Third-party programs add to PC vulnerabilities
We reported earlier this week on how financial organizations are at risk from third parties with compromised security.
It seems that the same thing applies to software. The latest review by IT security specialist Secunia shows that third-party programs are responsible for 76 percent of the vulnerabilities discovered in the 50 most popular programs in 2013.
Secunia's review looks at the top 50 programs found on private PCs, including those approved and maintained by IT departments and those on BYOD devices used with or without permission. Unsurprisingly, 66 percent of the top 50 are Microsoft programs; however, they accounted for only 24 percent of the vulnerabilities in 2013.
Of the total of 1,208 vulnerabilities that were discovered in 2013, third-party programs were responsible for 76 percent. Yet these programs only account for 34 percent of the 50 most popular programs on private PCs.
"It is one thing that third-party programs are responsible for the majority of vulnerabilities on a typical PC, rather than Microsoft programs. However, another very important security factor is how easy it is to update Microsoft programs compared to third-party programs. Quite simply, the automation with which Microsoft security updates are made available to end users — through auto-updates, Configuration Management systems and update services — ensures that it is a reasonably simple task to protect private PCs and corporate infrastructures from the vulnerabilities discovered in Microsoft products. This is not so with the large number of third-party vendors, many of whom lack either the capabilities, resources or security focus to make security updates automatically and easily available," says Secunia CTO, Morten R. Stengaard.
But help in combating the threats is available to organizations that are alert. In 2013, 86 percent of the vulnerabilities discovered in the top 50 portfolio had a security update available on the day the threat was disclosed to the public, enabling companies to address the risk immediately. This, of course, relies on receiving the available vulnerability intelligence and being ready to act on it.
Across all products, where 13,073 vulnerabilities were discovered in 2,289 products, 79 percent of the vulnerabilities had a patch available on the day of disclosure.
Stengaard concludes, "With these numbers in mind, we can conclude that intelligent, comprehensive and deployable patch management goes a long way towards protecting IT infrastructures. And supported by an effective risk management strategy it is possible for organizations to meet the threat posed by vulnerabilities, and to protect the business-critical and sensitive information they store in their systems."