Kaspersky Lab has released its report “Evaluating the threat level of software vulnerabilities” following analysis of the prevalence of security flaws found in various programs throughout 2012. Using data from the cloud-based Kaspersky Security Network, Kaspersky Lab examined the threat posed by software vulnerabilities. The findings of the research revealed that users of older and particularly dangerous editions of Oracle Java, Adobe Flash Player and Adobe Reader are highly reluctant to move to newer and safer versions.
The research found that Adobe Shockwave and Flash Player, Apple iTunes/QuickTime and Oracle Java were the software packages with the highest number of frequently found vulnerabilities.
In addition to highlighting the most dangerous vulnerabilities, the research also assessed how readily users upgraded to a newer version of a program once that update became available. Worryingly, the report found that old, and in some cases obsolete, versions of popular programs remain on a significant number of PCs for months and even years.
Old software users reluctant to switch to new software
“Software vulnerabilities present a clear and obvious threat to both consumers and businesses,” the report states. These vulnerabilities are used as a key “burglary tool” to steal private data from users, carry out cyber-espionage against businesses and sabotage critical industrial systems or government agencies.
“There are different ways to mitigate such risks: from software developers’ efforts to release updates on time and enhance the overall security of their products, to the most advanced protection technologies, such as Kaspersky Lab’s Automatic Exploit Prevention,” the report adds.
Through the report, Kaspersky set out to understand the real threat posed by software vulnerabilities and to study how users react when a new version of a program is released to fix dangerous security flaws. While the analysis focused mainly on the most dangerous flaws, those known to be actively exploited by cybercriminals, the total number of vulnerabilities discovered in 2012 was an alarming 800 plus. Some of them, even though rarely found on users’ PCs, can serve as the entry point for a targeted attack.
In the course of the research, Kaspersky analysed data from more than 11 million users and recorded over 132 million vulnerabilities in various programs, an average of 12 vulnerabilities per user. In total, more than 800 distinct vulnerabilities were discovered, of which just 37 were found on at least 10 percent of computers during at least one week of 2012. These 37 vulnerabilities account for 70 percent of all detected software flaws.
Only eight of those 37 vulnerabilities appear in the widespread exploit packs used by cybercriminals:
- Five vulnerabilities in Oracle Java
- Two vulnerabilities in Adobe Flash Player
- One vulnerability in Adobe Reader
On users’ willingness to switch to newer, safer software versions, the report found that six weeks after the latest version of Java appeared (September-October 2012), only 28.2 percent of users had switched to the safest version, leaving over 70 percent of systems vulnerable to Java exploits.
An obsolete 2010 version of Adobe Flash Player that could easily be exploited was found on an average of 10.2 percent of computers, with almost no decline observed throughout 2012. A vulnerability discovered in Adobe Reader in December 2011 was found on 13.5 percent of computers, again with no sign of decline.
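The two measurements the report relies on, the share of machines running a vulnerable version in a given week (with the "at least 10 percent in at least one week" cut-off used to call a flaw widespread) and the share of a product's users who have moved to the fixed version a set time after its release, are straightforward to reproduce over your own fleet's software inventory. The script below is an added example, not code or data from the Kaspersky report: the hosts, products, version strings and the "vulnerable version" table are all constructed placeholders, and it assumes prevalence is measured against every host that reported inventory that week while adoption is measured only among hosts that actually run the product.

```python
"""Fleet-wide prevalence of vulnerable software versions from weekly inventory data.

Added example, not taken from the Kaspersky report. The method mirrors the
report's rules (a flaw is "widespread" when seen on at least 10% of machines in
at least one week; adoption is the share of a product's users on the fixed
version), but every host, product and version string below is constructed.
"""
from collections import defaultdict

# Hypothetical table: product -> versions known to carry an exploited, unpatched
# flaw. Version strings are invented for this example.
VULNERABLE = {
    "java": {"6u31", "7u7"},
    "flash": {"10.1"},
    "reader": {"9.4"},
    "shockwave": {"11.0"},
}

# Constructed weekly telemetry rows: (week, host, product, installed_version).
TELEMETRY = [
    (1, "h1", "java", "6u31"), (1, "h2", "java", "6u31"), (1, "h3", "java", "7u7"),
    (1, "h4", "java", "7u7"), (1, "h5", "java", "7u9"),
    (1, "h1", "flash", "10.1"), (1, "h2", "flash", "11.5"), (1, "h3", "flash", "11.5"),
    (1, "h5", "reader", "9.4"), (1, "h2", "shockwave", "11.6"),
    (2, "h1", "java", "7u9"), (2, "h2", "java", "6u31"), (2, "h3", "java", "7u7"),
    (2, "h4", "java", "7u9"), (2, "h5", "java", "7u9"),
    (2, "h1", "flash", "10.1"), (2, "h2", "flash", "11.5"), (2, "h3", "flash", "11.5"),
    (2, "h5", "reader", "9.4"), (2, "h2", "shockwave", "11.6"),
    (3, "h1", "java", "7u9"), (3, "h2", "java", "6u31"), (3, "h3", "java", "7u9"),
    (3, "h4", "java", "7u9"), (3, "h5", "java", "7u9"),
    (3, "h1", "flash", "10.1"), (3, "h2", "flash", "11.5"), (3, "h3", "flash", "11.5"),
    (3, "h5", "reader", "10.1"), (3, "h2", "shockwave", "11.6"),
]


def hosts_per_week(telemetry):
    """Distinct hosts that reported anything in each week (the prevalence denominator)."""
    seen = defaultdict(set)
    for week, host, _, _ in telemetry:
        seen[week].add(host)
    return seen


def prevalence(telemetry, vulnerable=VULNERABLE):
    """Fraction of all reporting hosts running a vulnerable version, per product and week.

    A host that does not have the product installed counts as not vulnerable,
    which is the "percent of computers" reading of the report's figures.
    """
    seen = hosts_per_week(telemetry)
    vuln_hosts = defaultdict(lambda: defaultdict(set))  # product -> week -> hosts
    for week, host, product, version in telemetry:
        if version in vulnerable.get(product, ()):
            vuln_hosts[product][week].add(host)
    return {
        product: {week: len(vuln_hosts[product][week]) / len(seen[week]) for week in sorted(seen)}
        for product in vulnerable
    }


def widespread(prev, threshold=0.10):
    """Products whose vulnerable versions reached `threshold` in at least one week."""
    return sorted(p for p, series in prev.items() if max(series.values()) >= threshold)


def no_decline(series, tolerance=0.01):
    """True when last-week prevalence is not below first-week prevalence (within tolerance)."""
    weeks = sorted(series)
    return series[weeks[-1]] >= series[weeks[0]] - tolerance


def adoption_rate(telemetry, product, fixed_version, week):
    """Share of hosts running `product` in `week` that are already on `fixed_version`."""
    running = {h for w, h, p, _ in telemetry if w == week and p == product}
    fixed = {h for w, h, p, v in telemetry if w == week and p == product and v == fixed_version}
    return len(fixed) / len(running) if running else 0.0


if __name__ == "__main__":
    prev = prevalence(TELEMETRY)
    for product, series in prev.items():
        flat = " (no decline)" if no_decline(series) else ""
        print(f"{product:10s} " + " ".join(f"wk{w}={v:.0%}" for w, v in series.items()) + flat)
    print("widespread:", widespread(prev))
    for week in sorted(hosts_per_week(TELEMETRY)):
        print(f"java 7u9 adoption, week {week}: {adoption_rate(TELEMETRY, 'java', '7u9', week):.0%}")
```

In the constructed data, Java's vulnerable share falls from 80 percent to 20 percent as hosts move to the fixed version, while Flash stays flat at 20 percent, so `no_decline` flags it the way the report flags the 2010 Flash Player build; Shockwave never appears in a vulnerable version and is therefore excluded from `widespread`. On a real fleet the `VULNERABLE` table would be populated from your vulnerability feed and the telemetry from your inventory or endpoint agent.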
Vyacheslav Zakorzhevsky, Vulnerability Research Expert, Kaspersky Lab, said, “What this research reveals is that releasing a fix for a security loophole shortly after discovery is not enough to make users and businesses secure. Inefficient update mechanisms have left millions of users of Java, Adobe Flash and Adobe Reader at risk. This, along with the whole series of critical vulnerabilities found in Java in 2012 and early 2013, highlights the need for the most up-to-date protection methods. Companies should take this problem very seriously, as security flaws in popular software have become the principal gateways for a successful targeted attack.”