Secunia recorded 15.435 software vulnerabilities in 3.870 applications during 2014, according to 2015's annual vulnerability review (Secunia Vulnerability Review 2015), released by the company this week.
The number shows an increase of 18% in vulnerabilities as well as an increase of 22% compared to the programs in 2013. But if you ask the general public to guess which are the programs with the most vulnerabilities, by all means you will probably catch them unread… if they have not read Secunia's report.
The big Google Chrome headed the 504 vulnerability list, followed by Oracle Solaris (483), Gentoo Linux (350), and Microsoft Internet Explorer (289). Apple's Mac OS X is in the 13 position with 147 vulnerabilities, while Microsoft's Windows 8 in 20 position with 105 recorded vulnerabilities.
Only two Microsoft programs are in the Top 20 of the list of core programs, which list IBM applications, in eight different cases. Tivoli Endpoint Manager has one of the worst performances that with 258 vulnerabilities "wins" the 8th place. The following applications are: Tivoli Storage Productivity Center (231), IBM Websphere Application Server (210), IBM Domino (177), IBM Lotus Notes (174), IBM Tivoli Composite Application Manager For Transactions (136), IBM Tivoli Application Dependency Discovery Manager (136), IBM Tivoli Application Dependency Discovery Manager (122), and IBM Websphere Portal (107) - see table below.
Programs from the same company may well share the same vulnerabilities, so IBM's performance is probably not as bad as it seems. Also, recording a large number of vulnerabilities does not mean that a program is necessarily insecure: finding and fixing vulnerabilities helps make Chrome more secure browser. However, this does not necessarily mean that the fix should work perfectly.
However, the time for repairs is still decreasing. Secunia reports that from 15.435 vulnerabilities, 83 percent had an update released to users as soon as vulnerability was revealed to the public.
As usual, Microsoft applications were not responsible for the majority of vulnerabilities in personal computers. According to Secunia, Microsoft applications (including the Windows 7 operating system) accounted for 69% of products in Top 50 programs that were most commonly installed on computers, but only 23% contained vulnerabilities. This may sound good, but the percentages are quite high considering Microsoft's popularity of programs.
Windows 8 was obviously the version with the most vulnerabilities, but the number decreased from 156 to 2013 to 105 to 2014. Windows 7 went even better, as the number of vulnerabilities fell from 102 to 33.
Web browsers now. They had the most vulnerabilities in the Top 50 programs. Google's Chrome came in first with 504 recorded vulnerabilities, followed by IE (289) and Mozilla Firefox (171)
Other vulnerable applications were: Oracle Java JRE (119), Adobe Flash Player (99), Apple iTunes (84), Adobe Air (59), Adobe Reader (43), Microsoft Windows 7 (33), Apple QuickTime (14) and Microsoft Word (13).
For history, Apple's Safari recorded 92 vulnerabilities
But the biggest security disasters this year came from open source software with Heartbleed, SSL and ShellShock. Secunia states that these problems "brought attention to a previously neglected dynamic security topic: the use of applications and libraries open code in IT environments.”
