Dark Reading is part of the Informa Tech Division of Informa PLC


5/28/2020
12:20 PM
Vulnerability Disclosures Drop in Q1 for First Time in a Decade

Even with more security issues published on Patch Tuesdays, the total number of software flaws dropped for the first three months of 2020, according to one tally.

The number of vulnerabilities reported publicly dropped in the first quarter of 2020 for the first time in at least a decade, falling nearly 20% to 4,968 compared with the same quarter last year, according to an analysis published on Thursday by Risk Based Security.

While the drop occurred in the same quarter that the coronavirus pandemic caused many companies to start moving employees to remote work, there is no clear connection or mechanism for why there would be fewer vulnerabilities, says Brian Martin, vice president of intelligence for Risk Based Security.

"Everything that is an outlier for us is due to COVID-19," he says. "But based on that, I could give you reasons why the numbers should be higher or should be lower because you can argue either way based on theories of COVID-19's impact."

The report is a snapshot in time of where the annual vulnerability count stands. Even though the overall count for the quarter declined, one major finding is that some software vendors' practice of disclosing vulnerabilities, and the patches for them, on the second Tuesday of the month (so-called Patch Tuesday) is starting to overburden IT security teams, Martin says.

"We do notice that Patch Tuesdays are getting worse and worse," he says. "Administrators and security teams are going to experience more of a problem on these Tuesdays because they have to triage more and more vulnerabilities."

How publicly disclosed vulnerabilities are counted varies among the organizations that track software flaws, so totals from different trackers are not directly comparable. The National Vulnerability Database run by the National Institute of Standards and Technology, for example, shows 7,950 recorded vulnerabilities so far in 2020 and appears to be on track to match last year's count.

The first-quarter vulnerability count is a running total. Risk Based Security and MITRE both backfill their databases with information on software flaws that were disclosed in the first quarter but were not initially counted. Based on previous trends, RBS expects the true count of vulnerabilities to land around 6,100 for the first quarter of 2020, down from an estimated final count of about 6,400 for the first quarter of 2019.

The company does not expect a final count to emerge until about three years later, according to the report.

"This trend is fairly consistent, and the end result is that we see our 'raw count' — the one we publish fresh off the press — mature to a steady future state within a period of three years," according to the RBS report.
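The two mechanisms described above, a "raw count" that keeps growing as entries disclosed in the quarter are backfilled into the database, and the clustering of disclosures on Patch Tuesdays that makes triage harder, can be made concrete with a small script. This is an added example, not code from the article or from Risk Based Security; the records are constructed sample data rather than real CVE entries, and the assumptions that each record carries a disclosure date and a date-added-to-database, and that "Patch Tuesday" means the second Tuesday of the month, are mine.

```python
"""Snapshot vs. matured vulnerability counts, and Patch Tuesday clustering.

Added example (not Risk Based Security's or Dark Reading's code). RECORDS is
constructed sample data, not real CVE entries; the (disclosed, added) layout
is an assumption made for illustration.
"""
from datetime import date, timedelta

# Constructed sample records: (disclosure date, date the entry was added to the tracker).
# Entries 'added' after a reporting snapshot are the backfill the article describes.
RECORDS = [
    (date(2020, 1, 14), date(2020, 1, 14)),  # Patch Tuesday, Jan 2020
    (date(2020, 1, 14), date(2020, 1, 15)),
    (date(2020, 2, 11), date(2020, 2, 11)),  # Patch Tuesday, Feb 2020
    (date(2020, 2, 11), date(2020, 2, 11)),
    (date(2020, 2, 11), date(2020, 2, 12)),
    (date(2020, 3, 3), date(2020, 3, 5)),    # a Tuesday, but the first of the month, not Patch Tuesday
    (date(2020, 3, 10), date(2020, 3, 10)),  # Patch Tuesday, Mar 2020
    (date(2020, 3, 10), date(2020, 3, 10)),
    (date(2020, 3, 10), date(2020, 3, 10)),
    (date(2020, 3, 27), date(2020, 5, 20)),  # disclosed in Q1, picked up by the tracker in May
    (date(2020, 3, 30), date(2021, 2, 1)),   # disclosed in Q1, backfilled almost a year later
    (date(2020, 4, 2), date(2020, 4, 2)),    # Q2 disclosure, must never count toward Q1
]


def _as_date(value):
    """Accept a date or an ISO 'YYYY-MM-DD' string."""
    return value if isinstance(value, date) else date.fromisoformat(value)


def quarter_of(d):
    """(year, quarter) for a date, e.g. 2020-03-27 -> (2020, 1)."""
    return (d.year, (d.month - 1) // 3 + 1)


def _in_scope(records, year, quarter, as_of):
    """Disclosure dates that fall in the quarter AND had been entered by the snapshot date."""
    as_of = _as_date(as_of)
    return [
        disclosed for disclosed, added in records
        if quarter_of(disclosed) == (year, quarter) and added <= as_of
    ]


def count_for_quarter(records, year, quarter, as_of):
    """Count the quarter's disclosures as the database looked on `as_of`.

    Re-running with a later `as_of` reproduces the effect the report calls the
    raw count 'maturing': the same quarter's total rises as backfill arrives.
    """
    return len(_in_scope(records, year, quarter, as_of))


def second_tuesday(year, month):
    """Patch Tuesday as used here: the second Tuesday of the month (assumption)."""
    first = date(year, month, 1)
    first_tuesday = first + timedelta(days=(1 - first.weekday()) % 7)  # weekday(): Mon=0, Tue=1
    return first_tuesday + timedelta(days=7)


def patch_tuesday_share(records, year, quarter, as_of):
    """Fraction of the quarter's counted disclosures that landed on a Patch Tuesday."""
    in_scope = _in_scope(records, year, quarter, as_of)
    if not in_scope:
        return 0.0
    on_pt = sum(1 for d in in_scope if d == second_tuesday(d.year, d.month))
    return on_pt / len(in_scope)


if __name__ == "__main__":
    for snapshot in ("2020-03-31", "2020-06-30", "2021-03-31"):
        n = count_for_quarter(RECORDS, 2020, 1, snapshot)
        share = patch_tuesday_share(RECORDS, 2020, 1, snapshot)
        print(f"Q1 2020 as of {snapshot}: {n} vulns, {share:.0%} disclosed on a Patch Tuesday")
```

Run as-is, the three snapshots give 9, 10 and 11 entries for the same quarter, which is the backfill pattern the report describes, and on the constructed data most of the quarter's disclosures cluster on three days, which is the triage load Martin is pointing at. The March 3 record is deliberately a Tuesday that is not the second Tuesday, to show the Patch Tuesday check is by position in the month rather than by weekday alone.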

The most likely explanation for the drop is some impact on software companies or on vulnerability researchers due to COVID-19 and the move for many companies to remote work, Martin says. 

Yet the impact of COVID-19 could plausibly explain either a drop or an increase, he says. Workplace disruption and layoffs of security staff could lead to fewer vulnerability reports being triaged and disclosed. On the other hand, with more time to pursue projects and a need for additional wins on their resumes, vulnerability researchers could spend more time looking for security issues, he says.

"In this quarter, we know for sure that some security teams got cut back, and we still see these security companies losing people," Martin says. "Yet researchers who are out of work may go back to vulnerability research to put something on their resume. It could go either way."

Overall, Martin expects more clarity later in the year as more vulnerabilities found during the height of the initial surge of the pandemic in the first half of 2020 come to light. 

"It is very difficult to say at this point, because we have just finished up with Q1, and it is so soon after COVID," he says. "We are close to on par for last year. It may have been a case with it just being a slow first quarter."

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ...
Comments

xfygx, User Rank: Apprentice, 6/21/2020 1:32:08 PM
Why
Why did it happen?