25% of Known Computer Security Vulnerabilities Have No Fix
In the first half of 2018, analysts at the computer security firm Risk Based Security (RBS) catalogued 10,644 flaws in computer systems (known as vulnerabilities) that could be exploited by a hacker to take unauthorized actions within the system. Of that total, 25.6% had no known solution.
Half of the reported vulnerabilities can be exploited remotely, and nearly a third (32.1%) have publicly available hacks (technically known as exploits). Web-related vulnerabilities accounted for just over 46% of the total for the first half of the year.
Brian Martin, vice-president of vulnerability intelligence for Risk Based Security, said:
The task of protecting digital assets has never been so critical to businesses as we continue to see a rise in compromised organizations and data breaches. Your vulnerability intelligence solution is a cornerstone of your defense strategy.
The RBS report indicates that 16.6% of the reported vulnerabilities received high or critical scores on the scale known as the Common Vulnerability Scoring System (CVSS). The number of flaws of this kind was down slightly year over year; however, the severity levels remain significant and require organizations to stay vigilant.
In the first quarter of 2018, the month of February posted both the most new vulnerabilities with low-severity CVSS scores in the first half of the year and the highest number of critical vulnerabilities. RBS attributes the spike to more than 280 critical vulnerabilities patched in Samsung mobile devices.
About two-thirds of the vulnerabilities disclosed in the first half of this year were due to insufficient or improper input validation, including, among other things, cross-site scripting and shell command injection.
RBS notes that flaws of this kind demonstrate the difficulties software vendors face in validating untrusted input from users. The moral of the story is that companies can't be too careful.
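The two input-validation failures the report singles out, shell command injection and cross-site scripting, come down to the same mistake: untrusted text is spliced into a string that some other interpreter (a shell, a browser) then parses. The following Python snippet is an added illustration written for this article, not code from RBS or from the report; it shows each weak pattern beside its hardened counterpart. The hostnames and comment string are constructed sample inputs, and the hostname allow-list pattern is an assumption chosen for the example.

```python
import html
import re

# Constructed sample inputs for the demonstration (not taken from the report).
SAMPLE_HOSTNAMES = ["example.com", "example.com; id"]
SAMPLE_COMMENT = '<script>alert(1)</script>'

# Assumed allow-list for a hostname: letters, digits, dots and hyphens only.
# Anything a shell could interpret (spaces, ';', '|', '$', backticks...) is rejected.
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9.-]{1,253}$")


def build_ping_command_unsafe(host: str) -> str:
    """Weak pattern: user input concatenated into a single shell command string.

    If the result is handed to a shell (e.g. subprocess with shell=True), any
    shell metacharacters in `host` become part of the command, not of the argument.
    """
    return f"ping -c 1 {host}"


def build_ping_command_safe(host: str) -> list:
    """Hardened pattern: validate against an allow-list, then build an argv list.

    An argv list is passed straight to the program with no shell involved, so the
    hostname can only ever be a single argument. Returns the argv list, or raises
    ValueError when the input fails validation.
    """
    if not HOSTNAME_RE.fullmatch(host):
        raise ValueError(f"rejected hostname: {host!r}")
    return ["ping", "-c", "1", host]


def render_comment_unsafe(comment: str) -> str:
    """Weak pattern: untrusted text placed directly into HTML markup."""
    return f"<p>{comment}</p>"


def render_comment_safe(comment: str) -> str:
    """Hardened pattern: output-encode for the HTML context before rendering.

    html.escape converts <, >, & and (with quote=True) both quote characters into
    entities, so the browser shows the text instead of parsing it as markup.
    """
    return f"<p>{html.escape(comment, quote=True)}</p>"


def classify_hostnames(hosts: list) -> dict:
    """Run each sample through the safe builder; report accepted argv or the rejection."""
    results = {}
    for host in hosts:
        try:
            results[host] = build_ping_command_safe(host)
        except ValueError as exc:
            results[host] = str(exc)
    return results


if __name__ == "__main__":
    # Commands are built but deliberately never executed here.
    for host in SAMPLE_HOSTNAMES:
        print("unsafe string:", build_ping_command_unsafe(host))
    print("safe builder  :", classify_hostnames(SAMPLE_HOSTNAMES))
    print("unsafe html   :", render_comment_unsafe(SAMPLE_COMMENT))
    print("safe html     :", render_comment_safe(SAMPLE_COMMENT))
```

The point of the pairing is that validation and encoding are context-specific: the argv list removes the shell from the picture entirely, while the HTML encoder neutralises markup but would do nothing for a value landing in a JavaScript or URL context, which needs its own encoder.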