A recently released report from the security company Risk Based Security, “Vulnerability QuickView: 2017 Vulnerability Trends”, shows that the number of vulnerabilities disclosed in 2017 reached a record high of 20,832.
According to the company’s VulnDB QuickView, the number of vulnerabilities disclosed last year was up 31.0% from the previous year. The number of vulnerabilities included in the U.S. National Vulnerability Database (NVD) also increased.
Of the 2017 disclosures counted by Risk Based Security, 7,900 were not included in MITRE’s Common Vulnerabilities and Exposures (CVE) list or in the NVD, and 44.5% of those uncatalogued vulnerabilities carry a CVSSv2 (Common Vulnerability Scoring System, version 2) base score of 7.0 to 10.0, which is the high-severity band. This poses a significant risk for organizations of every kind around the world: a vulnerability management program that relies only on CVE and NVD may never learn that these vulnerabilities exist.
The report says that in 2017, 39.3% of all disclosed vulnerabilities had a CVSSv2 score of 7.0 or higher; of those, 48.5% are remotely exploitable and 31.5% have a public exploit. More than half (50.6%) of the 2017 vulnerabilities were web-related, and 28.9% of the web-related vulnerabilities were cross-site scripting (XSS) flaws.
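The report’s severity figures rest on CVSSv2 base scores and on NVD’s bands for them (Low 0.0 to 3.9, Medium 4.0 to 6.9, High 7.0 to 10.0), and its “remotely exploitable” count corresponds to an Access Vector of Network (AV:N). The following Python example, added here and not taken from the report or from Risk Based Security, computes CVSSv2 base scores from vector strings using the weights and formula in the CVSS v2.0 specification, bands them, and tallies the kind of breakdown quoted above (share of High-severity entries, share of those reachable remotely, and entries with no CVE ID) over a small constructed set of records. The record format, the `SAMPLE` data and the CVE IDs in it are assumptions for illustration.

```python
"""Compute CVSSv2 base scores from vector strings and tally severity bands.

Added example with constructed sample data; not from the Risk Based Security
report, VulnDB or NVD. Weights and formula are those of the CVSS v2.0 spec.
"""
import math

# CVSSv2 base metric weights (CVSS v2.0 specification).
_AV = {"L": 0.395, "A": 0.646, "N": 1.0}      # Access Vector: Local, Adjacent, Network
_AC = {"H": 0.35, "M": 0.61, "L": 0.71}       # Access Complexity: High, Medium, Low
_AU = {"M": 0.45, "S": 0.56, "N": 0.704}      # Authentication: Multiple, Single, None
_CIA = {"N": 0.0, "P": 0.275, "C": 0.660}     # Confidentiality/Integrity/Availability impact


def _round1(x: float) -> float:
    """Round half up to one decimal, as the CVSSv2 spec requires (not banker's rounding)."""
    return math.floor(x * 10 + 0.5) / 10


def parse_vector(vector: str) -> dict:
    """Parse 'AV:N/AC:L/Au:N/C:P/I:P/A:P' into a metric dict; reject incomplete vectors."""
    metrics = {}
    for part in vector.split("/"):
        key, _, value = part.partition(":")
        metrics[key] = value
    if set(metrics) != {"AV", "AC", "Au", "C", "I", "A"}:
        raise ValueError(f"incomplete CVSSv2 base vector: {vector}")
    return metrics


def base_score(vector: str) -> float:
    """CVSSv2 base score: 0.6*Impact + 0.4*Exploitability - 1.5, times f(Impact)."""
    m = parse_vector(vector)
    impact = 10.41 * (1 - (1 - _CIA[m["C"]]) * (1 - _CIA[m["I"]]) * (1 - _CIA[m["A"]]))
    exploitability = 20 * _AV[m["AV"]] * _AC[m["AC"]] * _AU[m["Au"]]
    f_impact = 0 if impact == 0 else 1.176   # no impact at all yields a score of 0
    return _round1((0.6 * impact + 0.4 * exploitability - 1.5) * f_impact)


def severity(score: float) -> str:
    """NVD's CVSSv2 bands: Low 0.0-3.9, Medium 4.0-6.9, High 7.0-10.0."""
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    return "Low"


def summarize(records) -> dict:
    """Tally the figures the report breaks out over a list of {"cve", "vector"} records:
    High-severity share, remotely exploitable (AV:N) share of the High entries,
    and entries that carry no CVE ID (the coverage gap a CVE/NVD-only feed misses)."""
    total = len(records)
    high = [r for r in records if severity(base_score(r["vector"])) == "High"]
    remote_high = [r for r in high if parse_vector(r["vector"])["AV"] == "N"]
    no_cve = [r for r in records if not r.get("cve")]
    return {
        "total": total,
        "high": len(high),
        "high_pct": round(100 * len(high) / total, 1) if total else 0.0,
        "high_remote_pct": round(100 * len(remote_high) / len(high), 1) if high else 0.0,
        "no_cve": len(no_cve),
        "no_cve_high": sum(1 for r in no_cve if severity(base_score(r["vector"])) == "High"),
    }


# Constructed sample records (hypothetical; the CVE IDs are placeholders, not real entries).
SAMPLE = [
    {"id": "v1", "cve": "CVE-0000-0001", "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"},  # 10.0
    {"id": "v2", "cve": "CVE-0000-0002", "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"},  # 4.3, typical XSS
    {"id": "v3", "cve": None, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"},             # 7.5, no CVE
    {"id": "v4", "cve": None, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"},             # 7.2, local, no CVE
    {"id": "v5", "cve": "CVE-0000-0005", "vector": "AV:L/AC:M/Au:N/C:N/I:N/A:P"},  # 1.9
]

if __name__ == "__main__":
    for r in SAMPLE:
        s = base_score(r["vector"])
        print(r["id"], r["cve"] or "(no CVE)", r["vector"], s, severity(s))
    print(summarize(SAMPLE))
```

The `v2` vector is the one most reflected XSS reports receive (4.3, Medium), which is why a large XSS share, as in the report, pulls the overall severity distribution down even in a record year; `v3` and `v4` show why the CVE-less entries matter, since both are High-severity yet would be invisible to a tool that only consumes NVD.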
The top 10 vendors ranked by number of vulnerabilities with a CVSSv2 score of 9.0 to 10.0 are Google (503 vulnerabilities), SUSE (301), Canonical (285), Red Hat (274), Silent Circle subsidiary SGP (257), Adobe (256), Mozilla (246), Samsung (228), Oracle (201) and Xerox (198).
The top 10 products ranked by number of vulnerabilities with a CVSSv2 score of 9.0 or higher are Google Pixel / Nexus devices (354 vulnerabilities), Ubuntu (285), SilentOS (257), Red Hat Linux (253), Firefox (246), SUSE Linux Enterprise (226), Samsung Mobile (226), SUSE Linux Enterprise Server (197), openSUSE Leap (196) and FreeFlow Print Server (191).
Last year, at least 44.8% (9,335) of the vulnerabilities were disclosed in coordination with the vendor, while 18.6% (3,875) were disclosed without the vendor’s involvement. Disclosures that came through a vendor or third-party bug bounty program accounted for only 5.9%.
Although most of the disclosed vulnerabilities (72.8%) have a vendor update or some other form of patch, 23.2% of them currently have no available fix. On the other hand, 443 of last year’s reported vulnerabilities turned out to be invalid disclosures that pose no risk and require no mitigation.
The report also found that SCADA products accounted for only 1.7% of the vulnerabilities counted in 2017, down from 2.8% in 2016. Of the SCADA vulnerabilities, 52.2% are remotely exploitable, 73.5% affect product integrity, and 61.3% stem from improper input validation.
Risk Based Security’s Vice President of Vulnerability Intelligence said: “Tracking and classifying vulnerabilities was not easy for organizations in 2017, as this was a record year for vulnerability disclosures. We continue to witness attacks by black businesses and data breaches. If your vulnerability intelligence solution does not cover the more than 20,000 vulnerabilities disclosed in 2017, your company is bound to face greater risk than ever before.”