Publicly disclosed vulnerabilities continue to rise
The first quarter of 2018 has shown a 1.8 percent increase in the number of disclosed vulnerabilities over the same period in 2017, with 5,375 unique vulnerabilities reported.
This is one of the findings of Risk Based Security's latest Vulnerability QuickView Report, which suggests that unless the rate of increase slows down, 2018 will be another record year.
More worrying is that 1,790 (33.3 percent) of the vulnerabilities tracked do not have a CVE ID assigned and are therefore not available in NVD and similar databases that rely solely on CVE. 19.7 percent of these vulnerabilities have a CVSSv2 score between 9.0 and 10, putting them in the most severe category.
In addition, 32.7 percent of the vulnerabilities have public exploits or sufficient details available to make writing an exploit easy, and 49.1 percent are remotely exploitable. The good news is that 74.3 percent have a documented solution such as a proper workaround, patch, or fixed version.
However, that leaves over 1,300 vulnerabilities without patches, which means organizations relying solely on patch management software for remediation are failing to address weaknesses in their infrastructure and applications. Incorporating vulnerability intelligence into asset management therefore provides an extra line of defense, allowing administrators to identify and implement in-house workarounds or compensating controls until a patch or update becomes available.
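As an added illustration (not from the report or from Risk Based Security), the following Python sketch joins a constructed vulnerability feed against a constructed asset inventory and flags the two gaps the report highlights: entries without a CVE ID, which CVE-only tooling never sees, and entries without a fix, which need a compensating control until one ships. All identifiers, scores and the priority weighting are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Vuln:
    vid: str                 # vendor-assigned id (constructed placeholder)
    product: str
    cve: Optional[str]       # None: absent from CVE-only feeds such as NVD
    cvss2: float
    exploit_public: bool     # public exploit, or enough detail to make one easy
    remote: bool
    solution: Optional[str]  # "patch", "fixed_version", "workaround" or None

@dataclass
class Finding:
    asset: str
    vuln: Vuln
    priority: float
    action: str

def priority_score(v: Vuln) -> float:
    """CVSSv2 base score, bumped for a public exploit and remote reachability."""
    return v.cvss2 + (2.0 if v.exploit_public else 0.0) + (1.0 if v.remote else 0.0)

def triage(assets: dict, vulns: list) -> list:
    """Join the feed to the asset inventory and decide an action per match."""
    findings = []
    for asset, products in assets.items():
        for v in vulns:
            if v.product not in products:
                continue
            action = f"apply {v.solution}" if v.solution else "no fix: apply compensating control"
            if v.cve is None:
                action += "; track in-house (not visible to CVE-only scanners)"
            findings.append(Finding(asset, v, priority_score(v), action))
    return sorted(findings, key=lambda f: f.priority, reverse=True)

def coverage_gap(findings: list) -> dict:
    """Count matched findings a CVE-only or patch-only process would miss."""
    return {"total": len(findings),
            "missing_cve": sum(f.vuln.cve is None for f in findings),
            "no_fix": sum(f.vuln.solution is None for f in findings)}

# Constructed sample feed and inventory; ids, products and CVE numbers are placeholders.
SAMPLE_VULNS = [Vuln("RBS-0001", "widgetd", "CVE-0000-0001", 9.3, True, True, "patch"),
                Vuln("RBS-0002", "widgetd", None, 7.5, True, True, None),
                Vuln("RBS-0003", "reportgen", None, 4.3, False, False, "workaround"),
                Vuln("RBS-0004", "oldlib", "CVE-0000-0004", 10.0, False, True, None)]
SAMPLE_ASSETS = {"web-01": {"widgetd", "oldlib"}, "batch-07": {"reportgen"}}
```

Calling `triage(SAMPLE_ASSETS, SAMPLE_VULNS)` returns the matched findings ordered by priority, and `coverage_gap` on that list shows how many of them a CVE-only or patch-only workflow would leave unaddressed.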
"Every year we see an incredible number of publicly disclosed vulnerabilities missed by the CVE project, and every year we see thousands of data breaches, some caused by not patching known vulnerabilities," says Brian Martin, vice president of vulnerability intelligence for Risk Based Security. "Organizations that continue to rely on inferior vulnerability intelligence are putting themselves at increased risk of downtime or compromise, which often leads to their customers receiving the brunt of the fallout."
You can get a copy of the full report from the Risk Based Security website.