[BreachExchange] Vulnerability reporting is returning to normal

Destry Winant destry at riskbasedsecurity.com
Fri Aug 28 10:43:25 EDT 2020 

https://www.helpnetsecurity.com/2020/08/28/vulnerability-reporting-is-returning-to-normal/

Vulnerability reporting, still impacted by COVID-19, is beginning to
return to normal, Risk Based Security reveals.

Out of 11,121 vulnerabilities aggregated during the first half of
2020, 818 were the result of the Vulnerability Fujiwhara Effect, a
term that describes the events when Microsoft and Oracle vulnerability
disclosure schedules collide.

“Risk Based Security sounded the alarm back in January. We knew that
these events would undoubtedly become a significant strain for IT
staff and Vulnerability Managers,” commented Brian Martin, Vice
President of Vulnerability Intelligence at Risk Based Security.

“Compared to other Patch Tuesdays this year, the highest reported
‘only’ 273 new vulnerabilities. However, during April’s Fujiwhara
event we saw 506 new vulnerabilities reported, 79% of which came from
seven vendors.

“Unfortunately for all of us, this is likely we can expect to occur
more frequently in the future. The sheer volume makes one wonder who
actually benefits from this all-at-once disclosure of vulnerabilities.
Certainly not the paying customers.”

Vendors and products with the highest vulnerability counts

The report goes further into the details of the disclosure landscape
by listing and breaking down the vendors and products with the highest
vulnerability counts. Most notable is Microsoft, which has seen a 150%
increase in the amount of vulnerabilities disclosed during the first
six months of 2020 compared to the entirety of 2019. Windows 10 was
the product with the most disclosed vulnerabilities by the end of Q2.

A growing concern is that, despite the high number of Microsoft
vulnerabilities and the Vulnerability Fujiwhara, 29.3% of all
vulnerabilities disclosed during the first half of 2020 do not have
CVE ID, with 3.3% being in RESERVED status meaning that information
for those vulnerabilities is not available within the CVE/NVD
database.

“Given the sheer amount of vulnerabilities disclosed, organizations
relying on CVE/NVD will struggle to find timely and actionable
intelligence,” Mr. Martin concluded.

“The bare minimum metadata found within NVD is not enough for
organizations to properly prioritize and remediate. Organizations are
increasing their own risk by relying on CVE to provide complete and
timely data. The current level of vulnerability disclosures
organizations face on a daily basis are more than CVE can handle, and
it will only get worse.”

More information about the BreachExchange mailing list