2014 was the year of the breach. Ensuring software was up to date became a core focus for companies in 2015 as the IT industry returned to basics to reduce the attack surface across their environments. The vendors they rely on seem to be only reacting, if CVE-Details statistics are any indication.
No. 1 goes to Apple, who finished 2015 with 654 vulnerabilities. Mac OS X contributed 384 of those vulnerabilities (placing it at No. 1 for vulnerabilities by product), which tripled the 2014 count of 130 vulnerabilities and moved them from No. 5 in 2014 to No. 1. Mac OS X is gaining in popularity, but so is OS X-related malware. The recent attention has Apple delving into parts of its OS that have not received much attention until now. The Safari browser (No. 19 in vulnerabilities by product) is another significant contributor to this count with 135 CVEs resolved in 2015.
No. 2 goes to Microsoft, who has long held the OS market and has built out browsers, media players and the Office suite of products. Similar to Apple, the increase in CVEs is, in part, due to the fact that the company is focused on hardening shared components and products that previously were not being targeted. Microsoft finished 2015 with 135 security bulletins released and a total of 571 vulnerabilities resolved. This is the highest bulletin and vulnerability count ever released by Microsoft. Internet Explorer contributed 231 vulnerabilities, placing it in the No. 4 spot for vulnerabilities by product last year. Microsoft systems contributed around 150 distinct vulnerabilities and Office had 40 additional vulnerabilities.
Cisco came in third last year with a new all-time high of 480 vulnerabilities resolved. This tops its previous 2013 high by only around 50 vulnerabilities. Cisco did have an influx of CVEs resolved last year and a new all-time high, but the increase was not nearly as large as Apple’s, Microsoft’s or Adobe’s. Cisco’s proprietary OS and a huge list of products are the likely contributing factors that put it in the No. 3 spot.
Oracle is in the No. 4 spot, reporting 479 vulnerabilities. It is actually trending down from its record 496 CVEs in 2013 and is the only vendor in the top five that didn’t set a new record in 2015. Java has been a high-profile target due to its popularity and availability worldwide, but more importantly because companies neglect to update Java since doing so could break proprietary applications. For many years there were so many Zero-Days on Java that a site was created to track how many days had passed since the last Java Zero-Day. Oracle went through some changes in the past few years and its security practice seems to be paying off. It reached 723 days without a Zero-Day until CVE-2015-2590 hit earlier last year and its total CVE count (80) is trending down from the 2013 peak of 180 CVEs resolved.
Adobe finished the year in fifth place (up from No. 8) with 440 vulnerabilities resolved. This is a new all-time high and more than double the 2010 record of 207 vulnerabilities. Adobe had the most significant increase for the top five vendors, with more than three times the increase in CVEs resolved. Nearly 300 of those vulnerabilities resolved were in Adobe Flash Player (No. 3 on the top 50 vulnerable products list). Adobe Flash Player has gained the same popularity that caused Java to become a target. Last year Adobe faced a staggering eight Zero-Day vulnerabilities. Early in the year three Zero-Days were reported in a two-week span. The Hacking Team breach uncovered a few more mid-year and it did not stop there.
Though not in the top five, Google and Mozilla were in the top 10, and the majority of their vulnerabilities were from the browsers themselves. Google Chrome, with 185 of Google’s total 321 CVEs, falls in at No. 8 for products and puts Google at No. 6 on the vendors list. Mozilla Firefox, with 177 of Mozilla’s 188 CVEs, falls in at No. 9 for products and puts Mozilla at No. 8 on the vendors list.
Threat actors are better organised, better funded and have more tools than ever before. Exploit kits are a competitive product in today’s dark web hacking services markets and the number of products and increase in features they provide coincide with the drastic increase in breaches we have seen since 2012.
The exploit gap is also shrinking. According to the Verizon 2015 Breach Report, 50 per cent of vulnerabilities that will be exploited are exploited within two to four weeks of the release of an update from the vendor. Though quick turnaround is key, one of the contributors to the Verizon Breach Report, Kenna Security, released an additional report discussing how many enterprises struggle to release updates within 120 days. In fact, 99.9 per cent of vulnerabilities exploited in 2014 were exploited more than a year after an update was made available to resolve them.