[BreachExchange] No-Shock: Worst Year For Vulnerabilities Already – Only Through Q3 2017

Tue Nov 14 15:27:41 EST 2017

https://www.riskbasedsecurity.com/2017/11/no-shock-worst-year-for-vulnerabilities-already-only-through-q3-2017/

Risk Based Security today announced the release of its Q3 2017 VulnDB
QuickView report
<https://pages.riskbasedsecurity.com/2017-q3-vulnerability-quickview-report>
that shows there have been 16,006 vulnerabilities disclosed through
September 30th this year. This is the highest number of disclosed
vulnerabilities at the end of the third quarter on record and represents a
38% increase over the same period in 2016. In addition, cataloged
vulnerabilities in the first nine months of 2017 have exceeded the total
vulnerabilities for all of 2016 (15,832). The 16,006 vulnerabilities
cataloged by Risk Based Security’s VulnDB research team eclipsed the total
covered by the CVE and National Vulnerability Database (NVD) by 6,295.

“When hearing that so many vulnerabilities are missing from CVE/NVD, most
security professionals want to justify the gap by trying to convince
themselves that the vulnerabilities missed can’t possibly impact their
organization and if they do they must be low risk. However, just as our
previous reports have indicated this isn’t the case. 44.1% – over 2,700 –
of the vulnerabilities not published by NVD/CVE have a CVSSv2 score between
7.0 and 10 which include widely deployed software used by many
organizations. Any security product or tool that relies on CVE/NVD is
putting your organization at serious risk.”, said Jake Kouns, Chief
Information Security Officer for Risk Based Security.

“As Equifax
<https://www.riskbasedsecurity.com/2017/09/equifd-equifax-breach-response-off-to-a-rough-start/>
dominated the data breach headlines, it was revealed that due to a series
of delays they were unable to patch the exploited flaw, now commonly known
as Struts-Shock, in a timely fashion. What the media missed is that there
have been a total of 75 vulnerabilities in Apache Struts, and 5 new
vulnerabilities since Struts-Shock was disclosed. It makes you wonder if
there were any other delays in correcting those issues as well, and if
Equifax has additional unpatched vulnerabilities”, added Kouns.

The newly released 2017 Q3 2017 report from Risk Based Security shows that
39.9% of total reported vulnerabilities received CVSSv2 scores above 7.0.
This means that not only is the number of vulnerabilities on the rise, but
the severity of the vulnerabilities disclosed remains high. What is more
concerning for organizations is that 31.6% of the vulnerabilities disclosed
have public exploits available and 47.9% can be exploited remotely.

The VulnDB QuickView report also highlights the relationships between
researchers and vendors, showing that they are continuing to work together.
Vulnerabilities disclosed in a coordinated fashion continues to be around
43%, on par from the mid year report.  In addition, 6.1% of the
vulnerabilities disclosed in software products were coordinated through
vendor and third-party bug bounty programs.

“While our proprietary Vulnerability, Timeline, and Exposure Metrics (VTEM)
show that not all vendors are prioritizing and fixing vulnerabilities as
quickly as we would prefer, the good news is that 75.8% of 2017
vulnerabilities through September do have a documented solution”, says
Kouns.

*About the VulnDB QuickView Report*

The VulnDB QuickView report
<https://pages.riskbasedsecurity.com/2017-q3-vulnerability-quickview-report>
is made possible through the research conducted by Risk Based Security
<https://vulndb.cyberriskanalytics.com/>. It is designed to provide an
executive level summary of the key findings from RBS’ analysis of
aggregated vulnerabilities disclosed in 2017. Contact Risk Based Security
for any specific analysis of the 2017 vulnerabilities of specific interest
to your organization..

You can get your copy of the 2017 Q3 2017 VulnDB QuickView Report here:

https://pages.riskbasedsecurity.com/2017-q3-vulnerability-quickview-report
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20171114/d522c693/attachment.html>