Zero-day vulnerability count up by, er, zero in 2015
Mind the app, says Secunia as bug count remains stable
The number of zero-day vulnerabilities last year was the same as in 2014, according to a new study by vulnerability management outfit Secunia.
Last year Secunia Research at Flexera Software recorded a total of 16,081 vulnerabilities in 2,484 products from 263 vendors. The large majority (84 per cent) of vulnerabilities in all products had patches available on the day of disclosure.
That leaves 2,573 vulnerabilities that didn't have patches at the time the bug became known. Secunia counts one of these as a 0-day vulnerability only in those cases where an exploit is available. “It only counts as a 0-day when it has been exploited in the wild before the vulnerability became publicly known,” a spokesman explained.
A total of 25 zero-day vulnerabilities were discovered in 2015, the same number as the year before, according to Secunia’s count.
Secunia rated 13.3 per cent of the 16,081 vulnerabilities discovered in 2015 as "Highly Critical", and 0.5 per cent as "Extremely Critical".
Last year a total of 1,114 vulnerabilities were discovered in the five most popular browsers (Google Chrome, Mozilla Firefox, Internet Explorer, Opera and Safari), a small four per cent increase from 2014.
The split between vulnerabilities in Microsoft and non-Microsoft products in the 50 most popular applications on private Windows PCs came in at 21 per cent versus 79 per cent last year, repeating the long-term trend of third-party app vulnerabilities, rather than any software developed in Redmond, being the biggest single cause of security bugs on Windows PCs.
Vulnerabilities are the root cause of many security issues because they can be exploited as an entry point for hackers and malware-based attacks.
There are more details in Flexera/Secunia’s Vulnerability Review 2016 study here (registration required). ®