Study: Third-party apps account for 75% of vulnerabilities

Many IT pros are focused in on operating systems these days. But a report from Secunia finds the biggest risk lies outside of whichever version of Windows or OS X you might be running. 

While the upcoming end of life for XP is concerning and Apple’s quiet end of support for OS X 10.6 Snow Leopard has started the rush for upgrades, Secunia found that 75.7% of all vulnerabilities last year affected third-party applications.

By comparison, only 24.3% of these flaws were related to operating systems or Microsoft’s applications (which the study grouped together).

So shops that are focused mainly on keeping their operating systems secure are actually missing three-quarters of the threats that could be coming their way.

Windows versions are more alike than different

Another somewhat surprising finding: So far, at least, the version of Windows you’re running has little to do with the number of vulnerabilities you’re likely to find.

According to the study:

  • XP had 99 vulnerabilities in 2013
  • Vista and Windows 7 each had 102 vulnerabilities, and
  • Windows 8 had 156 – but most of those were the result of bundling a vulnerable version of Java.

Compare that to the number of vulnerabilities for third-party apps – 914 across all platforms – and you can see why patching might need to focus on this hazard more than others.

The good news

While the sheer number of vulnerabilities is concerning, the report has a silver lining: 78.6% of programs that had flaws also had a patch released the same day as when the flaw was disclosed.

That time-to-patch indicates that researchers are increasingly working closely with vendors to alert them to vulnerabilities before announcing it publicly.

And only 14 of all the vulnerabilities last year were dreaded zero-day attacks. These are attacks that are executed on a previously unknown vulnerability – in other words, when the vulnerability is discovered after it’s already too late to prevent damage.

It’s not coming from inside the building

Finally, one note of warning: While vulnerabilities can be internal (executed by users or other people on your network), the majority of attack vectors according to the study were remotely executed.

In other words, coming from hackers.

The study found that 73.5% of attacks were from remote networks compared to only 6.6% on local systems and 19.9% on local networks.

A good reminder that while internal threats are always a concern, the real goal of security should be keeping outsiders away from your data.