2017 has officially become the worst year on record, with 16,006 vulnerabilities disclosed through the end of the third quarter.
RICHMOND, VA, November 14, 2017 -- Risk Based Security today announced the release of its Q3 2017 VulnDB QuickView report, which shows that 16,006 vulnerabilities were disclosed through September 30th this year. This is the highest number of disclosed vulnerabilities at the end of a third quarter on record and represents a 38% increase over the same period in 2016. In addition, the vulnerabilities cataloged in the first nine months of 2017 have already exceeded the total for all of 2016 (15,832). The 16,006 vulnerabilities cataloged by Risk Based Security's VulnDB research team eclipsed the total covered by CVE and the National Vulnerability Database (NVD) by 6,295.
“When hearing that so many vulnerabilities are missing from CVE/NVD, most security professionals want to justify the gap by trying to convince themselves that the vulnerabilities missed can't possibly impact their organization, and if they do, they must be low risk. However, just as our previous reports have indicated, this isn't the case. 44.1% – over 2,700 – of the vulnerabilities not published by NVD/CVE have a CVSSv2 score between 7.0 and 10, and these include vulnerabilities in widely deployed software used by many organizations. Any security product or tool that relies on CVE/NVD is putting your organization at serious risk,” said Jake Kouns, Chief Information Security Officer for Risk Based Security.
“As Equifax dominated the data breach headlines, it was revealed that, due to a series of delays, they were unable to patch the exploited flaw, now commonly known as Struts-Shock, in a timely fashion. What the media missed is that there have been a total of 75 vulnerabilities in Apache Struts, and 5 new vulnerabilities since Struts-Shock was disclosed. It makes you wonder if there were any other delays in correcting those issues as well, and if Equifax has additional unpatched vulnerabilities,” added Kouns.
The newly released Q3 2017 report from Risk Based Security shows that 39.9% of the total reported vulnerabilities received CVSSv2 scores above 7.0. This means that not only is the number of vulnerabilities on the rise, but the severity of the vulnerabilities disclosed remains high. More concerning for organizations is that 31.6% of the vulnerabilities disclosed have public exploits available and 47.9% can be exploited remotely.
The VulnDB QuickView report also highlights the relationships between researchers and vendors, showing that they are continuing to work together. The share of vulnerabilities disclosed in a coordinated fashion continues to be around 43%, on par with the mid-year report. In addition, 6.1% of the vulnerabilities disclosed in software products were coordinated through vendor and third-party bug bounty programs.
“While our proprietary Vulnerability Timeline and Exposure Metrics (VTEM) show that not all vendors are prioritizing and fixing vulnerabilities as quickly as we would prefer, the good news is that 75.8% of 2017 vulnerabilities through September do have a documented solution,” says Kouns.