Kaspersky Lab has released the report “Evaluating the threat level of software vulnerabilities”, based on an analysis of the prevalence of security flaws found in various programs throughout 2012. Using data from the cloud-based Kaspersky Security Network, Kaspersky Lab experts detected over 132 million vulnerabilities on more than 11 million computers, an average of 12 vulnerabilities per user. In addition, over 800 unique vulnerabilities appeared in 2012 alone.
However, only eight of these vulnerabilities were found in the widely used exploit packs favoured by cybercriminals: five in Oracle Java, two in Adobe Flash Player and one in Adobe Reader. That is still more than enough of a “burglary tool” for attackers to steal private data from computers, conduct cyber-espionage against businesses, and sabotage critical industrial systems or government agencies.
As well as highlighting the most dangerous vulnerabilities, the Kaspersky Lab research also assesses how quickly users upgrade to newer versions of software once an update has been made available. This analysis revealed the disturbing fact that old, and even obsolete, versions of popular programs remain on a significant number of PCs for months and even years, posing great risks to users’ personal data and companies’ infrastructure.
In particular, research on users’ willingness to switch to newer, safer software versions revealed that six weeks after the release of the latest version of Java (September-October 2012), only 28.2% of users had switched to the safest version, leaving over 70% of systems vulnerable to Java exploits. An obsolete 2010 version of Adobe Flash Player that could easily be exploited was found on an average of 10.2% of computers, with almost no decline noted throughout 2012. A vulnerability discovered in Adobe Reader in December 2011 was still present on 13.5% of computers, again with no sign of decline.
Software vulnerabilities present a clear threat to both consumers and businesses. There are ways to mitigate these risks: using an anti-malware solution together with the most advanced protection technologies, such as Kaspersky Systems Management, which has integrated vulnerability assessment technology.
Kaspersky Systems Management scans workstations for vulnerabilities in the operating system and third-party applications, and checks the results against Kaspersky Lab’s own vulnerability database, the Secunia database and Microsoft Windows Update data services. Data about each vulnerability detected is then sent to the systems administrator, who can remotely schedule installation of the necessary updates on the vulnerable systems.
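The scan-then-compare step described above, and the adoption figures quoted earlier for Java, Flash Player and Reader, come down to the same operation: compare each host's installed version against the first fixed version from a vulnerability database, list what is still behind, and report the share of hosts that have caught up. The Python below is an added example written for this page; it is not Kaspersky Systems Management code, and neither the baseline versions nor the host inventory are data from the report (both are constructed placeholders). It also shows the classic pitfall in this check: as plain strings, "1.7.0_10" sorts before "1.7.0_9", so a naive string comparison would flag Java 7 Update 10 as older than Update 9.

```python
"""Fleet-wide check of installed software versions against a fix baseline.

Added example. The baseline table and the host inventory below are
constructed for illustration; they are not data from the Kaspersky report.
"""
import re

# Hypothetical "first safe version" per product. In a real deployment this
# table is fed from a vulnerability database (the text mentions Kaspersky's
# own, Secunia's and Windows Update); the values here are placeholders.
BASELINE = {
    "Oracle Java": "1.7.0_09",
    "Adobe Flash Player": "11.5.502.110",
    "Adobe Reader": "10.1.4",
}

# Constructed inventory: one record per (host, product). Version strings are
# chosen to exercise the comparison corner cases, not taken from real hosts.
INVENTORY = [
    {"host": "ws-01", "product": "Oracle Java", "version": "1.7.0_10"},
    {"host": "ws-02", "product": "Oracle Java", "version": "1.7.0_09"},
    {"host": "ws-03", "product": "Oracle Java", "version": "1.7.0_7"},
    {"host": "ws-04", "product": "Oracle Java", "version": "1.6.0_37"},
    {"host": "ws-01", "product": "Adobe Flash Player", "version": "11.5.502.110"},
    {"host": "ws-02", "product": "Adobe Flash Player", "version": "10.1.82.76"},
    {"host": "ws-03", "product": "Adobe Flash Player", "version": "11.4.402.287"},
    {"host": "ws-01", "product": "Adobe Reader", "version": "10.1.4"},
    {"host": "ws-02", "product": "Adobe Reader", "version": "9.5.2"},
    {"host": "ws-04", "product": "Adobe Reader", "version": "11.0.1"},
]


def parse_version(s):
    """Split a version string into a tuple of ints so that comparison is
    numeric per component. Handles dotted versions ("10.1.82.76") and Java's
    update suffix ("1.7.0_09"); '.', '_' and '-' are all treated as
    separators, non-numeric parts are ignored and trailing zeros are dropped
    so that "10.1" and "10.1.0" compare equal."""
    parts = [int(p) for p in re.split(r"[._-]", s) if p.isdigit()]
    while parts and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def is_outdated(product, version, baseline=BASELINE):
    """True when the installed version is older than the product's baseline.
    Products absent from the baseline are not judged (returns False)."""
    required = baseline.get(product)
    if required is None:
        return False
    return parse_version(version) < parse_version(required)


def assess(inventory, baseline=BASELINE):
    """One finding per outdated installation, in the form an administrator
    needs to schedule an update: host, product, installed and required."""
    return [
        {"host": r["host"], "product": r["product"],
         "installed": r["version"], "required": baseline[r["product"]]}
        for r in inventory
        if is_outdated(r["product"], r["version"], baseline)
    ]


def adoption_rate(inventory, product, baseline=BASELINE):
    """Share of hosts running the product that are at or above the baseline,
    the kind of figure the report quotes (28.2% of Java users on the current
    version six weeks after release). None if the product is not installed."""
    hosts = [r for r in inventory if r["product"] == product]
    if not hosts:
        return None
    current = sum(1 for r in hosts if not is_outdated(product, r["version"], baseline))
    return current / len(hosts)


if __name__ == "__main__":
    # The pitfall: string order says 7u10 < 7u9; numeric order says otherwise.
    assert "1.7.0_10" < "1.7.0_9"
    assert parse_version("1.7.0_10") > parse_version("1.7.0_9")

    for f in assess(INVENTORY):
        print(f"{f['host']:6} {f['product']:20} {f['installed']:>14} -> {f['required']}")
    for product in BASELINE:
        print(f"{product}: {adoption_rate(INVENTORY, product):.1%} of hosts at or above baseline")
```

Running the script lists five outdated installations across the four constructed hosts and reports that only half of the Java installations, a third of the Flash Player installations and two thirds of the Reader installations are at the baseline. The point of `parse_version` dropping trailing zeros and splitting on `_` is that vendor version strings are not uniform; a checker that compares them lexically, or that treats "10.1" and "10.1.0" as different, will either miss vulnerable hosts or page the administrator about hosts that are already fixed.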
“What this research reveals is that releasing a fix for a security loophole shortly after discovery is not enough to make users and businesses secure. Inefficient update mechanisms have left millions of users of Java, Adobe Flash and Adobe Reader at risk. This, along with the whole series of critical vulnerabilities found in Java in 2012 and early 2013, highlights the need for the most up-to-date protection methods. Companies should take this problem very seriously, as security flaws in popular software have become the principal gateways for a successful targeted attack,” said Vyacheslav Zakorzhevsky, Vulnerability Research Expert at Kaspersky Lab.