373 advisories for 62 unique vendors in 310 products and 390 unique versions, with 84 rejected advisories issued. Secunia Research helps security teams cut through the clutter in the noisy vulnerability space.
A zero-day vulnerability in Google Chrome was reported on February 24th.
IBM was the top vendor with most vulnerabilities in Tivoli, WebSphere, DB2, and Java - among others.
Microsoft slipped back to the top 10 vendors with most advisories.
Linux-based Operating systems were once again among the top Operating systems with most advisories.
7 instances of Trident Exploit exploiting vulnerabilities in Remote Desktop of Microsoft Operating Systems.
There are many misconceptions about the definition of a zero-day in the security industry. The most widely accepted definition, and the one used by Secunia Research, is “the vulnerability that is being actively exploited on or before the day of its public disclosure.” A patch may or may not exist on the day of its disclosure.
A zero-day vulnerability in Google Chrome was disclosed on February 24th, three days after another patch. The patch for this vulnerability was available on the day of its public disclosure.
The patch for the zero-day is 80.0.3987.122. There has since been another advisory for Google Chrome, so the latest patch version for Google Chrome is 80.0.3987.132 (at the time of publication).
The graph below shows the average criticality per vendor, sorted by the number of advisories, with 5 being the highest criticality.
Secunia Research at Flexera categorizes the severity of vulnerabilities into five criticalities ranging from Extremely to Not Critical. This helps executives, system administrators, and non-security people quickly understand the gravity of issues.
If we remove rejected advisories, the criticality spread looks as shown below.
57.9% of vulnerabilities can be exploited remotely, which makes the remediation efforts even more critical.
A CVSS score is a metric used to measure the severity of a vulnerability. It takes into account the attack vector, the complexity of the exploit, whether user interaction is required, and the impact if the vulnerability is successfully exploited.
CVSSv3 provides insights into the level of severity and criticality. It includes Base Score, Temporal Score, and Environmental Score metrics. Some parameters are constants and provided by Secunia Research, but some can be changed according to each organization’s needs and the sensitivity of the affected asset.
Here we rank the vendors and the average CVSS scores for the vulnerabilities reported in their relevant advisories.
87% of vulnerabilities had a vendor patch available, while only 3.2% had no fix and the same share had a vendor-suggested workaround.
Security teams have competing priorities, so patching or remediating everything is not possible. CSOs and CISOs have to make informed decisions to prioritize the vulnerabilities and their limited resources based on risk. A detailed threat score helps security professionals make the right decision when faced with multiple vulnerabilities at the same time.
5 instances of Fallout Exploit Kit with CVE-2019-11135 in Oracle, Red Hat Linux, SUSE and CentOS.
4 instances of Trident Exploit in Microsoft Windows operating systems’ Remote Desktop exploiting vulnerability CVE-2020-0655, and 3 occurrences exploiting CVE-2020-0660.
3 instances of MyKings Botnet malware that can exploit CVE-2019-12418 in Avaya Call Management System, Oracle Solaris, and McAfee Web Gateway.
3 instances of Mdrop Trojan horse affecting the Red Hat and Oracle Linux kernel (CVE-2019-17666).
1 instance of Satan malware exploiting CVE-2018-20843 affecting IBM Security Site Protector 3.x.
1 instance of Wcry ransomware exploiting CVE-2020-0618 in Microsoft SQL Server 2012, 2014, and 2018.
Update and install operating system patches regardless of whether it is a Linux/Unix-based system or a Microsoft operating system. Browsers are the most prevalent software with extreme exposure to malicious resources. Browsers should be kept up to date, and remediation efforts shouldn’t be delayed for monthly patch cycles. Deploy updates, upgrades, and patches where required, as soon as they are available.
A comprehensive information system is required to help prioritize remediation based on the actual risk and exploit vector. A complete list of vulnerabilities, affected versions, criticality, threat score, and relevant patch information is available in the Software Vulnerability Research and Software Vulnerability Manager solutions from Flexera.