Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

8/13/2018
05:20 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Vulnerability Disclosures in 2018 So Far Outpacing Previous Years'

Nearly 17% of 10,644 vulnerabilities disclosed so far this year have been critical, according to new report from Risk Based Security.

There appears to be little relief in sight for organizations hoping for some respite from patching. A new report from Risk Based Security released today reveals that the number of vulnerabilities discovered in software products shows no signs of abating.

Between January 1 and June 30 of this year, a total of 10,644 vulnerabilities were published compared to 9,690 in the same period in 2017. The trend so far this year suggests that the total number of disclosed vulnerabilities in 2018 will comfortably exceed the 20,832 vulnerabilities that Risk Based Security published during 2017 — which itself represented a 31% increase over 2016.

About 17% of the reported flaws this year were deemed critical and had a severity rating of between 9.0 and 10.0 on the CVSS rating scale. That number is smaller than the 21.1% of flaws overall that garnered the same rating in Risk Based Security's report for the first half of 2017.

Somewhat expectedly a plurality of 2018 vulnerabilities – 46.3% - were Web-related flaws, and half of all reported vulns were remotely exploitable. Nearly one-third of the vulnerabilities so far this year in Risk Based Security's database have public exploits, but 73 have a documented solution.

A majority of the vulnerabilities are based on processing user or attacker-supplied input, and the software not properly-sanitizing that input, says Brian Martin, vice president of vulnerability intelligence for Risk Based Security. "We classify them as input manipulation issues that impact the integrity of the software," he notes.

Not All in the CVE & NVD

Significantly, Risk Based Security's vulnerability database contained more than 3,275 vulnerabilities that were not published in MITRE's CVE and the National Vulnerability Database (NVD) in the first half of 2018. Of these, more than 23% had a CVSS score between 9.0 and 10.0.

In other words, organizations relying purely on the CVS/NVD vulnerability data would likely not have been aware of more than 750 other critical vulnerabilities that were published elsewhere.

"The biggest takeaway is that the number of vulnerabilities being disclosed continues to rise, and will continue to do so for the foreseeable future," Martin says.

More importantly, the data shows that organizations cannot rely solely on the CVE database for their vulnerability data, he says.

His firm uses over 2,000 sources for its vulnerability data including mail lists such as Bugtraq and Full Disclosure, exploit websites such as ExploitDB and Packetstorm, and vendor resources such as customer forums. Other sources include formal advisories and knowledge base articles, and developer resources such as changelog, bug-tracking systems, and code commits, Martin says.

Risk Based Systems typically aggregates and processes newly disclosed vulnerabilities in less than 24 hours, depending on the disclosure and if additional analysis is needed. For some security vulnerabilities, the vendor discloses at roughly the same time as CVE and for others, it is weeks and even months, ahead of them, he notes.

Not So Fast

While Risk Based Security's statistics might suggest that software is becoming increasingly buggy, the reality appears a little more nuanced. According to Martin, there are likely many reasons why more flaws are being discovered in software products these days despite the heightened awareness and attention being paid to application security.

Among them is the fact that there are a lot more security researchers looking for and reporting security vulnerabilities these days compared to a few years ago. Tools for finding security vulnerabilities have improved as well and have become faster and more reliable than before, too.

And organizations that monitor and aggregate vulnerabilities are also improving their processes and software vendors themselves have become better at disclosing vulnerabilities reported to them, Martin notes.

Related Content:

  

Learn from the industry's most knowledgeable CISOs and IT security experts in a setting that is conducive to interaction and conversation. Register before July 27 and save $700! Click for more info

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
davidjmeltzer
50%
50%
davidjmeltzer,
User Rank: Author
8/15/2018 | 4:16:13 PM
Vulnerability disclosures
I have seen tools that only have coverage for vulnerabilities based on one or two of the sources discussed in the article.  There are at its core, only a very few products out there that have more comprehensive coverage.  It used to be coverage was THE most importat attribute to vulnerability-related products, and even though it gets a lot less attention these days, it is still critically important.  

 
10 Ways to Keep a Rogue RasPi From Wrecking Your Network
Curtis Franklin Jr., Senior Editor at Dark Reading,  7/10/2019
The Security of Cloud Applications
Hillel Solow, CTO and Co-founder, Protego,  7/11/2019
Where Businesses Waste Endpoint Security Budgets
Kelly Sheridan, Staff Editor, Dark Reading,  7/15/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: "Jim, stop pretending you're drowning in tickets."
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-13623
PUBLISHED: 2019-07-17
In NSA Ghidra through 9.0.4, path traversal can occur in RestoreTask.java (from the package ghidra.app.plugin.core.archive) via an archive with an executable file that has an initial ../ in its filename. This allows attackers to overwrite arbitrary files in scenarios where an intermediate analysis r...
CVE-2019-13624
PUBLISHED: 2019-07-17
In ONOS 1.15.0, apps/yang/web/src/main/java/org/onosproject/yang/web/YangWebResource.java mishandles backquote characters within strings that can be used in a shell command.
CVE-2019-13625
PUBLISHED: 2019-07-17
NSA Ghidra before 9.0.1 allows XXE when a project is opened or restored, or a tool is imported, as demonstrated by a project.prp file.
CVE-2019-3571
PUBLISHED: 2019-07-16
An input validation issue affected WhatsApp Desktop versions prior to 0.3.3793 which allows malicious clients to send files to users that would be displayed with a wrong extension.
CVE-2019-6160
PUBLISHED: 2019-07-16
A vulnerability in various versions of Iomega and LenovoEMC NAS products could allow an unauthenticated user to access files on NAS shares via the API.