Half of them are moderately criticalAccording to vulnerability research company Secunia, the number of vulnerabilities is expected to double in 2010 compared to last year. Apple leads in number of vulnerabilities, Mozilla has the fewest, while Adobe registered the steepest climb.
Secunia's half year report for 2010 (PDF) reveals that the number of vulnerabilities reported in the first six month of this year represents ninety percent of the one registered for the entire 2009. Based on this trend, the Danish vulnerability intelligence vendor estimates that by the end of the year, that number will almost double to reach 760 vulnerabilities.
The company data also reveals that since 2005 forward a group of ten vendors comprised of Apple, Oracle, Microsoft, HP, Adobe, IBM, VMware, Cisco, Google and Mozilla, have been responsible for almost 38% of the total number of vulnerabilities reported each time. The order in that enumeration is also the order determined by Secunia based on number of vulnerabilities.
Apple, which since 2007 has been on the number two position in this top, has overtaken Oracle for the first place sometime in mid-2009. The data since then shows that the company is still on a growing trend as far as the number of vulnerabilities found in its products is concerned. Surprisingly, despite the infusion of new software like MySQL or Java, that came from acquiring Sun, Oracle's overall number of bugs has been decreasing constantly from the start of 2009.
When it comes to surprising changes in positions, Adobe certainly fits the profile, registering the most abrupt rise in number of vulnerabilities from the ten vendors. The company jumped from the 7th place at the start of 2009 to the 5th at the time when this report was compiled. Mozilla is at the opposite end, having dropped four positions during the same period of time, from 6th to last.
As far as severity goes, the biggest percentage of vulnerabilities, over 40%, were moderately critical. Around 15% were highly critical, while 33% were less critical. When it comes down to impact, so far in 2010 the number of vulnerabilities that result in cross-site scripting conditions is equal to that of the ones that allow unauthorized system access.
And there's no doubt about it, hackers prefer vulnerabilities that can be exploited from remote locations, because this can allow for mass attacks. According to Secunia, over 80% of vulnerabilities discovered this year were remotely exploitable.
“The overall conclusion is that despite considerable security investments, the software industry at large still proves unable to produce software with substantially less vulnerabilities, highlighting the continued need for Vulnerability Intelligence and Patch Management,” Secunia's Founder and CEO Niels Henrik Rasmussen, said.
You can follow the editor on Twitter @lconstantin