2020 is shaping up to be a banner year for software vulnerabilities, leaving security professionals drowning in a veritable sea of patching, reporting and looming attacks, many of which they can’t even see.
A trio of recent reports tracking software vulnerabilities over the past year underscores the challenges of patch management and keeping attacks at bay.
“Based on vulnerability data, the state of software security remains pretty dismal,” Brian Martin, vice president of vulnerability intelligence with Risk Based Security (RBS), told Threatpost.
The year didn’t start out that way. The VulnDB team at RBS saw a massive drop in disclosures during the first three quarters of 2020. Then COVID-19 hit, creating a juicy opportunity for malicious actors to exploit the chaos.
“At the end of Q1 this year, we saw what appeared to be a sharp decline in vulnerability disclosures as compared to 2019, dropping by 19.2 percent,” Martin wrote in the third-quarter report. “Statistically that is huge. However, as 2020 continues, we are starting to see just how large an impact the pandemic has had on vulnerability disclosures.”
Software Vuln Perfect Storm
Now, RBS reported that the number of vulnerabilities disclosed will possibly exceed 2019’s numbers, but as the year comes to a close, there’s still much uncertainty about the impact COVID will have into 2021.
“With the pandemic seeing a resurgence in most of the world even as we enter the holiday season, it is difficult to predict the exact influence COVID-19 will have on the vulnerability-disclosure landscape,” the RBS report concluded.
Prior to the pandemic, IT teams were already under tremendous pressure to keep up with patching due to what RBS has dubbed “vulnerability Fujiwara events.” The term “Fujiwara,” according to RBS researchers, describes the confluence of two hurricanes, which they liken to days like Jan. 14, April 14 and July 14 this year, when 13 major vendors, including Microsoft and Oracle, all released patches at the same time. RBS said these three vulnerability Fujiwara events in 2020 put massive stress on security teams.
Meanwhile, some major vendors’ regular Patch Tuesday events are starting to create a type of rolling Vulnerability Fujiwara Effect year-round, RBS added, since the number of patches for each of them has ramped up. With December’s Patch Tuesday, for instance, Microsoft’s patch tally totals 1,250 for the year – well beyond 2019’s 840.
In fact, Microsoft and Oracle lead the Top 50 vendors in the number of reported security vulnerabilities, according to the latest analysis from Comparitech.
Security researchers looked at CVE details across the Top 50 software vendors and found that since 1999, Microsoft is the hands-down leader with 6,700 reported, followed by Oracle with 5,500 and IBM with 4,600.
“New software is being released at a faster rate than old software is being deprecated or discontinued,” Comparitech’s Paul Bischoff told Threatpost. “Given that, I think more software vulnerabilities are inevitable. Most of those vulnerabilities are identified and patched before they’re ever exploited in the wild, but more zero days are inevitable as well. Zero days are a much bigger concern than vulnerabilities in general.”
Online v. Desktop Software Vulnerabilities
The real growth area in software security flaws has been in third-party online software, according to Cyberpion, which has developed a tool to evaluate security holes in entire online ecosystems. Their findings include the startling statistic that 83 percent of the Top 30 U.S. retailers have vulnerabilities which pose an “imminent” cyber-threat, including Amazon, Costco, Kroger and Walmart.
“Software developed for the desktop is fundamentally different than software developed for online,” Cyberpion’s CRO Ran Nahmias told Threatpost. “Desktop software code needs to be secured against a virus for rewriting the code (and the attack occurs on one desktop at a time). Online software has a strong dependency on the infrastructure that hosts, operates and distributes it.”
This creates a massive attack surface, including not just the code itself, but the infrastructure behind it.
“These online infrastructures can get complex, and one misconfiguration anywhere could lead to the code being compromised or modified,” Nahmias said. “Additionally, because the software is centrally located and then serves many customers, a single breach can affect many companies and people (as opposed to the desktop software being infected by a virus which would impact one user).”
What organizations really need to guard their systems appropriately is well-trained professionals. Unfortunately, as Bischoff added, they are in increasingly short supply.
“Aside from the increasing volume of software, the lack of qualified cybersecurity staff contributes to the rise in software vulnerabilities,” he said. “In almost every sector of the economy, cybersecurity personnel are in high demand.”
Meanwhile, software bugs aren’t going anywhere.
“Despite more organizations taking secure development more seriously, and despite more tools available to help find and eliminate vulnerabilities, the amount of disclosed vulnerabilities suggests it hasn’t tipped the scale yet,” Martin added. “We’re hopeful that as more and more news of organizations being breached is taken seriously, and organizations and developers better understand the severity of vulnerable code, that they will make the extra effort to ensure more auditing is done before releasing [software].”