After the close of 2012, NSS Labs performed a comprehensive analysis of vulnerability data to identify industry wide threats and trends covering the last 10 years. The data supporting this analysis is drawn heavily from NSS Labs’ own research combined with the National Vulnerability Database (NVD), an independent and publicly available repository of standards-based vulnerability management data operated by the U.S. government. As of early January 2013, the NVD listed 53,489 vulnerabilities affecting 20,821 software products from 12,062 different software vendors.
Several observations make 2012 stand out significantly compared to the previous years since 2006. In the last ten years, on average, 4,660 vulnerabilities were disclosed per year, with an all-time high of 6,462 vulnerabilities counted in 2006 followed by a yearly decrease over the following five years down to 4,139 (64% of the all-time high) in 2011.
However, in 2012 alone, the number of vulnerabilities increased again to a considerable 5,225 (80% of the all-time high), which is 12% above the ten-year average or a 26% increase compared to the 2011 numbers. This is the largest increase observed in the past six years and ends the trend of moderate declines since 2006.
The NVD represents all vulnerability disclosures that have a CVE (common vulnerabilities and exposures) identifier. CVE is a de facto industry standard to uniquely identify and correlate vulnerabilities, e.g. CVE-2013-0422 identifies the recent Java 0-day vulnerability. The first four digits represent the year; the last four digits are a sequential tracking number from 0001 to 9999. Due to the increasing volume of public vulnerability reports, the Common Vulnerabilities and Exposures (CVE) project announced on January 22, 2013, that they would change the syntax of its standard vulnerability identifiers so that CVE can track more than 10,000 vulnerabilities in a single year. This correlates nicely with our findings and indicates that still more vulnerabilities are expected on the long term.
A considerable 9 percent of the vulnerabilities disclosed in 2012 are extremely critical (with CVSS score > 9.9) paired with low attack/exploitation complexity. Analyzing the software vendors whose products are affected by the largest number of vulnerabilities reveals that only one of the top 10 vendors managed to reduce vulnerability disclosures in 2012 compared to the average disclosures of the ten preceding years. On average, around one percent of vendors account for 31 percent of the vulnerabilities disclosed per year. This small number of vendors represents the most prevalent software products in everyday private and business use – which is also visualized in the video below:
his visualization shows the evolution of vulnerability disclosures per vendor for 2012 and highlights the skewed distribution of vulnerabilities amongst vendors. For every day in 2012, the animation attributes vulnerabilities disclosed to the vendor affected, and visualizes them as linked entities. We readily observe a few large clusters at the perimeter of the growing bubble, representing vendors affected by numerous vulnerabilities. The center is populated with the many small vendors affected by only one or very few vulnerabilities. The dynamic legend on the left ranks the vendors by their vulnerability count as of the specific day in the year 2012.
Despite massive security investments of the software industry, vulnerability disclosures have risen considerably in 2012. Thus identifying, classifying, and prioritization of mitigation of the most critical vulnerabilities remains an important and key task for effective risk management.
Below is a link to the full report, documenting further trends such as decreasing vulnerability disclosures by two long established purchase programs, iDefense VCP and TippingPoint ZDI, as well as the considerable increase in SCADA vulnerability disclosures observed in the last two years.