Code Red: Software Vulnerabilities Spike In 2012


Software vulnerabilities rose 26 percent in 2012 following a five-year decline, according to a study analyzing trends in reported flaws in Microsoft, Apple, Adobe, Oracle and other major software makers.

The vulnerability trends report, issued by NSS Labs this week, analyzed flaw disclosures from 1,330 software vendors. The increase in software coding errors is being fueled in part by a shift in focus toward critical infrastructure protection and emerging software, Stefan Frei, research director at NSS Labs, told CRN.

Security researchers have been steadily analyzing the code base of a variety of information control and supervisory control and data acquisition (SCADA) systems, Frei said. While still relatively low, reported vulnerabilities in the critical management software nearly doubled from 74 to 124 from 2011 to 2012.

[Related: Universal Plug And Play Flaw Impacts Millions of Devices]

Stuxnet, a Trojan that gained notoriety for being designed as a weapon to target and disrupt Iran's nuclear centrifuge program, has driven much of the interest from hackers and researchers, Frei said. SCADA systems are designed for availability and not security, but the trending vulnerability information may force software makers to improve their software security processes, he said.

"The increasing discussion in critical infrastructure protection has probably sparked interest in finding vulnerabilities in this area," Frei said. "We're seeing a huge shift in the U.S., and the issue is becoming much more serious."

New vendors accounted for 30 percent of the total vulnerabilities disclosed in 2012. Recurring vendors still represented the bulk of the flaws reported, but the threat landscape shows that new vendors and emerging technologies often have flaws. As they gain popularity and a larger installed base, they get increased attention from hackers and flaw researchers. "When there is increased popularity in products there is an increase in finding flaws, and that's been shown again and again," Frei said.

The increase in vulnerability disclosures is prompting some organizations to make changes. The Common Vulnerabilities and Exposures project, maintained by Mitre, was launched in 1999 to help standardize how reported flaws are tracked and shared. The organization said this year that it plans changes to its identification system to address the increasing volume of public vulnerability reports. The current format only supports 9,999 unique identifiers per year.

There is some good news in the report, Frei said. Microsoft and Adobe managed to decrease their vulnerability disclosures in 2012. Vulnerabilities reported in Adobe programs -- Flash Player, Acrobat and Reader -- decreased by 20 percent while Microsoft Office programs -- Word, Excel and PowerPoint -- saw a 40 percent reduction from 2011 to 2012.

"It's much harder to find and exploit vulnerabilities than it was five or 10 years ago," Frei said. "Microsoft has been very proactive."

Oracle Sun Java, which has had several high-profile Java zero-day vulnerabilities in recent months, saw an increase in reported vulnerabilities by 4 percent in 2012. Frei said Oracle has been increasing security, but its problem stems from it being an attractive target for cybercriminals. "Oracle is more security-aware, but [Java is] still a very open and prevalent product and that's the kind of popular software that is consistently being targeted and is gaining interest," Frei said.

Apple's rising popularity also has led to increased interest from cybercriminals and security researchers. Reported vulnerabilities in Apple iTunes and its ubiquitous QuickTime Player increased by 30 percent. Meanwhile, reported operating system flaws in Mac OS X and Microsoft Windows continued their decline. Apple is known for sharing little public information about how it addresses software security, Frei said.

PUBLISHED FEB. 6, 2013