Just over 66 percent of vulnerabilities published through Q3 2018 have a documented solution and almost 75 percent of vulnerabilities discovered during the year so far had patches available, new research found.
Most vulnerabilities reported in 2018 have either updated versions or patches available. However, 24.9 percent of the reported vulnerabilities currently have no known solution, a reminder that, while patching is very important, it cannot be relied on exclusively as a remedy, according to the 2018 Q3 VulnDB QuickView report by Risk Based Security. In addition to patch management, modern vulnerability management programs should use detailed information on the threats organizations face in order to implement broader mitigation strategies, including compensating security controls.
“The importance of comprehensive vulnerability coverage is clear, but even more critical is having timely intelligence, which cannot be understated,” said Brian Martin, vice president of vulnerability intelligence for Risk Based Security. “We continue to see vulnerabilities that are being actively exploited in the wild well before most organizations are aware of the issues. It is an unfortunate situation to find yourself in a position to learn about a vulnerability after the damage is done.”
The report also found that 16,172 vulnerabilities had been disclosed through October 29, a 7 percent decrease from the record high reported at the same point last year. The 16,172 vulnerabilities cataloged through Q3 2018 by Risk Based Security’s research team eclipsed the total covered by CVE and the National Vulnerability Database (NVD) by over 4,800.
Vulnerabilities with a CVSSv2 score of 9.0 or higher, often referred to as ‘critical’, accounted for 15.4 percent of all published vulnerabilities through Q3. The significant share of critical-severity vulnerabilities continues to show that companies need to remain vigilant.
In total, the report covered 4,823 more vulnerabilities than CVE/NVD through the end of Q3 2018.
“It’s important to understand the limitations of CVE/NVD-based solutions, and the risk that organizations face by not incorporating the most comprehensive vulnerability intelligence available in their risk management solutions. Not only do they cover a subset of reported vulnerabilities, but analysis shows that CVE/NVD-based solutions are about 7-12 weeks behind. The serious risk faced by an organization not warned about a new vulnerability in a timely manner – if at all – is obvious,” said Carsten Eiram, Chief Research Officer for Risk Based Security.
“CVE/NVD-based solutions are also inaccurate and lacking a lot of relevant information, such as the detailed metadata tracked in VulnDB, including the lifecycle of a vulnerability. The information available about any given vulnerability is often changing, so it’s important to track these changes, for example: the release of patches or upgraded versions, changes to impact based on new findings, and exploit availability. CVE/NVD-based solutions are ‘fire and forget’. They rarely update vulnerability information once published,” Eiram said.
Of all the vulnerabilities disclosed through Q3 2018, 67.3 percent are due to insufficient or improper input validation. Though many distinct weakness types fall under this umbrella, it’s clear that vendors still struggle to carefully validate untrusted input from users.