The number of vulnerabilities disclosed in the first half of the year topped 11,800, forcing companies to determine the impact of an average of 90 security issues per weekday.
The numbers are from cybersecurity firm Flashpoint's "The State of Vulnerability Intelligence — 2022 Midyear Edition" report, which notes that the massive number of vulnerabilities reported in the first half of the year highlights the problems facing companies as they try to triage software security issues and determine which software updates to prioritize.
Without better guidance, organizations attempting to sort through the security issues struggle to separate those that are highly critical from minor vulnerabilities and those that may not affect their environment at all, says Brian Martin, vice president of vulnerability intelligence at Flashpoint.
"There are some issues that will have no bearing on any real organization in the world — it might be a vulnerability in some Chinese blog that has seven installs worldwide," Martin says. "On the other hand, we do have vulnerabilities in Microsoft products, Google products, Apple products. Stuff that is just as high-profile and concerning as any issue from a Patch Tuesday."
Clouding the issue is the focus put on zero-day vulnerabilities, those labeled as "discovered in the wild" by researchers before a patch is available. These are difficult to collect information on. Google's Project Zero documented 20 such vulnerabilities exploited in the wild in the first half of 2022, while Flashpoint found at least 17 more issues.
Yet the most common attacks usually use known vulnerabilities.
"Discovered-in-the-wild vulnerabilities are often used in high-profile breaches or are attributed to Advanced Persistent Threat (APT) attacks," the report states. "Due to their nature, organizations often lack defensive options for them. However, business leaders need to keep in mind that discovered-in-the-wild vulnerabilities represent a tiny fraction of compromises occurring around the world."
Organizations also had to deal with a growing number of days with hundreds of reported vulnerabilities because of software vendors' regularly scheduled updates. In February, for example, Flashpoint documented 351 issues thanks to releases from Microsoft's Patch Tuesday and disclosures from other software vendors falling on the same day. In April, a similar convergence of software-vulnerability disclosures saw the highest number of vulnerabilities, 356, released in a single day.
"Organizations need to be aware that the vulnerability disclosure landscape is highly volatile, with 'standard' days potentially introducing volumes traditionally seen only on Patch Tuesdays and other similar events," the Flashpoint report states.
Snowballing Levels of Vulnerability Disclosures
The report also shows that the number of vulnerabilities disclosed to vendors continues to remain at high levels.
The National Vulnerability Database (NVD) also documented more than 11,000 flaws assigned Common Vulnerability and Exposures (CVE) identifiers in the first six months of the year. However, a fraction of those are not true reported vulnerabilities but vendors reserving CVE identifiers for future, or yet-to-be disclosed, vulnerabilities. Flashpoint estimates that its database has details on 27% more vulnerabilities than documented in the NVD.
While various distributions of Linux topped the chart of vulnerable applications — such as SUSE, openSUSE Leap, and Ubuntu — open source–focused companies accounted for only four of the 10 vendors with the highest vulnerability counts in the first half of 2022. Yet high counts are not necessarily a sign of insecurity but are often a sign that the software company has a process in place to detect and remediate issues.
"There are many underlying reasons as to why certain products and vendors tend to have high vulnerability counts, such as overall market share, product-specific market share, routine — or lack of — schedule of disclosures, attention from vulnerability researchers, and vendor response/patch time, among others," the Flashpoint report states. "Therefore, organizations should not be immediately concerned about well-known vendors having 'more' vulnerabilities, as it could be a sign that they are actively disclosing and patching issues."