2017 Saw Software Vulnerabilities Increase by 31 Percent
Reports say that the number of software vulnerabilities disclosed in 2017 was 31 percent higher than in 2016, and that one-third of them have public exploits.
Risk Based Security, Inc., a leading vulnerability intelligence firm, has recently published its Year End Vulnerability Quick View Report for 2017. It found a total of 20,832 security flaws last year, of which around 7,900 have no CVE (Common Vulnerabilities and Exposures) IDs and are therefore absent from the U.S. Government's NVD (National Vulnerability Database).
A press release from Risk Based Security, Inc., based on the year-end report, says: “Risk Based Security today announced the release of the year end VulnDB QuickView report that shows 2017 broke the previous all-time record for the highest number of reported vulnerabilities. The 20,832 vulnerabilities cataloged during 2017 by Risk Based Security (VulnDB) eclipsed the total covered by MITRE’s Common Vulnerability Enumeration (CVE) and the National Vulnerability Database (NVD) by more than 7,900.”
It should be noted that the CVE maintainers have already faced criticism for not assigning CVEs in a timely manner (with delays on the order of months) and for the narrow scope of what they accept as a vulnerability. Among the CVE IDs that have been assigned, many still carry “reserved” status and give no details of the flaws they cover.
A report authored by Lucian Constantin for Security Boulevard observes: “This discrepancy in coverage between vulnerability databases means that security scanners and other products that rely solely on CVE for vulnerability identification and information are likely to miss a large number of security issues on corporate networks.”
The Risk Based Security press release also quotes the company’s VP of Vulnerability Intelligence, Brian Martin, who says: “Organizations that track and triage vulnerability patching saw no relief in 2017, as it was yet another record-breaking year for vulnerability disclosures. The increasingly difficult task of protecting digital assets has never been so critical to businesses as we continue to see a rise in compromised organizations and data breaches. If your vulnerability intelligence solution didn’t offer information on the more than 20,000 vulnerabilities disclosed in 2017, your organization is at an increased risk.”
Brian Martin further says: “Incredibly, we see too many companies still relying on CVE and NVD for vulnerability tracking, despite the US government funded organization falling short year after year. While some argue that the CVE/NVD solution is ‘good enough’, that simply isn’t the case. Just look at the number of web and computer hacking data breaches reported on a regular basis. In addition to a false sense of security, the ‘good enough’ mindset often leads some to believe that the important vulnerabilities are covered, and that isn’t the case either.”
Of the 20,832 software vulnerabilities recorded in 2017, around 40 percent were rated High or Critical in severity (between 7.0 and 10.0 on the CVSS, the Common Vulnerability Scoring System), and over 17 percent were rated Critical. More than half of all vulnerabilities reported last year were in products from major vendors; the top 10 vendors with vulnerabilities rated between 9.0 and 10.0 are Google, SUSE, Canonical, Red Hat, SGP Technologies, Adobe Systems, Mozilla, Samsung, Oracle and Xerox. 39.5 percent of all reported vulnerabilities had public exploits, or enough published detail to allow a working exploit to be written. Meanwhile, almost one-fourth of the reported vulnerabilities have no patch or other known solution.
As for root causes, most of the vulnerabilities stemmed from insufficient or improper validation of input. Over 50 percent of the reported vulnerabilities were found in web applications; of these, XSS accounted for 36 percent and SQL injection for 19 percent.
Kevin Jones
Kevin Jones, Ph.D., is a research associate and a cyber security author with experience in penetration testing, vulnerability assessments, monitoring solutions, surveillance and offensive technologies. Currently, he is a freelance writer on the latest security news and other happenings. He has authored numerous articles and exploits, which can be found on popular sites like hackercombat.com and others.