The pace of vulnerability disclosure shows no signs of slowing

Unless the pace of vulnerability disclosure slows down in the coming quarters, we are looking at yet another record-breaking year, according to Risk Based Security’s 2018 Q1 Vulnerability QuickView Report.

Note that bug bounties are a subset of the ‘Coordinated Disclosures’ total

Key findings

• 5,375 unique vulnerabilities were reported. This is just a 1.8% increase over the same period in 2017. Note that this number will continue to rise throughout 2018.
• 1,790 (33.3%) of the vulnerabilities tracked do not have a CVE ID assigned and, therefore, are not available in NVD and similar databases solely relying on CVE. 19.7% of these vulnerabilities have a CVSSv2 score between 9.0 and 10.
• 32.7% of the vulnerabilities have public exploits or sufficient details available to trivially exploit.
• 49.1% of the vulnerabilities are remotely exploitable.
• 74.3% of the vulnerabilities have a documented solution i.e. proper workaround, patch, or fixed version.

Organizations need to be prepared

As more and more vulnerabilities are reported, organizations are forced to spend an increasing amount of time and resources to stay properly informed about the weaknesses affecting their IT infrastructure and applications. There is a further cost of ownership, as vulnerabilities disclosed also require proper prioritization, triage, and remediation.

“Every year see an incredible number of publicly disclosed vulnerabilities missed by the CVE project, and every year we see thousands of data breaches, some caused by not patching known vulnerabilities.“ said Brian Martin, Vice President of Vulnerability Intelligence for Risk Based Security. “Organizations that continue to rely on inferior vulnerability intelligence are putting themselves at increased risk of downtime or compromise, which often leads to their customers receiving the brunt of the fallout.”

The good and the bad

The good news when looking at the issues disclosed in Q1 2018 is that, about three fourths of the reported vulnerabilities did have a documented solution available. However, that still leaves over 1.300 of the disclosed vulnerabilities with no viable solution. That means organizations relying solely on patch management software for vulnerability remediation are failing to address weaknesses in their infrastructure and applications. After all, if there is no patch, there is nothing for a patch manager to do.

The importance of awareness

Administrators are beginning to realize that better awareness of disclosed vulnerabilities is critical to their operations. Along with this, comes the realization that their organization cannot rely on patch management solutions alone. In fact, a multifaceted approach that integrates vulnerability intelligence into both asset and patch management solutions, makes life a lot easier for system administrators while ensuring full coverage of potential security issues. But implementing a multi-faceted approach requires a reliable source for vulnerability intelligence.

Incomplete data sources leave the organization exposed and tasking staff to research new disclosures is inefficient and time consuming.
“The lack of vulnerability coverage from freely available or US funded government projects forces companies to make a decision; run the risk of using incomplete vulnerability information, spend significant resources tracking vulnerabilities internally or seek a vulnerability intelligence feed from a reliable service.” said Carsten Eiram, Chief Research Officer at Risk Based Security.