
Vulnerabilities / Threats

5/28/2020 12:20 PM

Vulnerability Disclosures Drop in Q1 for First Time in a Decade

Even with more security issues published on Patch Tuesdays, the total number of software flaws dropped for the first three months of 2020, according to one tally.

The number of vulnerabilities reported publicly dropped in the first quarter of 2020 for the first time in at least a decade, falling nearly 20% to 4,968 compared with the same quarter last year, according to an analysis published on Thursday by Risk Based Security.

While the drop occurred in the same quarter that the coronavirus pandemic caused many companies to start moving employees to remote work, there is no clear connection or mechanism for why there would be fewer vulnerabilities, says Brian Martin, vice president of intelligence for Risk Based Security.

"Everything that is an outlier for us is due to COVID-19," he says. "But based on that, I could give you reasons why the numbers should be higher or should be lower because you can argue either way based on theories of COVID-19's impact."

The report is a snapshot in time of where the annual vulnerability count stands. While the overall count for the quarter may decline, one major finding is that some software companies' strategy of releasing vulnerabilities on the second Tuesday of the month — so-called Patch Tuesday — is starting to overburden IT security teams, Martin says.

"We do notice that Patch Tuesdays are getting worse and worse," he says. "Administrators and security teams are going to experience more of a problem on these Tuesdays because they have to triage more and more vulnerabilities."

The counting of publicly disclosed vulnerabilities varies among the organizations that track software flaws. The National Vulnerability Database run by the National Institute of Standards and Technology, for example, shows 7,950 recorded vulnerabilities so far in 2020 and appears to be on track to match last year's count.

The first-quarter vulnerability count is a running total. Risk Based Security and MITRE both backfill their databases with information on software flaws that were disclosed in the first quarter but were not initially counted. Based on previous trends, RBS expects the true count of vulnerabilities to land around 6,100 for the first quarter of 2020, down from an estimated final count of about 6,400 for the first quarter of 2019.

The company does not expect a final count to emerge until about three years later, according to the report.

"This trend is fairly consistent, and the end result is that we see our 'raw count' — the one we publish fresh off the press — mature to a steady future state within a period of three years," according to the RBS report.

The most likely explanation for the drop is some impact on software companies or on vulnerability researchers due to COVID-19 and the move for many companies to remote work, Martin says.

Yet the impact of COVID-19 could result in plausible explanations for a drop or for an increase, he says. Disruptions at work and reductions in security workers through layoffs could lead to fewer vulnerability reports being triaged and disclosed. However, with more time to pursue projects and the need to have additional wins on their resumes, vulnerability researchers could spend more time looking for security issues, he says.

"In this quarter, we know for sure that some security teams got cut back, and we still see these security companies losing people," Martin says. "Yet researchers who are out of work may go back to vulnerability research to put something on their resume. It could go either way."

Overall, Martin expects more clarity later in the year as more vulnerabilities found during the height of the initial surge of the pandemic in the first half of 2020 come to light.

"It is very difficult to say at this point, because we have just finished up with Q1, and it is so soon after COVID," he says. "We are close to on par for last year. It may have been a case with it just being a slow first quarter."

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ...
Comments

xfygx, 6/21/2020 | 1:32:08 PM

Why
Why does it happen?