[BreachExchange] Cybersecurity alert: 34% of vulnerabilities found this year remain unpatched

Destry Winant destry at riskbasedsecurity.com
Wed Aug 28 02:13:44 EDT 2019


A mid-year report on vulnerabilities found so far in 2019 from Risk
Based Security should make security professionals take notice: There
are some serious risks out there.

In the first half of 2019, there have been about 4,000 fewer entries
in the Common Vulnerabilities and Exposures (CVE) database, but that's
no reason to start resting easy: 34% of the 11,092 reported
vulnerabilities remain unpatched.

Leading the pack with 24.1% of all vulnerabilities between them are
five companies: Software in the Public Interest (Debian and related
platforms), SUSE, Oracle, IBM, and Microsoft.

Given the popularity of platforms from those organizations, it's
reasonable to assume your organization is affected by at least one of
the more than 11,000 vulnerabilities reported in 2019, and possibly by
some that remain unpatched.

What kinds of vulnerabilities are trending in 2019?

There are a variety of types of vulnerabilities included in the
report, but the most popular (accounting for 53% of reports in 2019)
are remote ones. Remote vulnerabilities are any that happen over a
network and are perpetrated by an attacker without prior access to a

The most common way this is done is via input manipulation, such as an
SQL injection attack. An attacker using input manipulation can submit
crafted input through a form field (e.g., email registration,
account signup, site search, etc.) that causes the website's
database to dump all sorts of sensitive information to the attacker.

Input manipulation accounted for 66% of reported vulnerability cases
so far in 2019, which continues a trend that Risk Based Security said
has been the case for years. SQL injection attacks, one of the oldest
and most common forms of input manipulation, have been an issue since
the dawn of the internet, and their popularity shows that they'll
probably continue to be such.

Along with remote vulnerabilities, context-dependent, local, and
mobile exploits make the list, but in small percentages compared to
remote ones.

In short, the most likely way your systems are going to be hit is with
a remote attack attempting to exploit input manipulation.

What can be done to fight the most common exploits of 2019?

"While it may seem an easy problem to tackle, summed up with 'we'll
just sanitize input!', it is often more complicated in practice," the
report said.

Sanitizing input is a great way to avoid input manipulation attacks,
but it can be hard to go back and check old code to find
vulnerabilities, as "many organizations still do not have a rigorous
procedure for testing their source code for such issues despite many
having an otherwise mature process," the report adds.
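To make the input-manipulation passage above and the report's "we'll just sanitize input" caveat concrete, here is an added example (not from the report or the article): the same lookup written once by string concatenation and once with a bound parameter, run against a constructed in-memory SQLite table so the difference is observable. Parameter binding avoids relying on per-field sanitization entirely, which is why it is the usual fix.

```python
import sqlite3

# Constructed sample rows for the demonstration (not data from the report).
USERS = [("alice", "alice@example.com"), ("bob", "bob@example.com")]


def _db():
    """In-memory database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def lookup_vulnerable(conn, name):
    """Builds the statement by concatenation: the input becomes part of the SQL."""
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, name):
    """Binds the input as a parameter: the driver never interprets it as SQL."""
    sql = "SELECT name, email FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def compare(name):
    """Return (vulnerable_rows, parameterized_rows) for the same input."""
    conn = _db()
    try:
        return lookup_vulnerable(conn, name), lookup_parameterized(conn, name)
    finally:
        conn.close()


if __name__ == "__main__":
    # A benign lookup behaves the same either way.
    print(compare("alice"))
    # Input that closes the quote and appends a tautology: the concatenated
    # version returns every row, the parameterized version matches nothing.
    print(compare("x' OR '1'='1"))
```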

Another glaring aspect of the report that makes solving these
vulnerabilities difficult is the sheer number that are still
unresolved: Around 3,771 of the 11,092 vulnerabilities in 2019 meet
that criterion.

Brian Martin, vice president of vulnerability intelligence at Risk
Based Security, suggested organizations purchase a vulnerability
scanning tool that is capable of looking at both an entire IP space
and all the devices on it. "If an organization is using vulnerability
scanning, they may simply not know about all of their assets," Martin
said in the report, so be sure the tools you have are designed for the
type of organization you run.

Along with adopting an aggressive scanning policy, organizations should
be sure to keep systems updated and patched: 66% of vulnerabilities
reported in 2019 can be resolved in one of those two ways.

You can read the full report on Risk Based Security's website.
