Industry Vulnerability Disclosures Trending Up
A vulnerability disclosure, as the term is used in the Microsoft Security Intelligence Report, is the revelation of a software vulnerability to the public at large. Disclosures can come from a variety of sources, including publishers of the affected software, security software vendors, independent security researchers, and even malware creators.
The vulnerability disclosure data in the Security Intelligence Report is compiled from vulnerability disclosure data that is published in the National Vulnerability Database (NVD). This database is the US government’s repository of standards-based vulnerability management data. The NVD represents all disclosures that have a published Common Vulnerabilities and Exposures (CVE) identifier.
Industry-wide vulnerability disclosures trending upwards
Figure 1 illustrates the vulnerability disclosure trend across the entire industry since 2011. Between 2011 and the end of 2013 vulnerability disclosure counts ranged from a low of 1,926 in the second half of 2011 to a high of 2,588 in the first half of 2012; there were more than 4,000 vulnerability disclosures across the entire industry each year during this period. For additional context, the peak period for industrywide vulnerability disclosures was 2006-2007 when 6,000 – 7,000 vulnerabilities were disclosed each year. Vulnerability disclosures across the industry in the second half of 2013 (2H13) were up 6.5 percent from the first half of the year, and up 12.6 percent from the second half of 2012.
Not all vulnerabilities are equal – there are differences in severity and access complexity.
Vulnerability severity trends
The Common Vulnerability Scoring System (CVSS) is a standardized, platform-independent scoring system for rating IT vulnerabilities. The CVSS base metric assigns a numeric value between 0 and 10 to vulnerabilities according to severity, with higher scores representing greater severity. In general, mitigating the most severe vulnerabilities first is a security best practice. Vulnerabilities that scored 9.9 or greater represented 6.2 percent of all vulnerabilities disclosed in the second half of 2013, as Figure 3 illustrates. This percentage represents a significant decrease from the first half of the year, when vulnerabilities that scored 9.9 or greater accounted for 12.4 percent of all vulnerabilities. Vulnerabilities that scored between 7.0 and 9.8 increased to 25.3 percent in the second half of 2013 from 24.4 percent in the first half of the year. Medium severity vulnerability disclosures increased 19.1 percent between the first half and second half of 2013, and accounted for 59.3 percent of total disclosures in the second half of the year.
Vulnerability access complexity trends
Some vulnerabilities are easier to exploit than others. This is a characteristic that’s not captured in the aforementioned severity ratings. Vulnerability complexity is an important factor to consider in determining the magnitude of the threat that a vulnerability poses. A high-severity vulnerability that can only be exploited under very specific and rare circumstances might require less immediate attention than a lower-severity vulnerability that can be exploited more easily.
The CVSS assigns each vulnerability a complexity ranking of Low, Medium, or High. Figure 4 shows complexity trends for vulnerabilities disclosed since the first half of 2011 (1H11). Note that Low complexity in Figure 4 indicates greater risk, just as High severity indicates greater risk.
Disclosures of low-complexity vulnerabilities, the easiest to exploit, accounted for 43.5 percent of all disclosures in the second half of 2013, a decrease from 52.9 percent in the first half of the year. Disclosures of medium-complexity vulnerabilities accounted for 51.9 percent of all disclosures in the second half of 2013, an increase from 41.9 percent in the first half of the year. Disclosures of high-complexity vulnerabilities decreased to 4.6 percent of all disclosures in the second half of 2013, down from 5.3 percent in the first half of the year.
Operating system, browser, and application vulnerabilities
Comparing operating system vulnerabilities to non-operating system vulnerabilities that affect other components requires determining whether a particular program or component should be considered part of an operating system. This determination is not always simple and straightforward, given the componentized nature of modern operating systems. Some programs (media players, for example) ship by default with some operating system software but can also be downloaded from the software vendor’s website and installed individually. Linux distributions, in particular, are often assembled from components developed by different teams, many of which provide crucial operating functions such as a graphical user interface (GUI) or Internet browsing.
To facilitate analysis of operating system and browser vulnerabilities, the Microsoft Security Intelligence Report distinguishes among four different kinds of vulnerabilities:
- Core operating system vulnerabilities are those with at least one operating system product enumeration (“/o”) in the NVD that do not also have any application product enumerations (“/a”).
- Operating system application vulnerabilities are those with at least one /o product enumeration and at least one /a product enumeration listed in the NVD, except as described in the next bullet point.
- Browser vulnerabilities are those that affect components defined as part of a web browser, including web browsers such as Internet Explorer and Apple’s Safari that ship with operating systems, along with third-party browsers such as Mozilla Firefox and Google Chrome.
- Other application vulnerabilities are those with at least one /a product enumeration in the NVD that do not have any /o product enumerations, except as described in the previous bullet point.
- Vulnerabilities in applications other than web browsers and operating system applications increased 34.4 percent in the second half of 2013 (2H13) and accounted for 58.1 percent of total disclosures for the period.
- Operating system vulnerabilities increased 48.1 percent in 2H13, going from last place to second. Overall, operating system vulnerabilities accounted for 17.6 percent of total disclosures for the period. After reaching a high point in 1H13, operating system application vulnerabilities decreased 46.3 percent in 2H13, and accounted for 14.7 percent of total disclosures for the period.
- Browser vulnerability disclosures decreased 28.1 percent in 2H13 and accounted for 9.6 percent of total disclosures for the period.
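As an added example (not the report's own code) of applying the four classes defined above to an NVD entry's CPE 2.2 product enumerations: the set of browser products is an assumption of this example, and a record with neither /o nor /a entries (hardware-only /h, for instance) is labelled unclassified because the report does not define that case.

```python
from collections import Counter

# Assumed browser products in CPE 2.2 (vendor, product) naming. The report names these
# four browsers; the exact CPE names used here are an assumption of this example.
BROWSER_PRODUCTS = {
    ("microsoft", "internet_explorer"),
    ("apple", "safari"),
    ("mozilla", "firefox"),
    ("google", "chrome"),
}

def parse_cpe22(uri):
    """Split a CPE 2.2 URI such as cpe:/a:mozilla:firefox:25.0 into (part, vendor, product)."""
    if not uri.startswith("cpe:/"):
        raise ValueError(f"not a CPE 2.2 URI: {uri}")
    fields = uri[len("cpe:/"):].split(":")
    part = fields[0]
    vendor = fields[1] if len(fields) > 1 else ""
    product = fields[2] if len(fields) > 2 else ""
    return part, vendor, product

def classify(cpe_uris):
    """Apply the report's four classes; browser takes precedence, as its definition requires."""
    parsed = [parse_cpe22(u) for u in cpe_uris]
    if any((vendor, product) in BROWSER_PRODUCTS for _, vendor, product in parsed):
        return "browser"
    parts = {part for part, _, _ in parsed}
    has_o, has_a = "o" in parts, "a" in parts
    if has_o and not has_a:
        return "core operating system"
    if has_o and has_a:
        return "operating system application"
    if has_a:
        return "other application"
    return "unclassified"  # e.g. hardware-only (/h) entries; not one of the report's classes

def share_by_kind(records):
    """Percentage of records in each class, rounded to one decimal as in the report's figures."""
    counts = Counter(classify(cpes) for cpes in records.values())
    total = sum(counts.values())
    return {kind: round(100.0 * n / total, 1) for kind, n in counts.items()}

# Constructed sample records (placeholder ids, not real CVE numbers).
SAMPLE = {
    "SAMPLE-1": ["cpe:/o:microsoft:windows_7:-:sp1"],
    "SAMPLE-2": ["cpe:/o:linux:linux_kernel:3.10", "cpe:/a:gnome:nautilus:3.8"],
    "SAMPLE-3": ["cpe:/a:mozilla:firefox:25.0", "cpe:/o:microsoft:windows_8"],
    "SAMPLE-4": ["cpe:/a:oracle:jre:1.7.0:update45"],
    "SAMPLE-5": ["cpe:/a:adobe:flash_player:11.9.900.117", "cpe:/o:apple:mac_os_x"],
}
```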
Microsoft vulnerability disclosures
Microsoft vulnerability disclosures remained mostly stable, increasing from 174 disclosures in 1H13 to 177 in 2H13, an increase of 1.7 percent. The Microsoft percentage of all disclosures across the industry fell slightly over the same period, from 7.3 percent of all industrywide disclosures in 1H13 to 7.0 in 2H13, because of a larger increase in disclosures from other software publishers. This data highlights the importance of keeping all software up-to-date, not just Microsoft software.
Microsoft has been able to maintain relatively low vulnerability disclosure counts by using the Microsoft Security Development Lifecycle (SDL) – a software development methodology and toolset that is mandatory for all Microsoft products and services. In fact, Microsoft’s SDL celebrated its 10 year milestone this year. If you’d like more details on this story, check out an article we recently published called “The Secret of the SDL.”
Another interesting pivot on vulnerability data is examining which vulnerabilities actually get exploited by attackers. Data on exploitation is typically much harder to get than vulnerability disclosure data, which is why many people try to use disclosure counts as a proxy for what's happening in the threat landscape. A recently published study on exploit activity tells us that most vulnerabilities in Microsoft software can't be exploited, for a number of reasons. I published a series of articles, based on this new research conducted by Microsoft's Security Science team, that help us understand the what, who, when, and how of vulnerability exploitation.
- What vulnerabilities attackers are trying to exploit most often: Keeping Oracle Java updated continues to be high security ROI
- Who exploits vulnerabilities first: Who Exploits Vulnerabilities: the Path from Disclosure to Mass Market Exploitation
- When vulnerabilities get exploited: When Vulnerabilities are Exploited: the Timing of First Known Exploits for Remote Code Execution Vulnerabilities
- How vulnerabilities are being exploited: How Vulnerabilities are Exploited: the Root Causes of Exploited Remote Code Execution CVEs
Tim Rains
Director
Trustworthy Computing