Download our in-depth report: The Ultimate Guide to IT Security Vendors
According to the Secunia Vulnerability Review 2015, 15,435 vulnerabilities were recorded in a total of 3,870 applications from 500 different vendors in 2014, an 18 percent increase in vulnerabilities and a 22 percent increase in affected products from the previous year.
Eleven percent of the 15,435 vulnerabilities discovered in 2014 were rated "Highly Critical," and 0.3 percent were rated "Extremely Critical."
Twenty-five zero-day vulnerabilities were discovered in 2014, compared to 14 the year before. Twenty of those 25 were discovered in the 25 most popular products, seven of them in operating systems.
In 2014, 1,035 vulnerabilities were discovered in the five most popular browsers: Google Chrome, Mozilla Firefox, Internet Explorer, Opera and Safari. That's a 42 percent increase from the previous year.https://o1.qnsr.com/log/p.gif?;n=203;c=204650394;s=9477;x=7936;f=201801171506010;u=j;z=TIMESTAMP;a=20392931;e=i
And 1,348 vulnerabilities were discovered in 2014 in the top 50 most popular applications on private PCs.
Notably, 77 percent of the vulnerabilities found in the 50 most popular applications in 2014 affected non-Microsoft applications, reflecting a 42 percent increase over the course of the past five years.
"Every year, we see an increase in the number of vulnerabilities discovered, emphasizing the need for organizations to stay on top of their environment. IT teams need to have complete visibility of the applications that are in use, and they need firm policies and procedures in place, in order to deal with the vulnerabilities as they are disclosed," Secunia director of research and security Kasper Lindgaard said in a statement.
There is some good news -- 83 percent of vulnerabilities found in 2014 in all products had patches available on the day of disclosure.
Notably, however, that percentage didn't change significantly 30 days later. "30 days on, just 84.3 percent have a patch available which essentially means that if it isn’t patched on the day of disclosure, chances are the vendor isn’t prioritizing the issue," Lindgaard said. "That means you need to move to plan B, and apply alternative fixes to mitigate the risk."
And when assessing third-party vendors, Secunia noted that there was no clear pattern to vendor response times in responding to flaws in open source applications that affected their products. "Consequently, organizations can not presume to be able to predict which vendors are dependable and quick to react, when vulnerabilities are discovered in products bundled with open source libraries," Lindgaard said.