July saw more advisories than June, which had shown a sudden dip (the first half of the year was a continued monthly increase until June).
The Log4j vulnerability is still being detected/reported by vendors after almost 8 months:
IBM Operations Analytics
IBM Tivoli Network IP Edition
IBM Enterprise Content Management System Monitor
The trend we have seen over the last few months, with hackers focusing on Low and Medium Vulnerabilities, has increased again (with May being an exception). These Moderate and Less Critical Vulnerabilities are normally not a priority for many organizations, but please make sure you include Threat Intelligence in your Software Vulnerability Management Process to improve your prioritization.
Important conclusions from this month's report are:
2 Extremely Critical advisories were reported (Google Chrome and Microsoft Edge; both are also Zero-Day)
8 Zero-Day Advisories were reported (6x Microsoft OS, 1x Google Chrome, 1x Microsoft Edge)
Over 2,645 CVEs were covered in the 548 Advisories, which is more than double last month's number (1,281).
Threat Intelligence indicates that more Medium and Low Vulnerabilities are targeted by hackers.
Most vulnerabilities (57.34%) are disclosed by IBM, SUSE, Ubuntu (Canonical), Oracle, and Amazon. (Red Hat is outside the top 5 / top +50% this month.)
Last month we reported that 62.60% of all Secunia Advisories had a Threat (exploits, malware, ransomware, etc.) associated with them. This month the number has been slightly lower at 64.23%↓, with an increase in the lower and medium criticality range.
Using Threat Intelligence is going to help you with prioritizing what needs to be patched immediately.
Software Vulnerability and Patch Management is becoming more and more important. Due to the ongoing Russia-Ukraine conflict, attacks on critical infrastructures in many countries are increasing. Back in 2019 (just before Covid), patching was recommended within 30 days (or 14 days for a CVSS score of 7 or higher).
Right now, hackers are able to deploy exploits within 1 week and even within 24 hours. This means that organizations need to prioritize even better to quickly patch vulnerabilities (especially the ones with threats associated with them).