Google Chrome, Mozilla Firefox, and Apple iTunes were the most vulnerable among popular software programs in 2012, according to the newly released 2013 Secunia Vulnerability Review (PDF). That may come as a surprise to anyone who accuses Microsoft of rolling out the most insecure software on the market. Then again, 29 of the 50 most popular programs with the most vulnerabilities bore the Microsoft logo.
The report highlighted the increasing threats posed by vulnerabilities in popular non-Microsoft programs. Over the past five years, their share has increased from 57 percent to 86 percent. "The significance of this number is that it has become more difficult for end users and administrators to keep their systems secure: If end users and organizations focus on patching their Microsoft programs and operating systems, they only protect their computer and IT infrastructure from 14 percent of the threats posed by vulnerabilities," the report cautioned.
All told, Secunia detected 9,776 vulnerabilities among 2,503 products from 421 vendors, representing a 15 percent increase in overall vulnerabilities over the past five years. In that same period, the number of vulnerabilities discovered in the 50 most popular PC programs increased by 98 percent.
Among the 18 most common non-Microsoft products, Secunia counted 291 vulnerabilities in Chrome, 257 in Firefox, and 243 in iTunes. Adobe Flash Player accounted for 67 vulnerabilities, Oracle Java JRE SE had 66, and Adobe AIR suffered 56. Adobe Reader and Apple QuickTime also made the list with 43 and 29 vulnerabilities respectively.
As for Microsoft products, Windows 7 proved most vulnerable with 50. Internet Explorer had 41, and the .Net Framework had 14. Excel had 10, Visio Viewer had seven, Silverlight had five, Word had three, and Microsoft MSXML had one.
The report noted that Windows 7 saw a dramatic increase in vulnerabilities between 2010 and 2011, reaching 102. In 2012, it's back down to 2009 levels. Secunia says the increase was "a result of the work of one security researcher, who decided to dig into one specific component, win32k.sys. By doing so, he discovered 22 vulnerabilities in 2010 and 59 vulnerabilities in 2011 in the program, where in the year before -- 2009 -- only four had been discovered."
Most of the vulnerabilities detected in the top 50 most popular programs were rated either Highly Critical (78.8 percent) or Extremely Critical (5.3 percent), according to the report. Only eight of the top 50 were zero-day vulnerabilities, compared with 12 in 2010 and 14 in 2011. "These numbers are good news," the report says. "They indicate that researchers and software vendors are good at coordinating their efforts, discovering vulnerabilities, and issuing patches and workarounds for them before they are discovered by hackers."
While overall vulnerabilities have increased, the number of vendors and products has continually decreased as vendors buy one another up and merge products. "The amount of code developed to deliver the functionalities of the offerings, however, is the same -- and that is where the vulnerabilities reside," according to the report.
As to how bad guys exploit vulnerabilities, the vast majority -- 91 percent in all -- were carried out via a remote network. Just 7 percent of attacks were initiated directly on a user system, and 2 percent were launched on a local network.
Vendors are better at rolling out patches in a timely manner as well: 84 percent of vulnerabilities for the most popular programs had patches available on the day of disclosure in 2012, up from 72 percent in 2011. The report says that "the most likely explanation for this improvement in time-to-patch is that more researchers coordinate their vulnerability reports with vendors, which means that patches are available immediately."
"This means that it is possible to remediate the majority of vulnerabilities. There is no excuse for not patching. To take advantage of this improvement in patch availability, organizations must know which programs are present on their systems and which of these programs are insecure, and then take an intelligent and prioritized approach to remediating them," said Morten R. Stengaard, Secunia's director of product management.
This story, "Google, Mozilla, and Apple made the most vulnerable software of 2012," was originally published at InfoWorld.com.