There have been 16,172 vulnerabilities disclosed through October 29th, a 7% decrease from the record high reported at this time last year. The 16,172 vulnerabilities cataloged through Q3 2018 by Risk Based Security’s research team eclipsed the total covered by CVE and the National Vulnerability Database (NVD) by over 4,800. It’s also worth noting that NVD remains significantly behind in scoring vulnerabilities and in building out its automation component.
Vulnerabilities with a CVSSv2 score of 9.0+, often referred to as ‘critical’, accounted for 15.4% of all published vulnerabilities through Q3. The significant percentage of critical severity vulnerabilities continues to underline the vigilance organizations must maintain and the importance of implementing a comprehensive software vulnerability assessment and management plan.
The 2018 Q3 VulnDB QuickView report cataloged 4,823 more vulnerabilities than CVE/NVD through the end of Q3 2018. “It’s important to understand the limitations of CVE/NVD-based solutions, and the risk that organizations face by not incorporating the most comprehensive vulnerability intelligence available in their risk management solutions. Not only do they cover a subset of reported vulnerabilities, but analysis shows that CVE/NVD-based solutions are about 7-12 weeks behind. The serious risk faced by an organization not warned about a new vulnerability in a timely manner – if at all – is obvious,” said Carsten Eiram, Chief Research Officer for Risk Based Security.
“CVE/NVD-based solutions are also inaccurate and lacking a lot of relevant information, such as the detailed metadata tracked in VulnDB, including the lifecycle of a vulnerability. The information available about any given vulnerability is often changing, so it’s important to track these changes, for example: the release of patches or upgraded versions, changes to impact based on new findings, and exploit availability. CVE/NVD-based solutions are ‘fire and forget’. They rarely update vulnerability information once published,” added Eiram.
Of all the vulnerabilities disclosed through Q3 2018, 67.3% are due to insufficient or improper input validation. Though many vulnerabilities fall under this umbrella, it’s clear that vendors still struggle to carefully validate untrusted input from users. Having a mature Software Development Lifecycle (SDL) and some form of auditing can help iron out many of these issues and significantly reduce the threat from attackers.
A large number of the vulnerabilities reported in 2018 have either updated versions or patches available. However, 24.9% of the reported vulnerabilities currently have no known solution, which is a reminder that, while patching is very important, it cannot be relied on exclusively as a remedy. In addition to patch management, modern vulnerability management programs should include the use of detailed information on the threats faced by organizations to better implement broader mitigation strategies, including compensating security controls.
“The importance of comprehensive vulnerability coverage is clear, but even more critical is having timely intelligence, which cannot be understated. We continue to see vulnerabilities that are being actively exploited in the wild well before most organizations are aware of the issues. It is an unfortunate situation to find yourself in a position to learn about a vulnerability after the damage is done,” said Brian Martin, VP of Vulnerability Intelligence for Risk Based Security.