2020 vulnerabilities expected to exceed last year's
With 11,121 vulnerabilities disclosed in the first half of 2020, the full-year total is expected to exceed that of 2019.
Although the number of vulnerabilities disclosed in the first half of 2020 fell by 8.2 percent compared to the same period in 2019, a drop the report attributes to the impact of COVID-19, the Q2 vulnerability report from Risk Based Security does suggest some signs of a return to 'normal' levels.
Of the vulnerabilities aggregated in the first half of the year, 818 were the result of the 'Vulnerability Fujiwhara Effect', a term adopted by Risk Based Security to describe events in which the Microsoft and Oracle vulnerability disclosure schedules collide on the same day.
"Risk Based Security sounded the alarm back in January. We knew that these events would undoubtedly become a significant strain for IT staff and Vulnerability Managers," says Brian Martin, vice president of vulnerability intelligence at Risk Based Security. "Compared to other Patch Tuesdays this year, the highest reported 'only' 273 new vulnerabilities. However, during April's Fujiwhara event we saw 506 new vulnerabilities reported, 79 percent of which came from seven vendors. Unfortunately for all of us, this is likely what we can expect to occur more frequently in the future. The sheer volume makes one wonder who actually benefits from this all-at-once disclosure of vulnerabilities. Certainly not the paying customers."
The report lists and breaks down the vendors and products with the highest vulnerability counts. Most notable is Microsoft, which saw a 150 percent increase in the number of vulnerabilities disclosed during the first six months of 2020 compared to the whole of 2019. Windows 10 is the product with the most disclosed vulnerabilities by the end of Q2.
Also worrying is that of the vulnerabilities disclosed during the first half of 2020, 30 percent have no CVE ID, and a further three percent, while assigned a CVE ID, are in Reserved status, meaning the ID exists but no details of the vulnerability have been published under it. For a team that prioritizes from CVE/NVD data alone, both groups are effectively invisible, and the volume of disclosures in the April 14 Vulnerability Fujiwhara event alone makes that gap hard to close.
"Given the sheer amount of vulnerabilities disclosed, organizations relying on CVE/NVD will struggle to find timely and actionable intelligence," Martin concludes. "The bare minimum metadata found within NVD is not enough for organizations to properly prioritize and remediate. Organizations are increasing their own risk by relying on CVE to provide complete and timely data. The current level of vulnerability disclosures organizations face on a daily basis is more than CVE can handle, and it will only get worse."
The full report is available from the Risk Based Security site.