Vulnerabilities are one of the elements frequently identified in security incidents and, together with other threats like exploits and malware, constitute a latent risk. In 2017, the number of vulnerabilities reported reached its historic peak, smashing records set in previous years. Not only that, but the number of vulnerabilities identified as critical also reached a peak in the year just ended.
The number of vulnerabilities reported increased in the past year
In 2017, the number of vulnerabilities smashed records set in previous years. According to CVE Details, more than 14,600 vulnerabilities were reported in 2017, compared to 6,447 in 2016. The total has more than doubled since 2016, amounting to an increase of 120% from one year to the next.
It is important to point out that the increase could actually be even higher than this, as these records do not include zero-day vulnerabilities, which are used “in the wild”, without the knowledge of manufacturers or users.
Looking at the results of these records, it is also worth pointing out that in 2017 an average of 40 vulnerabilities were reported per day, versus 17 vulnerabilities recorded per day in 2016.
High and critical severity vulnerabilities are also increasing
The severity of a vulnerability is determined on the basis of various factors, such as its impact on the confidentiality, integrity or availability of data, the attack vector used, the complexity of the attack, the privileges required, and whether any user interaction is needed. Turning these factors into a comparable severity rating requires a scoring system.
The Common Vulnerability Scoring System (CVSS) is a scoring system designed to provide an open, standardized method for assessing the impact of vulnerabilities, and is hence used to quantify their severity. Currently, two versions of this system are in use: CVSS v2.0 and CVSS v3.0.
In both cases, the scoring system incorporates three groups of metrics used to calculate the score. The first group, called the base group, represents the intrinsic qualities of the vulnerability, in other words those that do not change over time or from one environment to another.
The second group, known as the temporal group, reflects the characteristics that change over time. And lastly, the group of environmental metrics takes into account the characteristics of a vulnerability that are unique to the context of the user carrying out the assessment.
After assigning values to the base metrics, the formula results in a score between 0.0 and 10.0, which represents the severity of the vulnerability in question. In CVSS v2.0, there are three categories: Low when the score is between 0.0 and 3.9; Medium if it is between 4.0 and 6.9; and High when the result falls between 7.0 and 10.0.
For CVSS v3.0, there are five categories: None (0.0), Low (0.1–3.9), Medium (4.0–6.9), High (7.0–8.9) and Critical (9.0–10.0).
Based on these severity classifications, it is worth highlighting that in 2017 the number of vulnerabilities rated High in CVSS v2.0, and Critical in CVSS v3.0, also rose considerably, according to the National Vulnerability Database (NVD).
Vulnerabilities considered as critical in CVSS v3.0 also grew significantly over the last 5 years, increasing from 0 (zero) recorded in 2013, to 2,070 by the end of last year, practically double the amount recorded in 2016.
As for vulnerabilities considered as high in CVSS v2.0, the level of growth has also been considerable, increasing from 2,470 in 2016 to more than 4,100 by the end of 2017. That represents an increase of more than 60%.
In the data shown above we can see a major increase in the number of vulnerabilities reported in recent months, together with an additional increase in those considered as high and critical. All in all, we can declare 2017 the year of vulnerabilities.
written by Miguel Angel Mendoza, ESET We Live Security