In its ‘Vulnerability Update’ report for August, September and October 2014, software security company Secunia calculated that software vulnerabilities in OpenSSL, Google Chrome and IBM products had grown by 40% compared with last year.
The company found 1,841 vulnerabilities in the 20 weakest programs, including critical flaws and attack vectors. Patches were available for many of these errors, but for many others they were not.
IBM is the vendor with the weakest products, appearing in the top 20 in August, September and October this year. This is, however, because it also ships other companies’ products, such as Java and OpenSSL. Google Chrome is the weakest browser as a product in its own right.
OpenSSL’s defects are also numerous by comparison, as the report puts it: ‘…and with the hype gone, less than 20 vendors took the time to disclose and patch some 50 products. 100 days in, the number of affected products is at 75. Consequently, not only are there products that are vulnerable and unpatched because of ‘OpenSSL Take 3’, but they are also undisclosed. And that is really bad!’
Secunia’s conclusion from the report on these three companies is that if a researcher finds a vulnerability, gives it a catchy name and some publicity, all companies hurry to investigate it and release a fix. Without publicity, on the other hand, issues stay hidden and unfixed, which says a great deal about companies’ overall commitment to security.
As proof, the company states that 100 vendors issued fixes for more than 600 products within 40 days of the Heartbleed bug being discovered. No more than 20 vendors released fixes for about 50 affected products a few months later when “OpenSSL#3” was found.