First the good news: according to a published report, more than 16,000 software vulnerabilities were disclosed during the first nine months of this year. That is quite a few vulnerabilities that could let attackers, exploits, and malware scurry into an enterprise environment. However, it is 7 percent fewer vulnerabilities than in 2017.
The bad news is that over 33 percent of those vulnerabilities were rated critical or high, meaning a score of 7.0 or higher on the Common Vulnerability Scoring System (CVSS).
The figures come from the Vulnerability Quick View report, published by vulnerability intelligence provider Risk Based Security.
Interestingly, only about half of the vulnerabilities disclosed through Q3 2018 were announced in coordination with the software vendor. Just under half of the vulnerabilities, 44 percent, have publicly available exploits (or enough published detail to build one) targeting the weaknesses in the affected software.
Another concerning finding from the researchers is that about half of all vulnerabilities this year are remotely exploitable, 60 percent can affect the integrity of the at-risk applications, and nearly 20 percent place the integrity of data at risk.
More than 12 percent of vulnerabilities had a working exploit that was not published by the researchers.
Additionally, many of the vulnerabilities reported so far this year have either updated versions or patches available — still, 25 percent of the reported vulnerabilities had no known patch at the time the report was issued. “This underlines that while patching is very important, it cannot be relied on exclusively as a remedy. A modern vulnerability management approach needs to be more than just patch management; it needs to make use of detailed vulnerability intelligence to understand and prioritize mitigation actions to address the ever-changing threats. Detailed information on the threats your organization faces can be used to better implement broader mitigation strategies including compensating security controls,” the authors wrote.
Most applications today support plug-ins, and these third-party plug-ins often don’t get the same level of tracking and scrutiny as the applications that host them.
Earlier this fall, open source management software provider Sonatype released its State of the Software Supply Chain Report, which found that developers downloaded more than 300 billion open source components in the prior year. Unfortunately, nearly 13 percent of those components contained known security vulnerabilities.
The annual report also found a troubling escalation in the number of attacks targeting the software supply chain by injecting vulnerabilities directly into open source components.
Just as worrisome, attackers have compressed the mean time to exploit known vulnerabilities by 400 percent, from 45 days down to three.
Interestingly, the researchers found that the number of vulnerabilities disclosed by the end of the third quarter this year showed a dip. This was the first year-over-year dip in a long time. “RBS reminds report readers that small fluctuations in disclosures happen frequently, and that over time as more sources are examined, that dip may go away entirely. As more scrutiny is given to additional disclosure sources, it can sway the quarterly and yearly totals after initial reports like this one are issued,” the report authors cautioned.
Also, while it would be great news to see a decline in software vulnerabilities, one dot doesn’t make a trend.
It’s critical that enterprises follow best practices for software-related risk mitigation. This includes taking inventory of all of the software in the organization, tracking vulnerabilities as they are announced, patching, reducing the amount of software and software libraries installed, reducing external access to software, and monitoring systems and networks for indicators of compromise. Larger companies would also benefit from actively looking for news of potential exploits for software that is installed in their environments.