By Chris Goettl
When we reached the midpoint of 2018, we checked in to see how the year was trending. We saw a series of Meltdown and Spectre vulnerabilities causing more headaches than actual threats. We saw vendors who had never made much more than a small splash on the Common Vulnerabilities and Exposures (CVE) scene jump up to be the leaders of the pack. And hardware and firmware updates pushed their way permanently into the vulnerability management scene.
Let’s take a quick look back to identify trends and patterns and see what lessons we can learn. We’ll review what we saw throughout 2018 and also some trends across the last decade. From this we will provide some guidance as to what you should be working toward to make your cybersecurity program successful.
Let’s start at the highest level. 2018 reached a record high for total CVEs identified and resolved. According to CVE Details (which counts CVEs by publication date), there were 16,555 CVEs reported and resolved across the industry that year. That is more than two and a half times the 6,447 CVEs resolved in 2016, and still a sizeable step up from the 14,714 CVEs resolved in 2017.
Is the cyber world really that much less secure than only a few years ago? The answer to that question is really yes and no. Yes, there are more technologies and software titles entering the market and with each entry there are more vulnerabilities to be resolved. Any technology will inherently have flaws that can be exploited.
At the same time, you can say that no, the cyber world is not less secure than it was. We are just becoming more disciplined and transparent about the vulnerabilities that exist. What I mean by this is that back in 1999, the year the CVE list was launched, there were 894 CVEs resolved. CVEs were a new concept for the most part, and technology was not yet as well connected and prevalent as it is today. As those early vendors matured their vulnerability disclosure processes, and as threat actors started to ramp up their game, an arms race began. We have made significant leaps in the past couple of years and we can expect to see even more leaps in CVE resolution in coming years.
Let’s dig in a bit deeper by looking at which vendors were in the top 10 list for vulnerabilities resolved. This count is from CVEDetails.com and shows how many vulnerabilities each vendor resolved and disclosed across all its products.
Household names such as Microsoft, Google and Adobe are represented. There are a lot of Linux-based companies on the list, and Qualcomm, which had never appeared in the top 50, suddenly made its debut in the top 10.
This year’s top 10 list prompted me to ask a few questions, such as how does a vendor like Qualcomm, which had never had more than 10 CVEs reported in a single year, suddenly jump into the top 10? What’s more, if you look at the top 50 products for 2018, Qualcomm holds 26 of the 50 products by vulnerabilities resolved. The answer is that more vendors are engaging in structured bug bounty programs, active vulnerability testing and proper disclosure. Check out this post from Qualcomm in January.
More vendors are engaging in active vulnerability assessments of their products and interfacing with security practitioners to get more eyes on the problem. There are even vendors creating an ecosystem where other vendors can publish rules of engagement and targeted products for security practitioners to focus on. The team over at HackerOne has been around since 2013 and, as you can see, many vendors are signing up. They have signed more than 10 new companies so far in 2019. By the way, Qualcomm has a profile on HackerOne. My guess as to how Qualcomm went from 10 or fewer vulnerabilities a year to the top 10 list in 2018 is the payouts on some of those bounties, including $15k for critical vulnerabilities in their cellular modem technologies.
Another notable trend among the top vendors and products is around Linux. Debian topped the list for 2018, resolving a total of 952 CVEs for the year. That is the second-highest CVE count ever resolved by a single vendor in a year, just behind Google’s whopping 1,000 CVEs in 2017. Linux operating systems have been in the top 50 for a long time, but the Linux community is stepping up its game and competing head-to-head with vendors such as Microsoft, Google, Oracle, Apple and Adobe for total number of vulnerabilities resolved. This reinforces the fact that no operating system is free of vulnerabilities. Every OS will have them and must be maintained.
A couple of other vendors that worked their way onto the list of contenders are Foxit Software and ImageMagick. While neither company is particularly large, both have made the top 50 vendor list for the past two years. ImageMagick hit the top 10 in 2017 and Foxit was number 12 in 2018. Two important things to note here:
Moving to alternative software does not improve security. If you left Adobe for Foxit because you were overwhelmed by the number of vulnerabilities in Adobe products, Foxit wasn’t far behind them this year. Foxit’s vulnerability program is only now maturing, and the two will likely be fairly comparable going forward.
Just because an application on your network is limited in its use and is not widely known does not mean that it has no security vulnerabilities. ImageMagick resolved 357 vulnerabilities in 2017, all in one application, ranking fourth overall among products for 2017, just behind iPhone OS.
Finally, no year-end review of patching would be complete without looking at the great browser race. While Google Chrome dominated usage according to StatCounter, Mozilla Firefox nearly doubled the number of CVEs it resolved in 2018. Firefox ranked number seven in the top 50 products list with 333 CVEs resolved. Chrome came in at number 48 with 160 CVEs resolved, and Microsoft Edge at number 46 with 161. Internet Explorer did not make the top 50 this year. Keep in mind that Qualcomm took 26 of the 50 spots in the top 50 products list. The list would look very different if Qualcomm didn’t have so many devices resolving the same vulnerabilities: a per-product ranking counts one CVE once for every product it affects, so a single chipset flaw fixed across dozens of devices occupies dozens of slots.
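The caveat about per-product rankings is easy to demonstrate with a small tally. The script below is an added example, not code from the article or from CVE Details; it uses constructed records in the shape of an NVD feed entry (a CVE id, a publication year, and CPE 2.3 names for the affected products) with hypothetical vendors and ids. It counts each CVE once per vendor, then once per product, and shows how a vendor with three CVEs that each span five products can hold five of the top seven product slots while ranking last by vendor.

```python
from collections import defaultdict


def _record(cve_id, year, vendor, products, part="a"):
    """Build one constructed record with CPE 2.3 names for each affected product."""
    return {
        "id": cve_id,
        "year": year,
        "cpes": [f"cpe:2.3:{part}:{vendor}:{p}:*:*:*:*:*:*:*:*" for p in products],
    }


# Constructed sample data (hypothetical vendors and ids, not real CVEs):
#   chipmaker:  3 CVEs in 2018, each affecting five chip products
#   browserco:  6 CVEs in 2018, each affecting one product
#   distro:     4 CVEs in 2018 plus one from 2017, each affecting one product
CHIP_PRODUCTS = [f"chip_{i}" for i in range(1, 6)]
SAMPLE_RECORDS = (
    [_record(f"SAMPLE-2018-{i:04d}", 2018, "chipmaker", CHIP_PRODUCTS, "h") for i in range(1, 4)]
    + [_record(f"SAMPLE-2018-{i:04d}", 2018, "browserco", ["browser"]) for i in range(4, 10)]
    + [_record(f"SAMPLE-2018-{i:04d}", 2018, "distro", ["os"], "o") for i in range(10, 14)]
    + [_record("SAMPLE-2017-0001", 2017, "distro", ["os"], "o")]
)


def parse_cpe(cpe):
    """Return (vendor, product) from a CPE 2.3 formatted string."""
    parts = cpe.split(":")
    if len(parts) < 5 or parts[0] != "cpe" or parts[1] != "2.3":
        raise ValueError(f"not a CPE 2.3 name: {cpe}")
    return parts[3], parts[4]


def count_by_vendor(records, year):
    """CVEs per vendor for a year; a CVE is counted once per vendor, however many products it hits."""
    seen = defaultdict(set)
    for rec in records:
        if rec["year"] != year:
            continue
        for cpe in rec["cpes"]:
            vendor, _ = parse_cpe(cpe)
            seen[vendor].add(rec["id"])
    return {vendor: len(ids) for vendor, ids in seen.items()}


def count_by_product(records, year):
    """CVEs per (vendor, product) for a year; the same CVE counts against every product it affects."""
    seen = defaultdict(set)
    for rec in records:
        if rec["year"] != year:
            continue
        for cpe in rec["cpes"]:
            seen[parse_cpe(cpe)].add(rec["id"])
    return {key: len(ids) for key, ids in seen.items()}


def top_products(records, year, n):
    """Top n (vendor, product) pairs by CVE count, ties broken by name for a stable order."""
    ranked = sorted(count_by_product(records, year).items(), key=lambda kv: (-kv[1], kv[0]))
    return ranked[:n]


def product_slots_held(records, year, vendor, n):
    """How many of the top n product slots a single vendor occupies."""
    return sum(1 for (v, _), _ in top_products(records, year, n) if v == vendor)


if __name__ == "__main__":
    print("by vendor:", count_by_vendor(SAMPLE_RECORDS, 2018))
    for (vendor, product), count in top_products(SAMPLE_RECORDS, 2018, 7):
        print(f"{vendor:>10} {product:<10} {count}")
    print("chipmaker slots in top 7:", product_slots_held(SAMPLE_RECORDS, 2018, "chipmaker", 7))
```

Against a real feed the same two tallies, run side by side, tell you whether a vendor's prominence reflects many distinct flaws or a few flaws fixed across many products; the vendor count is the one to use when comparing disclosure programs, the product count when prioritising which assets to patch.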
So, what are the patch management lessons learned this year?
As an industry we are becoming more disciplined in identifying and resolving vulnerabilities.
The idea that only one OS needs patching was debunked years ago, but 2018 serves as a reminder that all OSes, whether Windows, Mac or Linux, are vulnerable, so start patching.
Newer software alternatives are not more secure. They are often just less mature in their processes, so even though you don’t see the vulnerabilities, they are still there.
Any software on your network, no matter how small, presents a security risk. Keep all software updated or get rid of it.
It does not matter which browser you use; they are all targets. Threat actors go after browsers and file-level attacks for a reason: it is much easier to socially engineer a way into a system than to force a way in remotely. When a remotely exploitable opportunity does come along, though, they cash in quickly. Remember WannaCry.
About Chris Goettl
Chris Goettl is director of product management, security at Ivanti. He is a strong industry voice with over 10 years of experience in supporting, implementing, and training IT admins on how to implement strong patching processes. He hosts a monthly Patch Tuesday webinar, blogs on vulnerability and related software security topics, and is often quoted as a security expert in the media.