Zero-day vulnerabilities on the rise in 2015

Danish security company Secunia is using the Black Hat conference to reveal an early look at the vulnerability trends to date for 2015.

One of the main findings is that 15 zero-day vulnerabilities have been discovered so far in 2015, making it likely that the total for the year will exceed the 25 discovered in 2014. The 2015 zero-days were all discovered in popular Adobe and Microsoft products widely in use across both personal and professional IT systems.

"The increasing number of zero-days is not a surprise," says Kasper Lindgaard, Director of Research and Security at Secunia. "It would be more of a concern if the number dropped, because that would mean that the zero-days we can be sure are out there were going undetected - after all, Hacking Team, the Italian company reported to be selling a product utilising bought zero-days to governments and corporations, is not the only company of its kind out there".

The total number of vulnerabilities discovered from 1 January to 31 July, at 9,225, is on a par with the 9,560 discovered over the same period last year. However, Secunia's preliminary findings do indicate a shift in how critical they are. A slightly higher share of the vulnerabilities discovered are rated as 'extremely critical' (from 0.3 per cent to 0.5 per cent) and 'highly critical' (from 11.1 per cent to 12.7 per cent), while there is a drop in the 'moderately critical' category (from 28.2 per cent to 23.7 per cent).

The company has also looked at vulnerabilities for mobile operating systems and discovered around 80 vulnerabilities in iOS, and approximately 10 in Android. Lindgaard says, "The fact that fewer vulnerabilities are discovered in Android should under no circumstances be misinterpreted to imply that Android OS is more secure than iOS. The trouble with a vulnerability in Android OS is that Google, the vendor behind the operating system, has no control of its patch status on the majority of the devices that run it, because those devices are produced and maintained by third-party vendors.

"The 'Stagefright' vulnerabilities discovered by Zimperium, which were disclosed last week, are a perfect example of the problem: Google has acted quickly and issued a patch, but from there on it's up to phone vendors - Samsung, HTC, Sony, etc. - to push the patch live to the users. In comparison, Apple can issue patches and push updates directly to all devices running iOS - a much more controlled process".

Secunia also points out that since Heartbleed brought OpenSSL vulnerabilities to public notice there have been five distinct waves of OpenSSL vulnerabilities.

Lindgaard points out that "Because OpenSSL comes bundled in many third-party products, customers are not necessarily aware that they have it in their inventory, and so cannot take appropriate action".
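The inventory gap Lindgaard describes is usually closed by looking for the version banner that OpenSSL stamps into libssl, libcrypto and any statically linked product binary. The script below is an added illustration, not Secunia's tooling or code from the report: it walks a directory tree, extracts every embedded "OpenSSL x.y.z" banner, and flags the Heartbleed-affected builds (1.0.1 up to and including 1.0.1f) so they can be prioritised. The banner regex, file names and sample binaries are assumptions constructed for the demo.

```python
from __future__ import annotations
import re
from pathlib import Path

# OpenSSL stamps a banner such as b"OpenSSL 1.0.1f 6 Jan 2014" into its libraries and
# into any binary that links it statically. The pattern is an assumption about that
# layout, kept loose enough to accept "-fips" builds and variable spacing.
BANNER_RE = re.compile(rb"OpenSSL (\d+\.\d+\.\d+[a-z]?)(?:-fips)?[ \t]+\d{1,2} \w{3} \d{4}")

def is_heartbleed_affected(version: str) -> bool:
    """True for the publicly documented Heartbleed range: 1.0.1 through 1.0.1f."""
    m = re.fullmatch(r"1\.0\.1([a-z]?)", version)
    return bool(m) and m.group(1) <= "f"

def versions_in_blob(blob: bytes) -> list[str]:
    """Distinct OpenSSL versions whose banner appears anywhere in the bytes."""
    return sorted({m.group(1).decode() for m in BANNER_RE.finditer(blob)})

def inventory(root: Path) -> dict[str, list[str]]:
    """Map each regular file under root that embeds an OpenSSL banner to its versions."""
    found: dict[str, list[str]] = {}
    for path in root.rglob("*"):
        if path.is_file() and not path.is_symlink():
            try:
                versions = versions_in_blob(path.read_bytes())
            except OSError:
                continue  # unreadable file: skip rather than abort the whole scan
            if versions:
                found[str(path)] = versions
    return found

def report(found: dict[str, list[str]]) -> list[str]:
    """One line per finding; Heartbleed-era builds are marked for priority patching."""
    lines = []
    for path, versions in sorted(found.items()):
        for v in versions:
            flag = "  <-- Heartbleed-affected build" if is_heartbleed_affected(v) else ""
            lines.append(f"{path}: OpenSSL {v}{flag}")
    return lines

if __name__ == "__main__":
    # Constructed sample: fake vendor binaries with embedded banners in a temp dir.
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "vendor_agent.bin").write_bytes(b"\x7fELF\x00\x00OpenSSL 1.0.1f 6 Jan 2014\x00junk")
        (root / "lib").mkdir()
        (root / "lib" / "libcrypto.so").write_bytes(b"\x00OpenSSL 1.0.2d-fips 9 Jul 2015\x00")
        (root / "notes.txt").write_bytes(b"no banner here")
        print("\n".join(report(inventory(root))))
```

Point it at an application's install directory rather than the system library path to catch the bundled copies that package managers never see.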

You can find more information about the company's findings on the Secunia website.

Image credit: fotogestoeber / Shutterstock