{"id":3054,"date":"2014-09-03T09:31:00","date_gmt":"2014-09-03T09:31:00","guid":{"rendered":"http:\/\/marcbook.local\/wds\/playground\/cybertrust\/2014\/09\/03\/industry-vulnerability-disclosures-trending-up\/"},"modified":"2023-05-15T23:03:57","modified_gmt":"2023-05-16T06:03:57","slug":"industry-vulnerability-disclosures-trending-up","status":"publish","type":"post","link":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2014\/09\/03\/industry-vulnerability-disclosures-trending-up\/","title":{"rendered":"Industry Vulnerability Disclosures Trending Up"},"content":{"rendered":"

A vulnerability disclosure, as the term is used in the Microsoft Security Intelligence Report, is the revelation of a software vulnerability to the public at large. Disclosures can come from a variety of sources, including publishers of the affected software, security software vendors, independent security researchers, and even malware creators.<\/p>\n

The vulnerability disclosure data in the Security Intelligence Report is compiled from the National Vulnerability Database (NVD), the US government\u2019s repository of standards-based vulnerability management data. The NVD covers every disclosure that has been assigned a published Common Vulnerabilities and Exposures (CVE) identifier, so a disclosure that never receives a CVE does not appear in the counts below.<\/p>\n

Industry-wide vulnerability disclosures trending upwards<\/strong><\/span>
\nFigure 1 illustrates the vulnerability disclosure trend across the entire industry since 2011. Between 2011 and the end of 2013, half-yearly disclosure counts ranged from a low of 1,926 in the second half of 2011 to a high of 2,588 in the first half of 2012; in each year of this period more than 4,000 vulnerabilities were disclosed across the industry. For additional context, the peak period for industry-wide disclosures was 2006-2007, when 6,000 to 7,000 vulnerabilities were disclosed each year. Disclosures across the industry in the second half of 2013 (2H13) were up 6.5 percent from the first half of the year and up 12.6 percent from the second half of 2012.<\/p>\n

Not all vulnerabilities are equal \u2013 there are differences in severity and access complexity.<\/p>\n

Vulnerability severity trends<\/strong><\/span>
\nThe Common Vulnerability Scoring System (CVSS) is a standardized, platform-independent scoring system for rating IT vulnerabilities. The CVSS base metric assigns each vulnerability a numeric score between 0 and 10 according to severity, with higher scores representing greater severity. As Figure 3 illustrates, vulnerabilities that scored 9.9 or greater represented 6.2 percent of all vulnerabilities disclosed in the second half of 2013, a significant decrease from the first half of the year, when they accounted for 12.4 percent. Vulnerabilities that scored between 7.0 and 9.8 rose to 25.3 percent of disclosures in the second half of 2013, from 24.4 percent in the first half. Medium severity disclosures increased 19.1 percent between the first and second halves of 2013 and accounted for 59.3 percent of total disclosures in the second half of the year. In general, mitigating the most severe vulnerabilities first is a security best practice.<\/p>\n

Vulnerability access complexity trends<\/strong><\/span>
\nSome vulnerabilities are easier to exploit than others. The single severity score does not show this on its own: access complexity is folded into the base score together with the impact metrics, so a score by itself does not tell you whether it came from a severe impact that is hard to reach or a modest impact that is trivially reachable. Complexity is therefore an important factor in judging the magnitude of the threat a vulnerability poses. A high-severity vulnerability that can only be exploited under very specific and rare circumstances might require less immediate attention than a lower-severity vulnerability that can be exploited more easily.<\/p>\n

The CVSS access complexity metric rates each vulnerability Low, Medium, or High. Figure 4 shows complexity trends for vulnerabilities disclosed since the first half of 2011 (1H11). Note that Low complexity in Figure 4 indicates greater risk (the vulnerability is easier to exploit), just as High severity indicates greater risk.<\/p>\n

Low-complexity vulnerabilities, the easiest to exploit, accounted for 43.5 percent of all disclosures in the second half of 2013, a decrease from 52.9 percent in the first half of the year. Medium-complexity vulnerabilities accounted for 51.9 percent of all disclosures in the second half of 2013, an increase from 41.9 percent in the first half of the year. High-complexity vulnerabilities decreased to 4.6 percent of all disclosures in the second half of 2013, down from 5.3 percent in the first half of the year.<\/p>\n

Operating system, browser, and application vulnerabilities<\/strong><\/span>
\nComparing operating system vulnerabilities with vulnerabilities in other software requires deciding whether a particular program or component should be counted as part of the operating system. This determination is not always simple and straightforward, given the componentized nature of modern operating systems. Some programs (media players, for example) ship by default with some operating system software but can also be downloaded from the software vendor\u2019s website and installed individually. Linux distributions, in particular, are often assembled from components developed by different teams, many of which provide crucial operating functions such as a graphical user interface (GUI) or Internet browsing.<\/p>\n

To facilitate analysis of operating system and browser vulnerabilities, the Microsoft Security Intelligence Report distinguishes among four different kinds of vulnerabilities:<\/p>\n