In its latest ‘Vulnerability Update' report, security firm Secunia found that there was a 40 percent increase year-on-year in the number of software vulnerabilities, with OpenSSL, Google Chrome and IBM the cause of some of the most significant flaws.
Covering the period from August to October, the firm found 1,841 vulnerabilities in the 20 most vulnerable programs, with these spanning a plethora of different criticalities and attack vectors. “Many of them had patches available on the day of disclosure, a lot of them did not,” reads the report.
IBM was the vendor with the most vulnerable products – with several of its products in the top 20 list for August, September and October (this is often because of IBM's tie-in with third-party software like Java and OpenSSL) – while the Google Chrome browser was the single product with the most vulnerabilities.
OpenSSL flaws were mentioned heavily in the report which, while noting quick reaction to Heartbleed, Shellshock and Poodle, added that patches had tailed off as media has lost interest in such stories.
On the ‘big three', the firm said: “Essentially, what we saw was that if you give a vulnerability a catchy name and get it some publicity, all the vendors of the world scramble to uncover if the vulnerability is in their products, and hurry to create and publish a patch for it. No publicity means no disclosure and no patches.”
To highlight this, the firm says that while 100 vendors issued patches for more than 600 products made vulnerable by Heartbleed within 40 days, fewer than 20 vendors took the time to patch 50 vulnerable products some months later when ‘OpenSSL #3' was discovered.