Vulnerabilities: a never ending story
Vulnerabilities in software are one of the most important attack vectors for hackers. Unpatched software has been responsible for dozens of large-scale and unfortunately successful attacks in the past. WannaCry, based on the EternalBlue exploit, is one of the best-known examples. Petya/NotPetya and Retefe exploit the same vulnerability, while Intel had to announce a disastrous vulnerability in its ME management platform at the end of 2017. Clearly, vulnerabilities are very bad news indeed. This makes the study by software company Flexera all the more dramatic. Flexera owns Secunia, one of the first companies to offer automated patching solutions. Patching is the best remedy against vulnerabilities; unfortunately, comprehensive, zero-error, timely patching is practically impossible. According to Flexera's Vulnerability Review 2018 – Global Trends, the number of documented vulnerabilities increased last year by 14% to 19,954. In 2016, there were 17,147 software vulnerabilities. Over the last five years, the number has risen by 38%.
However – and there is a faint glimmer of hope here – patches were released for the majority of vulnerabilities (86%) within 24 hours of their becoming known. This represents an increase of 5% and is very encouraging given the sharp increase in the absolute number of vulnerabilities. Even more pleasing is that last year there were only 14 zero-day vulnerabilities (2016: 23). Zero-day vulnerabilities are exploited before their official discovery, so there are no technical defenses against them. Of course, we should approach these figures with due caution. No one can guarantee that there is not a vast selection of zero-day vulnerabilities which have not yet been discovered by Flexera or anyone else.
A further unpleasant discovery is that remote networks were identified as the primary starting point (55%) of the attacks. Remote does not necessarily mean a network connection via dial-up or a gateway. Flexera defines remote as "non-local", including connections via HTTP/S, SSL, or any other protocol that does not originate on the local network or system. It is impossible to prevent a web server from being accessible from the Internet. But the existence of so many web servers with exploitable vulnerabilities should make us think. Patching should be high on the list of priorities for administrators. Protective measures for all authorized connections are of little help if a gaping back door has been left open through a vulnerability. All systems that can be reached from the outside must be watertight in this respect.
VPN connections at the gateway are also accessible from the outside and must therefore receive the same attention. It is important to be able to rely on a responsible vendor who regularly checks their software and patches any errors and vulnerabilities that are discovered as quickly as possible. If there is a zero-day incident, it is important that attackers cannot reach further network destinations from the VPN gateway. All accessible accounts must have low privileges, user names and passwords must not be reused on other systems, and log data must be stored on remote systems where the attacker cannot manipulate them.
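The two preceding paragraphs amount to a prioritisation rule: externally reachable systems (web servers, VPN gateways) running a version below the vendor's fix come first, and the vendor's own patch latency against the 24-hour mark is worth tracking separately. The following Python script is an added example, not code from the article or from Flexera; the products, versions, advisories and hosts in it are constructed sample data, and the 24-hour SLA constant is an assumption taken from the figure the article quotes.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Advisory:
    product: str
    fixed_in: tuple          # first version that contains the vendor's fix
    disclosed: datetime      # when the vulnerability became publicly known
    patch_available: datetime  # when the vendor shipped the patch


@dataclass(frozen=True)
class Host:
    name: str
    product: str
    version: tuple
    external: bool           # reachable from the Internet (web server, VPN gateway)


# Assumption: the 24-hour window the article uses as its benchmark.
PATCH_SLA = timedelta(hours=24)


def parse_version(text):
    """'4.2.10' -> (4, 2, 10); tuples compare numerically, unlike strings."""
    return tuple(int(part) for part in text.split("."))


def patch_latency(adv):
    """How long the vendor needed from disclosure to an available patch."""
    return adv.patch_available - adv.disclosed


def vendor_met_sla(adv, sla=PATCH_SLA):
    return patch_latency(adv) <= sla


def sla_rate(advisories):
    """Fraction of advisories whose patch arrived within the SLA."""
    met = sum(1 for a in advisories if vendor_met_sla(a))
    return met / len(advisories)


def vulnerable_hosts(hosts, advisories):
    """(host, advisory) pairs where the host runs a version below the fix."""
    return [(h, a) for h in hosts for a in advisories
            if h.product == a.product and h.version < a.fixed_in]


def exposure_report(hosts, advisories, now):
    """One row per unpatched host, externally reachable hosts first, then by
    how many hours a patch has already been available without being applied."""
    rows = []
    for h, a in vulnerable_hosts(hosts, advisories):
        exposed = max(now - a.patch_available, timedelta(0))
        rows.append({
            "host": h.name,
            "product": h.product,
            "external": h.external,
            "fixed_in": a.fixed_in,
            "unpatched_hours": exposed.total_seconds() / 3600,
            "vendor_met_24h": vendor_met_sla(a),
        })
    rows.sort(key=lambda r: (not r["external"], -r["unpatched_hours"]))
    return rows


# Constructed sample data (not real products, advisories or hosts).
ADVISORIES = [
    Advisory("vpngw", parse_version("4.2.1"),
             datetime(2018, 3, 1, 9), datetime(2018, 3, 1, 20)),   # 11 h: within 24 h
    Advisory("webd", parse_version("2.8.0"),
             datetime(2018, 3, 2, 8), datetime(2018, 3, 5, 8)),    # 72 h: missed
]
HOSTS = [
    Host("gw1", "vpngw", parse_version("4.2.0"), external=True),
    Host("web1", "webd", parse_version("2.7.3"), external=True),
    Host("intranet", "webd", parse_version("2.7.3"), external=False),
    Host("web2", "webd", parse_version("2.8.0"), external=True),  # already fixed
]
NOW = datetime(2018, 3, 10, 8)  # constructed "current time" for the report


if __name__ == "__main__":
    print(f"vendor patches within 24 h: {sla_rate(ADVISORIES):.0%}")
    for row in exposure_report(HOSTS, ADVISORIES, NOW):
        where = "EXTERNAL" if row["external"] else "internal"
        print(f"{row['host']:<9} {where:<8} {row['product']:<6} "
              f"needs >= {'.'.join(map(str, row['fixed_in']))}, "
              f"patch unapplied for {row['unpatched_hours']:.0f} h")
```

The sort key puts the VPN gateway at the top even though the web server's patch is the one the vendor was slow with: from the administrator's side, the exposure that matters is how long a fix has existed without being applied to a system reachable from outside. Version strings are parsed into integer tuples so that 4.2.10 correctly sorts after 4.2.9.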
Overall, the increasing number of patches available within 24 hours shows that the industry takes its responsibilities seriously and has adapted its processes and communication strategies. 86% is a positive figure; if improvements continue at this rate, vulnerabilities will pose less of a risk overall. It is possible to achieve this if companies implement automated and zero-error patching for at least their externally accessible systems. Manufacturers will be hearing questions more frequently in the future about their patch strategy and the lifecycles and guaranteed support periods of their products.