Significant flaws in Microsoft operating systems and programs are becoming a smaller portion of all vulnerabilities. Secunia reports that 86 percent of active vulnerabilities in 2012 affected third-party products such as Java, Flash and Adobe Reader. In 2007, third-party vulnerabilities made up less than 60 percent of the total.
On the plus side, the dangerous window between discovery of a vulnerability and creation of a patch is getting smaller. Secunia reports same-day patch availability for 80 percent of these threats in 2012, up from a bit over 60 percent in 2007.
It is not surprising to learn that the total number of known vulnerabilities continues to grow year after year, or that most rely on a remote network attack to penetrate vulnerable networks.
The 2013 review reports on vulnerabilities in SCADA (Supervisory Control And Data Acquisition) systems. These systems control factories, power plants, nuclear reactors, and other highly significant industrial installations. The infamous Stuxnet worm destroyed uranium enrichment centrifuges in Iran by taking over their SCADA controllers.
According to Secunia, "SCADA software today is at the stage mainstream software was 10 years ago... Many vulnerabilities remain unpatched for longer than one month in SCADA software." A time-to-patch chart of representative SCADA vulnerabilities reveals that several in the high risk category remained unpatched for over 90 days.
In theory, SCADA systems should be less vulnerable because they're not connected to the Internet. In practice, that's not always the case, and even a local network connection could be compromised by attackers. A total "air gap," with no network connection whatsoever, didn't protect the centrifuges that Stuxnet targeted. They fell victim to infected USB drives unknowingly inserted by technicians. Clearly, SCADA software vendors have some work to do as far as maintaining security and pushing out patches.
Hackers Go for the Zero-Day Gold
A zero-day vulnerability is one that's just been discovered, a vulnerability for which no patch exists. Secunia's report includes an informative chart showing the number of zero-days found each year in the top 25 most popular programs, and in the top 50, 100, 200, and 400. The overall numbers differ year over year, peaking in 2011 with 15 zero-days.
What's more interesting is that within a given year, the numbers hardly change as the pool of potentially compromised programs grows. Almost all of the zero-days affect the most popular programs. That actually makes a lot of sense. Discovering a program flaw that nobody else has ever found requires a lot of research and hard work, so it is only logical for hackers to concentrate on the most widely distributed programs. An exploit that takes total control over the victim's system isn't worth a lot if only one system in a million has the vulnerable program installed.