85% of commercial software apps have ‘critical’ vulnerabilities, study finds

Nearly every enterprise taps commercial software to run day-to-day operations, from meeting and file-sharing to email and messaging applications. But what’s inside those apps — and how secure they really are — isn’t always clear. A new report from Osterman Research finds that concerning vulnerabilities are prevalent across common software products, resulting from the inclusion of open source components that frequently go unnoticed or undisclosed.

According to the investigation, 100% of commercial off-the-shelf applications tested contained open source components with security vulnerabilities. What’s worse, at least 85% had at least one vulnerability the firm considered “critical.” Many such vulnerabilities are known, according to the report, but the lack of awareness around their use in commercially available software “increases the security risk, attack surface, and potential for compromise by cybercriminals.”

Michael Sampson, senior analyst for Osterman Research, told VentureBeat he was surprised to discover how common it is for commercial software to include vulnerabilities that rank as high or critical on the scoring system used in the research. “It’s alarming that vendors would intentionally release code that exposes their customers to compromise,” he said.

Meeting and email apps are most vulnerable 

The research was focused on five software categories: web browsers, email, messaging, file-sharing, and online meeting clients. GrammaTech sponsored the study, and Osterman tapped its CodeSentry product to look for the presence of open source components in the binary packaging of widely used software applications. The report doesn’t describe how vulnerable specific software products are, but rather dives into the security of open source components and the categories as a whole.

Overall, the research revealed that meeting and email clients are the most vulnerable. The meetings category as a whole had the highest weight value of vulnerabilities, which is a particular cause for concern since video conferencing tools remain a primary way to connect as the pandemic continues to impact the world. The finding also follows recent news around Zoom, which has almost 60 open source components in its platform and just agreed to pay $85 million to settle a lawsuit over user privacy and hackers “Zoombombing.”

In the email category — as well as the messaging category — every application tested contained at least one open source component with a critical vulnerability that scored a 10 in the study, which represents the highest level of vulnerability. Even the report acknowledges that this specific number doesn’t hold much weight, but only because of the “near-ubiquitous usage of open source components that contain a critical vulnerability.” The report continues: “This does not change the fact, however, that all applications analyzed present serious risk to an organization due to the widespread presence of critical vulnerabilities.”

Look out for Firefox components 

One of the most glaring findings in the report concerns not just which applications are vulnerable, but which open source components are to blame. According to the research, two versions of the Firefox open source component (not the browser itself) contributed 75.8% of the critical vulnerabilities discovered. Sampson said these two components make a “significant contribution to the overall vulnerability heat.”

For comparison purposes, the frequency weighting for the Firefox open source components was 75.8 while OpenSSL, which ranked second in terms of responsibility for vulnerabilities, had a frequency weighting of only 9.6.

The good news, Sampson said, is that newer versions of the Firefox component featured fewer vulnerabilities. To reduce the compromise exposure they’re creating for customers, he said, any vendor relying on that component should update its code to newer and less vulnerable versions of the Firefox component.

Enterprises obviously don’t have control over what’s under the hood. But awareness and the ability to assess software for vulnerabilities are good first steps toward protecting themselves, according to Sampson. He also recommends enterprises reject applications that contain the higher-ranked vulnerabilities or require vendors to remove problematic code from their applications.

