Cyberthreat intelligence company Flashpoint said in a report issued this week that it detected a total of 11,860 vulnerabilities in the first half of 2022, with almost a third of them missed or not detailed by the public MITRE CVE (Common Vulnerabilities and Exposures) database.
The report, “State of Vulnerability Intelligence,” includes disclosures—security vulnerabilities in hardware and software products reported by vendors and cybersecurity experts—collected by Flashpoint’s in-house vulnerability intelligence database, VulnDB.
Flashpoint said that there were large discrepancies in the severity and classification of vulnerabilities between those reported by VulnDB and those recorded in MITRE’s CVE database and the NVD (National Vulnerability Database) maintained by NIST (the US National Institute of Standards and Technology). NIST and MITRE coordinate their findings and report similar vulnerabilities. Flashpoint advised organizations to rely on more comprehensive and specific sources for a clear understanding of the vulnerability landscape.
Flashpoint: MITRE CVE misses vulnerabilities
Flashpoint claimed that 20.7% of the vulnerabilities reported by VulnDB did not have CVE IDs, indicating a lapse by the public MITRE database. Additionally, 6.6% of them were found to be recorded as Reserved in CVE, a status covering disclosures to which MITRE has assigned an ID but for which it has not published details.
“Comparing Flashpoint’s VulnDB coverage to MITRE and NIST, CVE / NVD failed to report and detail 27.3% of all known disclosed vulnerabilities in the first half of 2022,” the report said.
Additionally, the report highlighted that CVSS (Common Vulnerability Scoring System) scoring guidelines dictate scoring “for the worst” if details involving any of the considered metrics are unclear. CVSS base metrics include Access Vector, Access Complexity, and Authentication, along with a vulnerability’s impact on confidentiality, integrity, and availability.
Flashpoint said that while this approach is intended to ensure scores are not set too low, it ends up assigning an unwarranted 10.0 to many vulnerabilities—and that these account for an average of 51.5% of all vulnerabilities rated 10 in each of the last 10 years.
Flashpoint’s analysis put 2,081 of the total vulnerabilities it found into a “sweet spot”—they have a public exploit and are remotely exploitable, but are easily patchable. These, it added, can be prioritized for remediation, and the resulting efficiency can reduce the workload on security teams by 82%.
The report also revealed that, during the first half of the year, Flashpoint identified approximately 40% more “discovered in the wild” vulnerabilities than Google’s popular Project Zero. These vulnerabilities are important because they include issues in both commonly used software and emerging technologies such as blockchain, Flashpoint said.
SUSE tops list for vulnerability disclosures
The first half of the year saw a significant number of vulnerability disclosures reported for products from SUSE, SPI, Microsoft, and Google, with 735, 712, 677, and 573 vulnerabilities respectively, according to VulnDB. SUSE had six products in the list of the top 10 products with the most disclosures for the period.
The highest numbers of disclosures came on “Patch Tuesdays,” Flashpoint said. Patch Tuesday refers to the second Tuesday of the month, when most of the critical security updates from companies including Microsoft, Adobe, and Oracle are released. Patch Tuesdays accounted for six of the 10 most active days in terms of vulnerability disclosures. Other highly active event days included Oracle’s quarterly Critical Patch Update (CPU) and software updates from companies including Bentley, Cisco, and Juniper. However, other days, or “standard” days, are seeing an increasing number of disclosures, Flashpoint said.
VulnDB recorded fewer vulnerability disclosures than the 12,160 for the first half of last year. The report noted, however, that the modest start to 2022 reported by VulnDB is expected to pick up in the second half of the year. This is because of a potentially large amount of backfilling: late entries for vulnerabilities that have been reported but are not yet included in the VulnDB database because they have not been thoroughly researched.
Response time more important than total vulnerabilities
According to Flashpoint, it is important that business leaders do not interpret vulnerability totals as a positive or negative indicator of a vendor’s security posture. To illustrate, Flashpoint described an in-house collection of metadata it calls “Vulnerability Timeline and Exposure Metrics (VTEM)” that captures details such as the average time a vendor takes to respond to a security vulnerability with a patch, and the estimated time before an exploit becomes available.
By comparing the two indicators, the report added, security teams can evaluate vendors more accurately and make better-informed decisions. For instance, it noted that Microsoft has a better response time (patches within a month) than many other vendors, despite having a huge number of disclosures.