We here at the VRT are all about backing up opinions with facts, and there are a lot of opinions about the nature of the vulnerability landscape out there. With that in mind, we recently decided to study the numbers and put conventional wisdom to the test.
At a high level, the numbers show that while vendors are putting increasing amounts of effort into security, critical vulnerabilities such as the recent Java, PDF, and Internet Explorer 0-days are on the upswing again of late. Combined with the clear upward trend in the amount of malware being dropped via these vulnerabilities - the Sourcefire VRT now sees an average of over 200,000 unique new malware samples per day - it is clear that users need to be as vigilant as ever in dealing with the modern threat landscape.
Here are some further highlights from the report:
- Total vulnerabilities and highly critical vulnerabilities were up in 2012 after a significant downswing over the previous few years; 2012 was a record-breaking year for the number of the most critical vulnerabilities, those with a CVSS score of 10.
- Buffer overflows continue to be the most important type of vulnerability, with 35% of the total share of critical vulnerabilities over the last 25 years.
- For the first time since 1998, Microsoft did not lead vendors in terms of vulnerabilities reported in 2012; that dubious distinction went to Oracle, whose 2010 acquisition of Sun's Java programming language, a favorite of attackers, contributed to that trend.
- Firefox had more critical vulnerabilities than Internet Explorer over the time period studied, casting doubt on the conventional wisdom that IE is the least secure browser.
- Microsoft released 13% of their patches after the CVE was published, meaning that vulnerability information was publicly available, and potentially being exploited, before a patch was available (i.e., these were 0-days).
You can download the full report here. We hope you enjoy our quick dive into the world of vulnerability statistics; if there are any statistics you'd like us to look into in a follow-up post, let us know in the comments.