Sun is the king of unpatched software vulnerabilities followed closely by Microsoft and Mozilla, according to the mid-year security report by IBM's X-Force.
Industry wide, on average 55 percent of software vulnerabilities that were disclosed by vendors went unpatched by those vendors, the IBM study says. That number crept up from last year's average of 52 percent.
The study lists the 10 vendors with the most disclosed vulnerabilities in the first half of 2010 and ranks them according to what percentage they leave unpatched. The ranking and the percentages are: Sun, 24 percent; Microsoft, 23.2 percent; Mozilla, 21.3 percent; Apple, 12.9 percent; IBM, 10.3 percent; Google, 8.6 percent; Linux, 8.2 percent; Oracle, 6.8 percent; Cisco, 6 percent; Adobe, 2.9 percent.
But the unpatched percentage for those companies that disclosed the most vulnerabilities seems to have spiked. Last year Microsoft was No. 1 in the percentage of unpatched vulnerabilities at 15.8 percent for the whole year. This year's leader so far, Sun, weighs in at 24 percent for the first half, the report says.
The report notes that numbers for the entire 2010 calendar year may result in a smaller increase. "Time will tell," it says. Web application vulnerabilities account for more than half of all vulnerabilities, the report says.
Challenges facing vendors have also increased, making patching more difficult. They are dealing with a 36 percent increase in the number of vulnerabilities vs. those reported for the first half of 2009, the report says. That's a jump from 12,211 to 16,607 vulnerabilities.
Perhaps more worrisome is that the number of actual exploits has been increasing each year and the jump from 2009 to 2010 is trending toward being about 60 percent this year, the study says.
The report also says that as of June, spam is at an all time high, although it didn't quantify that. Phishing is relatively low on a par with last year but is poised to take an enormous spike in August, September and October if it follows trends established in 2008 an 2009.
In an update on Conficker, IBM says that an update allows the botnet code to update based on encrypted peer-to-peer connections, making it impossible to block domains as a means to block updates. The new variant called Conficker.C lacked propagation code, so it could not be further spread by machines that became infected, IBM says.
Read more about wide area networks in Network World's Wide Area Network section.
This story, "Sun, Microsoft, and Mozilla leave the most vulnerabilities unpatched" was originally published by Network World.