Dissecting the 2013 Vulnerability Landscape
DESCRIPTION
Every year Secunia releases a review of the vulnerability landscape, based on its vulnerability research and data from its Personal Software Inspector (PSI) user base. The data in this research helps security professionals around the globe make sense of the evolution of the threat landscape and the trends throughout the year.

In this webinar, Secunia's CTO, Morten Stengaard, and Head of Research, Kasper Lindgaard, will interpret the data presented in the Secunia Vulnerability Review 2014 and answer questions. The review will be released on 26th February at 20:00 CET. Before 26th February, you can pre-register to receive a copy of the review as soon as it is released, at: http://secunia.com/resources/reports/vr2014/

Key takeaways:
- The number of vulnerabilities and zero-days detected in 2013
- The security state of browsers and PDF readers
- How quickly vendors respond to vulnerabilities
- Which programs are more vulnerable

TRANSCRIPT
2014 Secunia Presentation 1
Dissecting the 2013 Vulnerability Landscape
The annual analysis of the evolution of software security
Who is Secunia?
What is the Vulnerability Review?
Methodology
Vulnerabilities discovered in 2013 – at a glance
Vulnerabilities discovered in 2013 – a closer look
Key takeaways
Q&A
Secunia Vulnerability Review 2014: The highlights
Introduction
Who is Secunia? We are all about vulnerabilities
Secunia originally started out as a Vulnerability Research outfit with a core ethos of providing customers with trustworthy vulnerability intelligence.
Research has always been the heart and soul of Secunia and, over time, the unit organically evolved to drive the development of other complementary initiatives: remediation tools for the identification and elimination of vulnerabilities.
The research conducted by Secunia since 2002 has enabled us to build one of the largest vulnerability databases in the industry and has given us a solid view of the ever-changing vulnerability landscape. This knowledge is the foundation of the annual Secunia Vulnerability Review.
What is the Vulnerability Review? Analysis of the evolution of software security from a global endpoint perspective
The annual Secunia Vulnerability Review presents global data on vulnerabilities and the availability of patches, and correlates this information with the market share of programs to map the security threats to IT infrastructures.
Secunia methodology
Methodology
The Portfolios: "All" and "Top 50"
To assess how exposed endpoints are, Secunia analyzes the types of products typically found on an endpoint.
Top 50 Portfolio
Product composition, Top 50 portfolio (the 50 most common programs found on a typical PC):
Microsoft programs: Represent on average 66% of the programs on a computer with the PSI installed.
Third-party programs: Software from all other vendors; represents 34% of the programs on a computer with the PSI installed.
Operating Systems: We track vulnerabilities in the most prevalent operating system, Windows 7.
All Products
Product composition, PSI computer (typical private PC with the PSI and, on average, 75 programs installed on it):
Microsoft programs: Represent on average 39% of the programs on a computer with the PSI installed.
Third-party programs: Software from all other vendors; represents 61% of the programs on a computer with the PSI installed.
Operating Systems: We track vulnerabilities in Windows operating systems: Windows XP, Windows Vista, Windows 7 and Windows 8.
Methodology
Vulnerability Tracking
Secunia uses the following metrics to count vulnerabilities in software:
Secunia Advisory: The number of Secunia Advisories published in a given period of time is a first-order approximation of the number of security events in that period. Security events stand for the number of administrative actions required to keep the specific product secure throughout a given period of time.
Secunia Vulnerability Count: A vulnerability count is added to each Secunia Advisory to indicate the number of vulnerabilities covered by the Secunia Advisory. Using this count for statistical purposes is more accurate than counting CVE identifiers. Using vulnerability counts is, however, also not ideal, as the count is assigned per advisory: one advisory may cover multiple products, and multiple advisories may cover the same vulnerabilities in a code base shared across different programs and even different vendors.
Methodology
Vulnerability Tracking (Continued)
Common Vulnerabilities and Exposures (CVE)
Common Vulnerabilities and Exposures (CVE) is a dictionary of publicly known information security vulnerabilities and exposures. CVE has become a de facto industry standard for uniquely identifying vulnerabilities and has achieved wide acceptance in the security industry. Using CVEs as vulnerability identifiers allows information about vulnerabilities to be correlated between different security products and services. CVE information is assigned in Secunia Advisories.
CVE identifiers are, however, not intended to provide reliable vulnerability counts; they are instead a very useful unique identifier for one or more vulnerabilities, allowing them to be correlated between different sources. The problem with using CVE identifiers for counting vulnerabilities is that CVE abstraction rules may merge vulnerabilities of the same type in the same product versions into a single CVE, so one CVE sometimes covers multiple vulnerabilities. Statistics based on CVE identifiers may therefore give lower vulnerability counts than expected.
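The following Python script is an added example, not Secunia's code, that applies the three counting units described in the two preceding methodology passages (Secunia Advisories as security events, per-advisory vulnerability counts, and CVE identifiers) to one constructed set of advisories, so the divergence between the totals can be seen concretely. All advisory numbers, product names and CVE identifiers in it are hypothetical, and the `estimate_distinct_flaws` heuristic is an assumption of this example rather than Secunia's method.

```python
"""Added example, not Secunia's code: the three counting units from the
methodology above (Secunia Advisories, per-advisory vulnerability counts,
CVE identifiers) applied to one constructed set of advisories, to show how
and why their totals diverge. Every advisory, product, SA number and CVE id
below is hypothetical."""
from collections import Counter
from dataclasses import dataclass
from typing import Tuple


@dataclass(frozen=True)
class Advisory:
    sa_id: str                 # hypothetical advisory identifier
    products: Tuple[str, ...]  # programs the advisory covers
    vuln_count: int            # Secunia-style per-advisory vulnerability count
    cves: Tuple[str, ...]      # CVE identifiers referenced by the advisory
    criticality: str           # one of the five Secunia ratings
    attack_vector: str         # Local system / From local network / From remote


# Constructed sample (hypothetical identifiers throughout):
#  * SA-EX-0001..0003: one flaw in a shared library, published once per
#    program that bundles it, so the same flaw appears in three advisories.
#  * SA-EX-0004: two distinct flaws of the same type in one product version
#    that CVE abstraction rules merged into a single CVE.
#  * SA-EX-0005: three flaws, three CVEs, one advisory covering two products.
SAMPLE = (
    Advisory("SA-EX-0001", ("LibFoo",), 1, ("CVE-XXXX-0001",), "Highly Critical", "From remote"),
    Advisory("SA-EX-0002", ("BrowserBar",), 1, ("CVE-XXXX-0001",), "Highly Critical", "From remote"),
    Advisory("SA-EX-0003", ("ReaderBaz",), 1, ("CVE-XXXX-0001",), "Highly Critical", "From remote"),
    Advisory("SA-EX-0004", ("ReaderBaz",), 2, ("CVE-XXXX-0002",), "Moderately Critical", "From remote"),
    Advisory("SA-EX-0005", ("OfficeQux", "OfficeQux Viewer"), 3,
             ("CVE-XXXX-0003", "CVE-XXXX-0004", "CVE-XXXX-0005"), "Less Critical", "Local system"),
)


def count_advisories(advisories):
    """Security events: one administrative action per advisory."""
    return len(advisories)


def count_vulnerabilities(advisories):
    """Sum of per-advisory vulnerability counts. Over-counts flaws in a
    shared code base that is advised once per bundling program."""
    return sum(a.vuln_count for a in advisories)


def count_unique_cves(advisories):
    """Distinct CVE identifiers. Under-counts when one CVE covers several
    vulnerabilities merged by the abstraction rules."""
    return len({cve for a in advisories for cve in a.cves})


def estimate_distinct_flaws(advisories):
    """Heuristic (an assumption of this example, not Secunia's method):
    advisories that cite exactly the same CVE set are taken to describe
    the same flaws, and the largest vulnerability count among them is
    used, so a shared-library flaw is counted once while a merged CVE
    still contributes its full per-advisory count."""
    best = {}
    for a in advisories:
        key = tuple(sorted(a.cves))
        best[key] = max(best.get(key, 0), a.vuln_count)
    return sum(best.values())


def vulnerabilities_per_product(advisories):
    """Per-product totals as used for 'vulnerable products' figures: every
    product named in an advisory is charged that advisory's full count."""
    totals = Counter()
    for a in advisories:
        for product in a.products:
            totals[product] += a.vuln_count
    return totals


def breakdown(advisories, attribute):
    """Vulnerability counts grouped by 'criticality' or 'attack_vector'."""
    groups = Counter()
    for a in advisories:
        groups[getattr(a, attribute)] += a.vuln_count
    return groups


if __name__ == "__main__":
    print("advisories (security events):", count_advisories(SAMPLE))
    print("sum of vulnerability counts:  ", count_vulnerabilities(SAMPLE))
    print("unique CVE identifiers:       ", count_unique_cves(SAMPLE))
    print("estimated distinct flaws:     ", estimate_distinct_flaws(SAMPLE))
    print("per product:", dict(vulnerabilities_per_product(SAMPLE)))
    print("by criticality:", dict(breakdown(SAMPLE, "criticality")))
    print("by attack vector:", dict(breakdown(SAMPLE, "attack_vector")))
```

On the constructed sample the five advisories yield 8 by vulnerability count (the shared-library flaw counted three times), 5 by unique CVE (the merged CVE hides one flaw), and 6 under the deduplicating heuristic, which is the direction of error the text describes for each unit. The per-product view charges ReaderBaz with 3 because it appears in two advisories, which is the same effect that makes "vulnerable products" totals differ from vulnerability totals.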
Methodology
Attack Vector
Local System: Describes vulnerabilities where the attacker is required to be a local user on the system to trigger the vulnerability.
From Local Network: Describes vulnerabilities where the attacker is required to be situated on the same network as a vulnerable system (not necessarily a LAN). This category covers vulnerabilities in certain services (e.g. DHCP, RPC, administrative services) that should not be accessible from the Internet, but only from a local network or optionally from a restricted set of external systems.
From Remote: Describes other vulnerabilities where the attacker is not required to have access to the system or a local network in order to exploit the vulnerability. This category covers services that are acceptable to be exposed and reachable on the Internet (e.g. HTTP, HTTPS, SMTP). It also covers client applications used on the Internet and certain vulnerabilities where it is reasonable to assume that a security-conscious user can be tricked into performing certain actions.
Methodology
Secunia's Vulnerability Criticality Classification
Extremely Critical: Typically used for remotely exploitable vulnerabilities that can lead to system compromise. Successful exploitation does not normally require any interaction and exploits are in the wild. These vulnerabilities can exist in services like FTP, HTTP, and SMTP or in certain client systems like email programs or browsers.
Highly Critical: Typically used for remotely exploitable vulnerabilities that can lead to system compromise. Successful exploitation does not normally require any interaction but there are no known exploits available at the time of disclosure. Such vulnerabilities can exist in services like FTP, HTTP, and SMTP or in client systems like email programs or browsers.
Methodology
Secunia's Vulnerability Criticality Classification (Cont.)
Moderately Critical: Typically used for remotely exploitable Denial of Service vulnerabilities against services like FTP, HTTP, and SMTP, and for vulnerabilities that allow system compromise but require user interaction. This rating is also used for vulnerabilities allowing system compromise on LANs in services like SMB, RPC, NFS, LPD and similar services that are not intended for use over the Internet.
Less Critical: Typically used for cross-site scripting vulnerabilities and privilege escalation vulnerabilities. This rating is also used for vulnerabilities allowing exposure of sensitive data to local users.
Not Critical: Typically used for very limited privilege escalation vulnerabilities and locally exploitable Denial of Service vulnerabilities. This rating is also used for non-sensitive system information disclosure vulnerabilities (e.g. remote disclosure of the installation path of applications).
Vulnerabilities discovered in 2013 – at a glance
13,073 vulnerabilities were discovered in 2,289 vulnerable products.
Vulnerabilities in All Products in 2013: 13,073
A 45% increase in vulnerabilities (5-year trend)
Source: "Secunia Vulnerability Review 2014." https://secunia.com/vulnerability-review/
Secunia
Mikado House, Rued Langgaards Vej 8, 4th floor
DK-2300 Copenhagen S
Denmark
Phone: +45 7020 5144
Fax: +45 7020 5145
Secunia Inc.
Lake Calhoun Business Center, Suite 420
3033 Excelsior Boulevard
Minneapolis, MN 55416
USA
Phone: +1 888 924 8265
Fax: +1 888 924 8266
Watch the entire webinar here:
Dissecting the 2013 Vulnerability Landscape