As a follow-up to last week’s blog on 2013’s vulnerability trends, we took a look at the Skybox vulnerability database to choose 2013’s top ten most vulnerable vendors. The figures are based on the number of distinct Skybox Security vulnerability catalog IDs, which map to individual CVE records.*
Looking at the top vendors ranked by total volume of published vulnerabilities, or number of critical vulnerabilities, we didn’t uncover any big surprises, especially given each vendor’s respective market share and footprint within enterprise organizations.
Microsoft, Adobe, and Oracle claim the top three positions when ranked by critical vulnerabilities in 2013. It’s interesting to compare total vulnerabilities as well as the percentage of vulnerabilities announced as critical. Oracle had the highest total number of vulnerabilities at 568, but only 18 percent of its total vulnerabilities were deemed critical. Adobe, on the other hand, is seventh on the list when ranked by total vulnerabilities (153), but the vulnerabilities reported were considered critical a whopping 86 percent of the time.
These numbers paint a depressing picture of the extent to which enterprise networks and business data are at risk. With a total of 700 critical vulnerabilities in 2013 – including more than 500 from just four vendors – security personnel tasked with assessing and remediating vulnerabilities face a constant challenge just to keep up with security updates from these vendors alone.
Products from these vendors – like Adobe Reader and Oracle’s Java – are essential to nearly every large company, often embedded in network services and business processes and accessible from huge numbers of endpoints. Immediate patching may be impossible. Switching to a vendor with fewer reported vulnerabilities usually isn’t an option due to the huge cost of switching. Shielding technologies such as IPS may help, but only if there is good coverage against the vulnerabilities your organization is exposed to.
This list is good fodder for internal discussions on the best way for security personnel to control vulnerability risks, and where management time is best spent. It’s interesting that there seems to be so much hype around tools and processes to identify and respond to advanced threats (APT) and zero-day vulnerabilities, when attackers have a long list of well-documented vulnerabilities and available exploit code at their disposal to conduct a successful attack or data breach.
Clearly, vulnerability management strategy needs to focus on achieving significant risk reduction through consistent vulnerability management processes focused on these most vulnerable vendors. Routine daily management keeps risk levels from climbing out of control, and time-critical processes need to be able to respond to critical security updates with a fast turnaround time for triage and remediation.