A record-breaking number of 20,832 vulnerabilities have been discovered in 2017 but only 12,932 of these received an official CVE identifier last year, a Risk Based Security (RBS) report reveals.
This means that 7,900 security bugs remained without a CVE-2017-XXXXX number, and were left off the databases of many security scanners because of it.
This also means that many security bugs remained buried on forums and personal blogs, places where attackers might have the time to scout but where many IT security departments will never look.
This isn't the first time that MITRE's Common Vulnerability Enumeration (CVE) and the DHS' National Vulnerability Database (NVD) have fallen short of identifying and categorizing all security flaws disclosed during a year, something that has become a habit for the two organizations over the past decade.
The reasons are plenty, but one of them is the explosion of security bugs in IoT devices, which has made it harder for MITRE and NVD staff to keep up with all the bugs.
Furthermore, almost 7,000 2017 vulnerabilities received a CVE ID that remained in RESERVED status, with no public details available, despite 1,342 of them having a public disclosure. "This seems to indicate that MITRE is more focused on assigning and increasing the number of IDs, and not ensuring the quality of data," RBS experts concluded.
CVE-2010-0109 opened up today, covering an issue disclosed on 2010-02-25. (2917 days to open)
— Sciuridae Hero (@attritionorg) February 19, 2018
MITRE is perpetually behind, and that is one recent example of just how bad the problem is.
— Sciuridae Hero (@attritionorg) February 19, 2018
These are just some of the many statistics included in the 2017 Year End VulnDB QuickView report from Risk Based Security. While our readers can learn plenty by reading the entire 20-page report, we summarized the main findings below, in case not all our visitors have the time to skim through the research:
⛔ 39.3% of all vulnerabilities received a CVSSv2 score of 7 or higher.
⛔ 44.5% of vulnerabilities that did not receive a CVE had a CVSSv2 score of 7 or higher.
⛔ 44.8% of all vulnerabilities went through coordinated disclosure with the vendor.
⛔ 5.9% of 2017 vulnerabilities were reported through bug bounty programs.
⛔ Twelve companies accounted for 54.25% of all security bugs.
⛔ Web-related vulnerabilities accounted for 50.6% of all flaws.
⛔ 31.5% of 2017 vulnerabilities have public exploits.
⛔ 48.5% of 2017 vulnerabilities can be exploited remotely.
⛔ 24.1% of 2017 vulnerabilities have not received a patch.
⛔ Cross-Site Scripting (XSS) was the most encountered security bug (28.9%).
⛔ Google products were affected by 503 bugs with a CVSSv2 score of above 9.
⛔ Google Pixel/Nexus devices were affected by 354 bugs with a CVSSv2 score of above 9.
⛔ Half of all the cryptocurrency flaws tracked by RBS were reported in 2017 (60 out of 121).
⛔ 18.77% of vulnerabilities not found in CVE/NVD are scored as Critical Risk (9.0-10).
⛔ Google products account for most bugs not included in CVE/NVD (125), followed by Trend Micro (70), SAP (57), Open Source Geospatial (48), and Jenkins CI (31).
⛔ Chrome OS is the top product when it comes to vulnerabilities without a CVE/NVD identifier (88).
But Risk Based Security's work wasn't limited to analyzing the 2017 vulnerability landscape alone. The company also published the 2017 Year End Data Breach QuickView report, in which it took a look at the overall state of data breach reporting.
Just like the vulnerability report, the data breach report shows 2017 setting a record: 5,207 data breaches exposed a whopping 7.89 billion user records, increases of 20% and 24.2%, respectively, over the previous high marks set in 2015 and 2016. This report's main findings are below:
⛔ 40% of 2017's breaches could not be tracked to their source.
⛔ Web-based unintentional exposure was the leading cause for most of 2017's exposed records (68.7%), but barely accounted for 5% of all breaches.
⛔ Most breaches occurred because of hacking (55.8% of incidents).
⛔ 89 breaches leaked over 1 million records in 2017.
⛔ 2017 finished with 8 breaches on the Top 20 List of All Time Largest Breaches.
⛔ Despite more breaches, and more large breaches, taking place in 2017, nearly 60% of incidents exposed between 1 and 10,000 records.
Comments
Occasional - 6 years ago
Good job CC - the numbers really jump out at you (and if the numbers don't, the graphs should). Especially troubling is the gap between reported and documented vulnerabilities. As you point out: attackers can process tons of low yield ore, in order to find just a few nuggets that will pay off for them. That makes it an asymmetrical conflict.
Big numbers without context don't tell you much; but the context, as laid out, should be clear to anyone taking a serious look at cybersecurity issues.
Well worth a closer read.
GT500 - 6 years ago
Just because someone reports something as a security vulnerability doesn't mean that it actually is.
For instance, I remember a guy who was testing software on Windows XP 2 years ago looking for vulnerabilities; however, he didn't have any Service Packs installed, and he was reporting issues to software development companies that were fixed by Microsoft in updates to Windows XP... And he was testing old software that hadn't been updated for years...