The number of software vulnerabilities recorded last year grew by 31 percent compared to 2016 and one-third of them have public exploits, according to a new report.
Vulnerability intelligence firm Risk Based Security, which maintains its own vulnerability database called VulnDB, recorded a total of 20,832 security flaws last year. Around 7,900 of those flaws do not have Common Vulnerabilities and Exposures (CVE) IDs and were not recorded in the U.S. government’s National Vulnerability Database (NVD).
The CVE maintainers have been repeatedly criticized in the past for not assigning CVEs in a timely manner—delays being on the order of months—and for not having a wide enough scope for vulnerability inclusion. Even among the assigned CVE IDs, there are many that still have “reserved” status and no actual details about the flaws they cover, despite such information having been released publicly elsewhere.
This discrepancy in coverage between vulnerability databases means that security scanners and other products that rely solely on CVE for vulnerability identification and information are likely to miss a large number of security issues on corporate networks.
“By the numbers, despite CVE/NVD making efforts to address coverage issues after industry and Congressional pressure, 2017 shows that they are actually falling further behind,” Risk Based Security said in its report. “Along with the drop in quality of CVE entries, this firmly demonstrates that CVE/NVD is no longer ‘good enough’ for your organization’s vulnerability management.”
The situation is only getting worse as the vulnerabilities missed by CVE pile up year after year. RBS’ VulnDB now contains more than 57,000 publicly disclosed vulnerabilities that are not present in CVE and NVD, and many of these missing flaws are not in obscure products, either.
“They span from companies such as Google, maker of the Chrome browser, Chrome OS, and several third-party libraries that are integrated into significant projects, to mid-range companies providing software to organizations of all sizes such as Trend Micro, SAP, and Zoho,” Risk Based Security said.
Returning to the 20,832 vulnerabilities recorded last year, around 40 percent of them were rated High or Critical in terms of severity—between 7.0 and 10.0 on the Common Vulnerability Scoring System (CVSS). More than 17 percent were rated Critical.
The top 10 vendors with vulnerabilities rated between 9.0 and 10.0 are Google, SUSE, Canonical, Red Hat, SGP Technologies, Adobe Systems, Mozilla, Samsung, Oracle and Xerox. Over half of all vulnerabilities reported in 2017 were in products from major vendors.
The disclosure of 1 in 5 vulnerabilities (18.6 percent) was uncoordinated, meaning they were made public without notifying the vendor in advance. In addition, 39.5 percent of all vulnerabilities had public exploits or a sufficient level of detail available to allow the creation of functioning exploits.
Almost a quarter of all reported flaws had no patch or other known solution available. This suggests that while patching is important, it must be combined with other layers of protection.
The top reason for vulnerabilities in 2017 was insufficient or improper validation of input. This is the root cause of entire classes of vulnerabilities such as buffer overflows, cross-site scripting (XSS), SQL injection and command injection, and it accounted for two-thirds of the flaws reported in 2017.
“Having a mature SDL [software development lifecycle] that includes secure coding practices can iron out a lot of such issues and significantly reduce the threat from attackers,” the RBS researchers said.
More than half of all vulnerabilities were found in web applications, with XSS accounting for 36 percent of these and SQL injection for 19 percent. This is not necessarily surprising, given that advances in web standards and browser capabilities have led to more and more software being engineered as web applications.
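To make concrete what the report means by improper input validation as the shared root cause of SQL injection and XSS, here is a small added example (not code from the report or from Risk Based Security). It uses Python's standard-library `sqlite3` and `html` modules against a constructed in-memory table; the table contents, the `users` schema and the allowlist pattern for usernames are all assumptions made for illustration. Each vulnerable function sits beside its hardened counterpart so the difference in how untrusted input is treated is visible.

```python
import html
import re
import sqlite3

# Allowlist for a username field: only lowercase letters, digits and
# underscore, 1 to 32 characters. Constructed policy for the example.
USERNAME_RE = re.compile(r"^[a-z0-9_]{1,32}$")


def make_db():
    """Build a constructed in-memory database so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("o'neil", "user")],
    )
    return conn


def validate_username(name):
    """Input validation: reject anything outside the allowlist before it
    reaches a query, a shell or a template."""
    return USERNAME_RE.fullmatch(name) is not None


def lookup_unsafe(conn, name):
    """Vulnerable: the input is spliced into the SQL text, so a quote in
    the input changes the structure of the statement instead of being
    treated as a value. A name containing an apostrophe (o'neil) already
    produces a syntax error; a crafted string changes the WHERE clause."""
    query = f"SELECT name, role FROM users WHERE name = '{name}'"
    return conn.execute(query).fetchall()


def lookup_safe(conn, name):
    """Hardened: a bound parameter is always data. The driver never
    re-parses it as SQL, so quotes and keywords in the input are inert."""
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)
    ).fetchall()


def render_greeting_unsafe(name):
    """Vulnerable: untrusted text is placed into HTML without encoding,
    so markup in the input is interpreted by the browser (XSS)."""
    return f"<p>Hello, {name}</p>"


def render_greeting_safe(name):
    """Hardened: output encoding for the HTML body context. quote=True also
    encodes quote characters, which matters inside attribute values."""
    return f"<p>Hello, {html.escape(name, quote=True)}</p>"


def compare_lookups(conn, name):
    """Return (unsafe_rows, safe_rows) for the same input so the two
    behaviours can be compared side by side."""
    return lookup_unsafe(conn, name), lookup_safe(conn, name)


if __name__ == "__main__":
    db = make_db()
    for candidate in ["alice", "o'neil", "' OR 'a'='a"]:
        print(f"validate_username({candidate!r}) -> {validate_username(candidate)}")
    # The tautology input returns every row from the unsafe query and
    # nothing from the parameterised one, because no user has that name.
    unsafe_rows, safe_rows = compare_lookups(db, "' OR 'a'='a")
    print("unsafe rows:", unsafe_rows)
    print("safe rows:  ", safe_rows)
    print(render_greeting_unsafe('<b>x</b> & "y"'))
    print(render_greeting_safe('<b>x</b> & "y"'))
```

The two defences are complementary, which is the point the report's SDL recommendation makes: the allowlist check rejects malformed input at the boundary, while parameterised queries and context-aware output encoding keep any input that does get through from being interpreted as code. Relying on only one of them is how a single validation gap becomes both an injection and an XSS finding.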