August 25, 2010

An alarming trend for end-user security

Secunia has just released the first Secunia Half Year Security Report 2010, where I elaborate on the evolution of the security threat posed by vulnerabilities, and provide projections for the 2010 vulnerability levels. With this report we continue to publish results from my research into the threats typical end-users face when surfing the Internet.

Earlier this year, in the RSA 2010 paper The Security Exposure of Software Portfolios, we discovered that overall 50% of the users are found to have more than 66 programs from more than 22 different vendors installed. To elaborate on this research I built a representative portfolio of the Top-50 most prevalent programs found on the average end-user PC, and examined the evolution and origin of the vulnerabilities affecting this portfolio since 2005.

We found an alarming trend:
In the two years from 2007 to 2009 the number of vulnerabilities affecting a typical end-user PC almost doubled to 420, and based on the data from the first six months of 2010 the number is expected to almost double again in 2010. In other words, during the first 6 months of 2010 Secunia published 380 vulnerabilities affecting the typical end-user PC, or 89% of the figure for the whole of 2009.
A breakdown of these vulnerabilities into contributions from (A) the Operating System, (B) Microsoft programs, and (C) 3rd party (non-Microsoft) programs reveals that this trend is almost exclusively due to vulnerabilities in 3rd party programs:

In 2009 a typical end-user PC with 50 programs had 3.5 times more vulnerabilities in the 24 3rd party programs installed than in the 26 Microsoft programs installed.

Considering the overall results of our research and findings, we expect an increase of this ratio to 4.4 for the year 2010.

It is safe to assume that a large part of the users, focusing primarily on updating their Microsoft OS and programs, succumb to the enormous task and complexity of frequently patching all their 3rd party programs. However, by neglecting the risk posed by ubiquitous 3rd party programs, users risk being compromised by cyber-criminals every day, despite the deployment of other security measures.

I hope this report contributes to raising awareness on the origin of the threats, and spurs further discussion on how to deal with the issue of 3rd party program risks.