The number of software vulnerabilities tracked by the National Vulnerability Database in 2012 reversed a five-year decline, with software made by Adobe, Mozilla and Oracle containing the most critical flaws, according to a report released last week by NSS Labs, a technology and security research firm.
The report found that the number of vulnerabilities grew to 5,225 in 2012, an increase of 26 percent year-over-year, as counted by their common vulnerabilities and exposures (CVE) identifiers. In 2011, reported vulnerabilities had shrunk by 36 percent from an all-time high of 6,462 in 2006.
The turnaround indicates that software developers in general have yet to come to grips with the secure programming techniques and process necessary to permanently reduce the number of vulnerabilities found in their products, said Stefan Frei, research director with NSS Labs and the person who conducted the analysis.
“Despite massive investments on the part of the industry, vulnerabilities are still here, and there are still lots of critical vulnerabilities,” he said.
Oracle topped the list of vendors with the most reported vulnerabilities, with 429 security issues affecting its products. Over the past three years, Oracle’s Java has become a favored vector to attack systems, with cyber-criminal toolkits quickly adding exploits for the latest vulnerabilities in the write-once-run-anywhere platform. Apple and Google placed a close second and third, with 297 and 279 flaws disclosed in the respective company’s products.
However, a different firm’s software contained the most critical vulnerabilities in 2012: Adobe. A perennial favorite of attackers for the ubiquity of its Acrobat PDF reader and Flash plug-in for Web browsers, Adobe accounted for 112 of the 484 vulnerabilities that had a critical severity rating and a simple means of exploitation. Mozilla and Oracle chalked up second place and third place on the list, accounting for 13 percent and 10 percent of the critical, easy-to-exploit flaws.
Yet the analysis contains good news, as well.
The share of the vulnerabilities that were rated highly critical declined. Frei used the Common Vulnerability Scoring System (CVSS) to rate the vulnerabilities, ranking scores 7.0 or more as high-criticality issues. In addition, since 2000, it has become more difficult to exploit the vulnerabilities: Low-complexity attacks have declined in the past decade, while medium-complexity attacks have increased.
Four of the 10 companies with the most security issues have reduced the overall number of vulnerabilities reported in the last year, but only Microsoft had fewer vulnerabilities in 2012 than its average over the past decade.
While there has been progress—albeit slow—in making software more secure, Websites and online services are a gray area. Because Websites and services cannot be tested legally by security researchers in the same way as source code and binaries—much of the impetus that is driving software security is missing from such services, Frei warned. Only a few Web companies, such as Google and Facebook, have invited researchers to test their systems.
“It is a battle between market forces and expertise, and somewhere we find the balance,” Frei said. “The balance is not now very much right on the security side, but if it was an easy problem, it would have been solved by now.”