HPI: Number of Serious Software Vulnerabilities Has Increased in 2015

Potsdam. In 2015 fewer software security vulnerabilities were reported worldwide than in the previous year, but at the same time the number of published vulnerabilities with a high level of severity increased. According to an analysis performed by the German Hasso Plattner Institute (HPI), in the last twelve months alone at least 5,350 reports of software vulnerabilities were registered or updated. In 2014 about 7,200 such vulnerabilities were reported. The computer scientists’ overview shows that, compared with the previous year, there were more vulnerabilities with a high level of severity (about 2,000 compared with almost 1,800). There were markedly fewer reports of medium-severity vulnerabilities: about 2,800 were registered in 2015, compared with around 4,800 in 2014. There was little change in the amount of information on software vulnerabilities with minor impact.

At the same time, the HPI database for IT attack analysis (hpi-vdb.de) registered approximately 7,000 new software products and 400 new manufacturers in the course of 2015. More than 73,100 pieces of information on vulnerabilities are stored, which report on nearly 180,000 affected software programs from at least 15,500 manufacturers.

“Computer users need to remain vigilant in regard to the security situation surrounding software,” said HPI director Prof. Christoph Meinel. Every possibility should be used to update operating systems, Internet browsers, and other software applications in order to eliminate vulnerabilities, the Potsdam computer scientist said.

In the HPI database, the essential and freely available information published in the Internet on software vulnerabilities and problems is integrated and combined. The classification of vulnerabilities by criticality is based on the free, open, and heavily used industry standard CVSS (Common Vulnerability Scoring System). “We are not able to make statements about how many unknown, or as yet undiscovered vulnerabilities are hidden in a software,” said institute director Meinel.

He pointed out that all Internet users can check their browser free of charge at the website hpi-vdb.de. Using this self-diagnosis, users can check their browser for detectable vulnerabilities, which cyber criminals often exploit to carry out attacks. The HPI system detects the browser version in use, including common plugins, and displays a list of known vulnerabilities. Software for displaying web content is the software most frequently targeted by hackers: the user moves through the Internet with a browser and consequently provides a starting point for attacks. HPI plans to expand the self-diagnosis service to other installed software.
