Three quarters of Windows security vulnerabilities in 2013 were connected to non-Microsoft programs that often lack adequate patching mechanisms, an analysis by security firm Secunia has found.
Using figures drawn from the firm’s popular Personal Software Inspector (PSI) tool, the average PC has around 75 programs installed on it, about 39 percent of which are from Microsoft.
Narrowing this down to the top 50 most popular, Microsoft’s share rises to 66 percent, leaving a large number of sometimes small vendors supplying the remaining 34 percent. This third accounted for 75.7 percent of 2013’s security vulnerabilities, actually a decrease compared to 2012 when it was 86 percent.
This means that the bulk of the patching work is spread across a multitude of small vendors rather than Microsoft alone. In Secunia’s view, this represents a major structural issue with patching, although you could also argue that it is an inherent weakness with the traditional PC as a platform for every conceivable type of software.
“Quite simply, the automation with which Microsoft security updates are made available to end users – through auto-updates, Configuration Management systems and update services ensures that it is a reasonably simple task to protect private PCs and corporate infrastructures from the vulnerabilities discovered in Microsoft products,” said Secunia CTO, Morten R. Stengaard.
“This is not so with the large number of third-party vendors, many of whom lack either the capabilities, resources or security focus to make security updates automatically and easily available,” he said.
Microsoft actually reported more vulnerabilities in 2013, up from 8.4 percent to 15.9 percent since 2012, overwhelmingly in Windows 7 and XP. Windows 8 also reported a relatively vulnerability count but this was mostly explained by flaws in the Adobe Flash plug-in inside in Internet Explorer.
Patching in the top 50 is a strong point with 86.1 percent having a patch available on the day an issue was disclosed; how long systems take to apply this patch if, of course, another matter.
The good level of patch availability is probably explained by better coordination of vulnerability disclosures, Secunia said.
As to zero day vulnerabilities, their prevalence in the top 50 programs has remained at a surprisingly low level since 2005, offering up between 6 and 13 since then. The number when measured against all software was 14 in 2013, down from a peak of 26 in 2011.