[BreachExchange] Nearly 10,000 Vulnerabilities Disclosed So Far In 2017 – Major Vendors Continue To Be Affected

Inga Goddijn inga at riskbasedsecurity.com
Thu Jul 27 09:18:22 EDT 2017


https://www.riskbasedsecurity.com/2017/07/nearly-10000-vulnerabilities-disclosed-so-far-in-2017-major-vendors-continue-to-be-affected/

Risk Based Security today announced the release of its Mid-2017 VulnDB
QuickView report
<https://pages.riskbasedsecurity.com/2017-midyear-vulnerability-quickview-report>,
which shows there have been 9,690 vulnerabilities disclosed through June 30th.
This is the highest number of disclosed vulnerabilities at the mid-year
point on record. The 9,690 vulnerabilities cataloged during the first six
months of 2017 by Risk Based Security eclipsed the total covered by the CVE
and National Vulnerability Database (NVD) by over 4,000.

“Another important statistic is that of the 4,092 vulnerabilities not
reported by CVE/NVD, 3,806, or 93.0%, have CVSSv2 scores of 4.0 (Medium
Severity) and above. This is highly problematic since PCI compliance
requires medium severity vulnerabilities and above to be mitigated. If your
organization or the vulnerability scanning company you rely upon is using
CVE/NVD for vulnerability intelligence, your infrastructure is at risk”,
said Carsten Eiram, Chief Research Officer for Risk Based Security.

“With reported data breaches on the rise in 2017 at nearly 2,300 through
June, and 41% of those breaches caused by hacking, this is no time to use
an inferior vulnerability intelligence feed to protect your assets”, added
Eiram.

The newly released 2017 Mid-year report
<https://pages.riskbasedsecurity.com/2017-midyear-vulnerability-quickview-report>
from Risk Based Security shows that 21.1% of reported vulnerabilities received
CVSSv2 scores between 9.0 and 10.0, nearly identical to the percentage
observed in 2016. This means that not only is the number of vulnerabilities
on the rise, but the severity of the vulnerabilities disclosed remains high.

The VulnDB QuickView report also revealed that while relationships between
researchers and vendors can at times appear strained, they are continuing
to attempt to work together. The share of vulnerabilities disclosed in a
coordinated fashion with vendors remains high at around 42%, just slightly
lower than in 2016.

“One final point about the criticality of having access to comprehensive
and timely vulnerability intelligence: of the vulnerabilities not reported
in CVE/NVD in 2017, 47.4% have a publicly disclosed exploit or sufficient
details to trivially create one”, says Eiram.

*About the VulnDB QuickView Report*

The VulnDB QuickView report is made possible by the research conducted by Risk
Based Security <https://vulndb.cyberriskanalytics.com/>. It is designed to
provide an executive level summary of the key findings from RBS’ analysis
of vulnerabilities disclosed in 2017. Contact Risk Based Security for any
analysis of the 2017 vulnerabilities of specific interest to your
organization.

You can get your copy of the 2017 Mid-year VulnDB QuickView Report here:

https://pages.riskbasedsecurity.com/2017-midyear-vulnerability-quickview-report