Security Teams Overwhelmed With Bugs, Bitten by Patch Prioritization

Published: 23/11/2024   Category: security




The first half of the year saw more than 11,800 reported security vulnerabilities, but figuring out which ones to patch first remains a thankless job for IT teams.



The number of vulnerabilities disclosed in the first half of the year topped 11,800, forcing companies to determine the impact of an average of 90 security issues per weekday.
The numbers are from cybersecurity firm Flashpoint's "The State of Vulnerability Intelligence — 2022 Midyear Edition" report, which notes that the massive number of vulnerabilities reported in the first half of the year highlights the problems facing companies as they try to triage software security issues and determine which software updates to prioritize.
Without better guidance, organizations attempting to sort through the security issues struggle to separate those that are highly critical from minor vulnerabilities and those that may not affect their environment at all, says Brian Martin, vice president of vulnerability intelligence at Flashpoint.
"There are some issues that will have no bearing on any real organization in the world — it might be a vulnerability in some Chinese blog that has seven installs worldwide," Martin says. "On the other hand, we do have vulnerabilities in Microsoft products, Google products, Apple products. Stuff that is just as high-profile and concerning as any issue from a Patch Tuesday."
Clouding the issue is the focus put on zero-day vulnerabilities, those labeled as discovered in the wild by researchers before a patch is available. These are difficult to collect information on. Google's Project Zero documented 20 such vulnerabilities exploited in the wild in the first half of 2022, while Flashpoint found at least 17 more issues.
Yet the most common attacks usually use known vulnerabilities.
"Discovered-in-the-wild vulnerabilities are often used in high-profile breaches or are attributed to Advanced Persistent Threat (APT) attacks," the report states. "Due to their nature, organizations often lack defensive options for them. However, business leaders need to keep in mind that discovered-in-the-wild vulnerabilities represent a tiny fraction of compromises occurring around the world."
Organizations also had to deal with a growing number of days with hundreds of reported vulnerabilities because of software vendors' regularly scheduled updates. In February, for example, Flashpoint documented 351 issues thanks to releases from Microsoft's Patch Tuesday and disclosures from other software vendors falling on the same day. In April, a similar convergence of software-vulnerability disclosures saw the highest number of vulnerabilities, 356, released in a single day.
"Organizations need to be aware that the vulnerability disclosure landscape is highly volatile, with standard days potentially introducing volumes traditionally seen only on Patch Tuesdays and other similar events," the Flashpoint report states.
Snowballing Levels of Vulnerability Disclosures
The report also shows that the number of vulnerabilities disclosed to vendors continues to remain at high levels.
The National Vulnerability Database (NVD) also documented more than 11,000 flaws assigned Common Vulnerabilities and Exposures (CVE) identifiers in the first six months of the year. However, a fraction of those are not true reported vulnerabilities but vendors reserving CVE identifiers for future, or yet-to-be-disclosed, vulnerabilities. Flashpoint estimates that its database has details on 27% more vulnerabilities than documented in the NVD.
While various distributions of Linux topped the chart of vulnerable applications — such as SUSE, openSUSE Leap, and Ubuntu — open source–focused companies accounted for only four of the 10 vendors with the highest vulnerability counts in the first half of 2022. Yet high counts are not necessarily a sign of insecurity but are often a sign that the software company has a process in place to detect and remediate issues.
"There are many underlying reasons as to why certain products and vendors tend to have high vulnerability counts, such as overall market share, product-specific market share, routine — or lack of — schedule of disclosures, attention from vulnerability researchers, and vendor response/patch time, among others," the Flashpoint report states. "Therefore, organizations should not be immediately concerned about well-known vendors having more vulnerabilities, as it could be a sign that they are actively disclosing and patching issues."
