Your app may be compromised: vulnerabilities rise in 2014

Secunia has announced that it discovered 15,435 vulnerabilities across 3,870 applications in 2014.

The figure represents an 18 percent increase in vulnerabilities compared to the previous year, and a 55 percent increase in the last five years.

11 percent of the vulnerabilities discovered in 2014 were rated as ‘Highly Critical’, and 0.3 percent as ‘Extremely Critical’.

The vulnerabilities were found across applications published by 500 different vendors. The five most popular browsers, Google Chrome, Mozilla Firefox, Internet Explorer, Opera and Safari, showed a 42 percent increase in vulnerabilities from 2013.

The Top 50 most popular applications showed a worrying trend, with 1,348 vulnerabilities being discovered in 2014, with 64.9 percent rated as ‘Highly critical’ and 9.7 percent as ‘Extremely critical’.

Meanwhile 25 zero-day vulnerabilities were revealed in 2014, compared to 14 the year before. 20 of these were found in the 25 most popular products.

Kasper Lindgaard, Director of Research and Security at Secunia, commented: "Every year, we see an increase in the number of vulnerabilities discovered, emphasizing the need for organisations to stay on top of their environment.

"IT teams need to have complete visibility of the applications that are in use, and they need firm policies and procedures in place, in order to deal with the vulnerabilities as they are disclosed."

Encouragingly, the report revealed that 83 percent of applications that were known to security teams had a security patch available on the day the vulnerability was disclosed to the public. This represents a significant improvement since 2009, when the equivalent figure was 49.9 percent.

Lindgaard added: "But numbers also show that while an impressive 83 percent of vulnerabilities have a patch available on the day of disclosure, the number is virtually unchanged when we look 30 days ahead. 30 days on, just 84.3% have a patch available which essentially means that if it isn’t patched on the day of disclosure, chances are the vendor isn’t prioritising the issue.

"That means you need to move to plan B, and apply alternative fixes to mitigate the risk.