry, vulnerabilities are still here, and there are still lots of critical vulnerabilities,” he said.

      Oracle topped the list of vendors with the most reported vulnerabilities, with 429 security issues affecting its products. Over the past three years, Oracle’s Java has become a favored vector to attack systems, with cyber-criminal toolkits quickly adding exploits for the latest vulnerabilities in the write-once-run-anywhere platform. Apple and Google placed a close second and third, with 297 and 279 flaws disclosed in the respective company’s products.

      However, a different firm’s software contained the most critical vulnerabilities in 2012: Adobe. A perennial favorite of attackers for the ubiquity of its Acrobat PDF reader and Flash plug-in for Web browsers, Adobe accounted for 112 of the 484 vulnerabilities that had a critical severity rating and a simple means of exploitation. Mozilla and Oracle chalked up second place and third place on the list, accounting for 13 percent and 10 percent of the critical, easy-to-exploit flaws.

      Yet the analysis contains good news, as well.

      The share of the vulnerabilities that were rated highly critical declined. Frei used the Common Vulnerability Scoring System (CVSS) to rate the vulnerabilities, ranking scores 7.0 or more as high-criticality issues. In addition, since 2000, it has become more difficult to exploit the vulnerabilities: Low-complexity attacks have declined in the past decade, while medium-complexity attacks have increased.

      Four of the 10 companies with the most security issues have reduced the overall number of vulnerabilities reported in the last year, but only Microsoft had fewer vulnerabilities in 2012 than its average over the past decade.

      While there has been progress—albeit slow—in making software more secure, Websites and online services are a gray area. Because Websites and services cannot be tested legally by security researchers in the same way as source code and binaries—much of the impetus that is driving software security is missing from such services, Frei warned. Only a few Web companies, such as Google and Facebook, have invited researchers to test their systems.

      “It is a battle between market forces and expertise, and somewhere we find the balance,” Frei said. “The balance is not now very much right on the security side, but if it was an easy problem, it would have been solved by now.”

      Avatar
      Robert Lemos
      Robert Lemos is an award-winning freelance journalist who has covered information security, cybercrime and technology's impact on society for almost two decades. A former research engineer, he's written for Ars Technica, CNET, eWEEK, MIT Technology Review, Threatpost and ZDNet. He won the prestigious Sigma Delta Chi award from the Society of Professional Journalists in 2003 for his coverage of the Blaster worm and its impact, and the SANS Institute's Top Cybersecurity Journalists in 2010 and 2014.

      MOST POPULAR ARTICLES

      Android

      Samsung Galaxy XCover Pro: Durability for Tough...

      Chris Preimesberger - December 5, 2020 0
      Have you ever dropped your phone, winced and felt the pain as it hit the sidewalk? Either the screen splintered like a windshield being...
      Read more
      Cloud

      Why Data Security Will Face Even Harsher...

      Chris Preimesberger - December 1, 2020 0
      Who would know more about details of the hacking process than an actual former career hacker? And who wants to understand all they can...
      Read more
      Cybersecurity

      How Veritas Is Shining a Light Into...

      eWEEK EDITORS - September 25, 2020 0
      Protecting data has always been one of the most important tasks in all of IT, yet as more companies become data companies at the...
      Read more
      Big Data and Analytics

      How NVIDIA A100 Station Brings Data Center...

      Zeus Kerravala - November 18, 2020 0
      There’s little debate that graphics processor unit manufacturer NVIDIA is the de facto standard when it comes to providing silicon to power machine learning...
      Read more
      Apple

      Why iPhone 12 Pro Makes Sense for...

      Wayne Rash - November 26, 2020 0
      If you’ve been watching the Apple commercials for the past three weeks, you already know what the company thinks will happen if you buy...
      Read more
      eWeek


      Contact Us | About | Sitemap

      Facebook
      Linkedin
      RSS
      Twitter
      Youtube

      Property of TechnologyAdvice.
      Terms of Service | Privacy Notice | Advertise | California - Do Not Sell My Information

      © 2021 TechnologyAdvice. All Rights Reserved

      Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.

      ×