Zero-day vulnerabilities on the rise, says Secunia

Hundreds of security holes uncovered in major vendors' IT infrastructure products

LAS VEGAS -- Fifteen zero-day vulnerabilities have been discovered so far in 2015, all of them in Adobe and Microsoft products, according to a report released by security firm Secunia on Thursday at Black Hat.

Secunia expects the total number of zero-day holes this year to exceed the 25 discovered in 2014.

Zero-day vulnerabilities are particularly dangerous for IT security folks because there is often a lag between when the vulnerability is discovered and when a patch is ready, leaving time for an attacker to exploit the hole.

Secunia discovered a total of 9,225 vulnerabilities, zero-day or otherwise, in the first half of 2015, and those were more severe on average than the 9,560 discovered over the same period in 2014.

Among mobile platforms, iOS surprisingly had far more vulnerabilities than Android, which is bad news for companies looking to iOS as a more secure mobile option. Secunia uncovered 80 vulnerabilities in iOS to Android's 10.

But it is not all good news for Android users. "The trouble with a vulnerability in Android OS is that Google, the vendor behind the operating system, has no control of its patch status on the majority of the devices that run it, because those devices are produced and maintained by third-party vendors," explained Kasper Lindgaard, director of research and security at Secunia.

"The 'Stagefright' vulnerabilities discovered by Zimperium, which were disclosed last week, are a perfect example of the problem: Google has acted quickly and issued a patch, but from there on it's up to phone vendors – Samsung, HTC, Sony, etc. – to push the patch live to the users. In comparison, Apple can issue patches and push updates directly to all devices running iOS – a much more controlled process," Lindgaard added.

Secunia also discovered hundreds of vulnerabilities in core IT infrastructure products made by IBM, Citrix, Hitachi, HP, Juniper, Oracle and VMware.

"While there is certainly 'repeat business' every month, the corporate environment contains a wide variety of products, used in all manner of business contexts, with code that is just as flawed as any other code. This means that what you patched to stay secure last month will do your security very little good next month. It is an extremely complicated task to keep your corporate environment fully patched at all times," Lindgaard cautioned.
