Secunia just released its 2013 Q3 vulnerability report for the United States. I'm a big fan of Secunia and the data it's collected in the fight against badness. As I said last week, it's a lot better to use solid data rather than vendor suggestions to drive your security strategy.
Along with a few other sources (including Kaspersky Lab and Microsoft's Security Intelligence Reports), Secunia has helped me realize that unpatched software is to blame for the majority of successful exploits. According to Kaspersky, Oracle Java and Adobe Acrobat accounted for more than three-fourths of all successful exploits last year. Got that? Then you should have your marching orders: Patch two programs and you'll remove the bulk of the risk in your organization.
Most reports back Kaspersky's conclusion and note that socially engineered Trojans account for almost all the remaining risk. That means the remaining 1 percent of successful exploitations is caused by another agent.
That's huge. It means that all your efforts to implement smart cards, stronger passwords, code review processes, secure networking channels -- everything else -- reduces security risk by a mere 1 percent. You're far better off concentrating on improved patching and preventing end-users from installing programs they shouldn't.
Finding the real threats in the numbers
It's with this realization in mind that I couldn't wait to review Secunia's latest vulnerability analysis. Here are some of the key points:
- Nearly 15 percent of PCs users have an unpatched OS.
- The average PC has 10 percent unpatched programs.
- The typical PC has 25 mechanisms to update the software on it.
Perhaps the most interesting statistics was the list of the top 10 unpatched programs. It was led by Microsoft XML Core Services and Apple QuickTime. In fact, Oracle Java came in fifth. Per Secunia:
In the US, 79% of PC users who use Secunia PSI had Microsoft XML Core Services installed in Q3 2013. 50% of these users had not patched the program, even though a patch is available. This means that an estimated 39.5% of US PCs are made vulnerable by MSXML 4.
What's up, you ask? Didn't you say Java was the No. 1 problem?
It was and still is. There's a big difference between the most common unpatched programs and the most common successfully exploited programs. Such is the case here. Understanding the difference is important.
Yes, you need to be worried about the number of attacks and the number of vulnerable programs -- but you also need to be aware of how computers are successfully exploited. For example, any active firewall records millions of unauthorized probes. But if the firewall is doing its job, why worry about it? You can't spend all your time researching and tracking an unauthorized probe. Just be glad your firewall is working.
Treat every threat that way. Focus on the most successful exploits, not the most common threats. That's what counts. Everything else is noise.