The Staggering Growth in Vulnerability Disclosures, 2010 – 2018
With the end of the year, it’s prime time to reflect on vulnerability trends since the start of the decade.
According to CVE Details at the time of writing this post, at least 15,534 vulnerabilities have been reported so far this year, which is more than double the total for all of 2016 (6447 vulnerabilities) and surpasses last year’s total of 14,714. The increase in vulnerabilities parallels the growth and diversity of enterprise software being deployed by organizations today and the potential profitability of increased cybercrime activities. With the volume of vulnerabilities as large as it is, chasing remediation of every one is unfeasible and ineffective, and it misses the fact that not every vulnerability needs to be fixed.
Here’s a breakdown of the total number of disclosed vulnerabilities since 2010:
Besides the obvious jump in vulnerabilities from 2016 to 2017, these numbers have no context whatsoever. So we’re taking a closer look at the most vulnerable applications and vendors each year, including the number of critical and high severity vulnerabilities¹ for the year, and some notable vulnerabilities and exploits.
In 2010, Microsoft was the most vulnerable vendor with 736 vulnerabilities, with Microsoft Office and Windows Server 2003 as favorite targets. Apple came in second at 461, including their Safari web browser, as many of the top vulnerable applications in 2010 were web browsers. The number of critical and high severity vulnerabilities in 2010 was quite high at 45% of the total vulnerabilities for the year, and as applications started moving to the web, browsers began to be a favorite target.
In 2011, Microsoft continued to be the top target with 705 vulnerabilities, followed by Apple and Google with 437 and 291 respectively. The popularity of Google Chrome in 2011 makes it a favorite target, earning the ‘top spot’ as the most vulnerable application or operating system with 266 vulnerabilities. The percentage of critical and high severity vulnerabilities drops slightly to 43.8%. Interestingly, the top 10 vendors accounted for 50% of all vulnerabilities.
In 2012, as applications continued to move to the web, Mozilla emerged as a new top platform, with 683 vulnerabilities. Google Chrome remained the most vulnerable application with 249 vulnerabilities. The percentage of critical and high severity vulnerabilities dropped significantly to 33.4%. The virtualization market really started to grow in 2012, so it was no surprise to see VMware ESX/ESXi appear on the radar.
In 2013, Oracle cracks a spot in the top 3 vendors for the first time with 540 vulnerabilities, but not as many as Microsoft (738) and Mozilla (557). One of Oracle’s primary products, Java, had nearly 200 vulnerabilities alone and appears in the most vulnerable applications list at number two (Linux Kernel – 189, Java Runtime – 180, Oracle JDK – 180). Third-party applications, particularly web browsers, dominate the percentage of vulnerabilities. Just like 2012, 33.4% of total vulnerabilities for the year were critical and high severity.
Microsoft leads once again in 2014 with 524 vulnerabilities, most due to Internet Explorer, which is also the most vulnerable application for the year. Oracle comes in second with 522 vulnerabilities and is still dogged by issues with Java. The top vulnerable applications are all web browsers, as they are increasingly used for access to server applications, which makes them a high value target. Critical and high severity vulnerabilities drop even further to 24.1% of all vulnerabilities. The sharp increase in vulnerabilities led the maintainers of the CVE database to extend the CVE syntax to allow up to 10 million vulnerabilities each year.
Jumping into the thousands, 2015 sees a huge spike in vulnerabilities with Adobe (1588), Microsoft (1446), and Apple (1265). Interestingly, although Adobe makes only applications while Microsoft and Apple make both applications and operating systems, Adobe still has the most vulnerabilities. Critical and high severity vulnerabilities for 2015 jump back up to 37% of all vulnerabilities.
Adobe continues to be plagued with issues in 2016 and remains the vendor with the most vulnerabilities with 1382, followed by Microsoft (1325) and Google (695). Google Android tops the list for applications and operating systems with 523 vulnerabilities, with many of them quite severe. Critical and high severity vulnerabilities trend upward to 38.3%. Microsoft had the largest share of the OS market and made big strides into making Windows 10 the most secure Windows to date.
2017 saw a huge spike in the number of vulnerability disclosures, more than doubling to 14,714. Following Microsoft (1954) and Apple (1398), Google had the third highest number of vulnerabilities (995), with 842 of these being from Android. Despite the percentage of critical and high severity vulnerabilities declining to 29.3%, the sheer volume of disclosures was a nightmare for security teams, with SQL injections quintupling and XSS vulnerabilities tripling when compared to 2016.
Finally, 2018. This year has already surpassed the number of vulnerabilities disclosed in 2017, reaching a total of 14,760 vulnerabilities (at the time of writing). This year’s list of most vulnerable vendors is particularly interesting because chipmaker Qualcomm tops the list with a whopping 4533, followed by Red Hat with 1227, and then Microsoft with 824. To date, critical and high severity vulnerabilities for 2018 are around 23% of all disclosures. The appearance of Red Hat on the list is an indication that Open Source applications could see an even larger growth in severe vulnerabilities in 2019.
Long gone are the days of remediating every single vulnerability. Going with a risk-based approach to vulnerability management coupled with vulnerability remediation prioritization should be, for the coming year, the top agenda item for organizations.
¹ Note that the percentage of critical and high severity vulnerabilities is calculated by taking the total number of critical and high severity vulnerabilities for the year (CVSS >= 7) and dividing it by the total number of vulnerabilities for the year.