
Third-party software, not Microsoft's, blamed for 76% of vulnerabilities on average PC

33 of the 50 most popular software programs were Microsoft's in 2013, but a security firm says it's the other 17 third-party programs that are to blame for the majority of vulnerabilities on the average PC.

Don't blame Microsoft if your PC is insecure, because three quarters of the security vulnerabilities reported in 2013 were found in third-party software, not in Microsoft programs. Yet according to the same source, the Denmark-based security firm Secunia, which analyzed vulnerabilities in the 50 most-used software products, the number of holes in Windows 7 and XP doubled in 2013, and Windows 8 was the operating system with the most vulnerabilities. While that might be a bit of a head-scratcher, Microsoft employees, people who love Microsoft, and Microsoft haters alike can each pluck numbers from Secunia's annual report that make them happy.

After scanning PCs with its Personal Software Inspector (PSI) tool, Secunia found that the average computer has 75 programs installed on it. The company's report focuses on the 50 most common software products found on the computers.

Overall for 2013:

"2,289 vulnerable products were discovered with a total of 13,073 vulnerabilities in them." Of those, "1,208 vulnerabilities were discovered in 27 products in the Top 50 portfolio." There were 727 vulnerabilities "discovered in the 5 most popular browsers: Google Chrome, Mozilla Firefox, Internet Explorer, Opera, Safari."

Top 25 most vulnerable software in 2013, Secunia report

As you can see in Secunia's top 25 most vulnerable software products, only eight of those were third-party products: Adobe Flash Reader at #5, Adobe Reader at #7, Oracle Java JRE at #10, Firefox at #16, Chrome at #17, RealTek AC 97 at #23, Adobe Air at #24, and Apple Quicktime at #25.

There are only 17 third-party products that made it onto the top 50 most common software list. Of those 17 third-party programs, 10 were vulnerable. Put another way, those 17 programs accounted for only 34% of the software on most PCs, yet were also responsible for 76% of the vulnerabilities discovered in the top 50.

33 Microsoft programs were included in the top 50 most common; 17 were vulnerable. Put another way, Microsoft programs accounted for 66% of the top 50 products, but were only responsible for 24% of the vulnerabilities.

Now, let's look at Microsoft-specific vulnerabilities according to the 2014 Secunia Vulnerability Review [pdf]. "The increase of vulnerabilities in Windows: Data reveals that the dip in the number of vulnerabilities recorded in Windows 7 and Windows XP in 2012 (50 and 49) has been reversed, with the number rising back up to 102 and 99 vulnerabilities respectively in 2013, almost on par with 2011 figures."

Secunia's figures, covering Windows vulnerabilities for the last five years, show that Windows 8 was the most vulnerable. It noted, however, that "the high number of vulnerabilities in Windows 8 is due to the fact that Windows 8 has Adobe Flash Player integrated into Internet Explorer. This integration is responsible for a portion of the vulnerabilities (55) detected in that operating system."

Vulnerabilities in Windows for the last 5 years


Microsoft programs: There were significantly more vulnerabilities reported in Microsoft programs in 2013 compared to the previous year: the share went up from 8.4% to 15.9%. The actual vulnerability count in Microsoft programs was 192 in 2013; 128.6% higher than in 2012.

Secunia said 86% of the vulnerabilities in the top 50 software products had a patch ready to deploy on the same day the vulnerability was disclosed. Among the top 50 programs, 10 zero-day vulnerabilities were being actively exploited with no patch available.

Secunia CTO Morten R. Stengaard said in a press statement:

It is one thing that third-party programs are responsible for the majority of vulnerabilities on a typical PC, rather than Microsoft programs. However, another very important security factor is how easy it is to update Microsoft programs compared to third-party programs.

“Quite simply, the automation with which Microsoft security updates are made available to end users – through auto-updates, Configuration Management systems and update services – ensures that it is a reasonably simple task to protect private PCs and corporate infrastructures from the vulnerabilities discovered in Microsoft products,” Stengaard added. “This is not so with the large number of third-party vendors, many of whom lack either the capabilities, resources or security focus to make security updates automatically and easily available.”

So, Secunia says don't blame Microsoft if your computer is vulnerable. But in my book, you can blame Microsoft if you want to so long as you patch ASAP and do your best to keep you and your machine from being hacked.

You might be interested in "Biased software vulnerability stats praising Microsoft were 101% misleading," the Open Source Vulnerability Database's response after reviewing the Secunia Vulnerability Report.


Follow me on Twitter @PrivacyFanatic
