A new report from IBM’s X-Force security research unit suggests that even as more security flaws are being reported in software, vendors appear to be fixing fewer of them.
The X-Force report found that while vulnerability disclosures are up, the percentage of known security flaws that haven’t been fixed by software vendors has also risen. And IBM doesn’t shy away from naming names, with some well-known software makers at the top of the list of vendors who haven’t patched known vulnerabilities. eSecurity Planet takes a look at the worrying implications for enterprise IT managers and end users.
“Over half, 55 percent, of all these disclosed vulnerabilities had no vendor-supplied patch at the end of the period,” the report said. That’s compared to 52 percent of known vulnerabilities lacking a vendor-supplied patch by the middle of 2009.
In particular, IBM said Sun Microsystems (now owned by Oracle), Microsoft and Firefox browser vendor Mozilla were among the top software vendors that had not released patches to fix known vulnerabilities.