Vulnerabilities / Threats

5/28/2020
12:20 PM
Vulnerability Disclosures Drop in Q1 for First Time in a Decade

Even with more security issues published on Patch Tuesdays, the total number of software flaws dropped for the first three months of 2020, according to one tally.

The number of vulnerabilities reported publicly dropped in the first quarter of 2020 for the first time in at least a decade, falling nearly 20% to 4,968 compared with the same quarter last year, according to an analysis published on Thursday by Risk Based Security.

While the drop occurred in the same quarter that the coronavirus pandemic caused many companies to start moving employees to remote work, there is no clear connection or mechanism for why there would be fewer vulnerabilities, says Brian Martin, vice president of intelligence for Risk Based Security.

"Everything that is an outlier for us is due to COVID-19," he says. "But based on that, I could give you reasons why the numbers should be higher or should be lower because you can argue either way based on theories of COVID-19's impact."

The report is a snapshot in time of where the annual vulnerability count stands. While the overall count for the quarter may have declined, one major finding is that some software companies' practice of disclosing vulnerabilities on the second Tuesday of the month — so-called Patch Tuesday — is starting to overburden IT security teams, Martin says.

"We do notice that Patch Tuesdays are getting worse and worse," he says. "Administrators and security teams are going to experience more of a problem on these Tuesdays because they have to triage more and more vulnerabilities."
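To see how concentrated a quarter's disclosures are on Patch Tuesdays, the check below computes the second Tuesday of each month and measures what share of a list of publication dates lands on one. This is an added example, not code from Risk Based Security or from the article; the sample publication dates are constructed for illustration and are not real CVE data.

```python
from collections import Counter
from datetime import date, timedelta


def second_tuesday(year, month):
    """Return Patch Tuesday for the given month: the second Tuesday."""
    first = date(year, month, 1)
    # date.weekday(): Monday == 0, so Tuesday == 1
    days_until_first_tuesday = (1 - first.weekday()) % 7
    return first + timedelta(days=days_until_first_tuesday + 7)


def is_patch_tuesday(d):
    """True if d is the second Tuesday of its month."""
    return d == second_tuesday(d.year, d.month)


def patch_tuesday_share(published):
    """Return (on_patch_tuesday, total, fraction) for a list of disclosure dates."""
    total = len(published)
    on_pt = sum(1 for d in published if is_patch_tuesday(d))
    return on_pt, total, (on_pt / total if total else 0.0)


def busiest_days(published, n=3):
    """Return the n dates with the most disclosures, most common first."""
    return Counter(published).most_common(n)


# Constructed sample of disclosure dates for Q1 2020 (not real CVE data).
# Patch Tuesdays that quarter were 2020-01-14, 2020-02-11 and 2020-03-10.
SAMPLE_DATES = [
    date(2020, 1, 14), date(2020, 1, 14), date(2020, 2, 11), date(2020, 3, 10),
    date(2020, 1, 3), date(2020, 1, 21), date(2020, 2, 5), date(2020, 2, 20),
    date(2020, 3, 4), date(2020, 3, 25),
]

if __name__ == "__main__":
    on_pt, total, frac = patch_tuesday_share(SAMPLE_DATES)
    print(f"{on_pt} of {total} disclosures ({frac:.0%}) fell on a Patch Tuesday")
    for d, count in busiest_days(SAMPLE_DATES):
        print(d.isoformat(), count, "(Patch Tuesday)" if is_patch_tuesday(d) else "")
```

Pointing `patch_tuesday_share` at the publication dates pulled from a vulnerability feed for a quarter gives a quick measure of how much triage work piles onto three days of the quarter; the `busiest_days` output shows whether the peaks line up with the second Tuesday or with vendor-specific dates.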

The counting of publicly disclosed vulnerabilities varies among the organizations that track software flaws. The National Vulnerability Database run by the National Institute of Standards and Technology, for example, shows 7,950 recorded vulnerabilities so far in 2020 and appears to be on track to match last year's count. 

The first-quarter vulnerability count is a running total. Risk Based Security and MITRE both backfill their databases with information on software flaws that were disclosed in the first quarter but were not initially counted. Based on previous trends, RBS expects the true count of vulnerabilities to land around 6,100 for the first quarter of 2020, down from an estimated final count of about 6,400 for the first quarter of 2019.

The company does not expect a final count to emerge until about three years later, according to the report.

"This trend is fairly consistent, and the end result is that we see our 'raw count' — the one we publish fresh off the press — mature to a steady future state within a period of three years," according to the RBS report.

The most likely explanation for the drop is some impact on software companies or on vulnerability researchers due to COVID-19 and the move for many companies to remote work, Martin says. 

Yet the impact of COVID-19 could plausibly explain either a drop or an increase, he says. Disruptions at work and reductions in security staff through layoffs could lead to fewer vulnerability reports being triaged and disclosed. However, with more time to pursue projects and a need for additional wins on their resumes, vulnerability researchers could spend more time looking for security issues, he says.

"In this quarter, we know for sure that some security teams got cut back, and we still see these security companies losing people," Martin says. "Yet researchers who are out of work may go back to vulnerability research to put something on their resume. It could go either way."

Overall, Martin expects more clarity later in the year as more vulnerabilities found during the height of the initial surge of the pandemic in the first half of 2020 come to light. 

"It is very difficult to say at this point, because we have just finished up with Q1, and it is so soon after COVID," he says. "We are close to on par for last year. It may have been a case with it just being a slow first quarter."

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ...

Comments

xfygx, User Rank: Apprentice, 6/21/2020 | 1:32:08 PM
Why
Why does it happen?