Vulnerabilities, A Decade of Maturation

Vulnerabilities are weaknesses in software that enable an attacker to compromise the integrity, availability, or confidentiality of that software or the data it processes. Some of the worst vulnerabilities allow attackers to exploit a compromised computer, causing it to run arbitrary code without the user’s knowledge.

The past 10 years represent a very interesting timeframe for reviewing vulnerability disclosures and ensuing changes that continue to affect risk management in IT organizations around the world. Before examining the charts and trends, a brief review of the past decade with regard to industry vulnerabilities is in order.

A decade of maturation

In 2002 MITRE presented A Progress Report on the CVE Initiative (PDF), which provided an update on a multi-year effort to create a consistent and common set of vulnerability information—with a particular focus on unique naming—to enable the industry to more easily assess, manage, and fix vulnerabilities and exposures. The CVE effort and data later formed the core of the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD), the U.S. government repository of standards-based vulnerability management data that serves as the primary index for the industry vulnerabilities referenced in the SIR.

2002 also marked the beginning of a commercial market for vulnerabilities; iDefense started a vulnerability contributor program that paid finders for vulnerability information.

In 2003, the U.S. National Infrastructure Advisory Council (NIAC) commissioned a project “to propose an open and universal vulnerability scoring system to address and solve these shortcomings, with the ultimate goal of promoting a common understanding of vulnerabilities and their impact.” This project resulted in a report recommending the adoption of the Common Vulnerability Scoring System (PDF) (CVSSv1) in late 2004. Vulnerability severity (or scoring) information was a big step forward, because it provided a standard method for rating vulnerabilities across the industry in a vendor-neutral manner.

2007 brought an update to CVSS, with changes that addressed issues identified through practical application of CVSS since its inception. SIR volume 4, which provided data and analysis for the second half of 2007, included vulnerability trends using both CVSSv1 and CVSSv2, and CVSSv2 ratings have been used since then. As noted at the time, one practical effect of the new rating formulas was that a much higher percentage of vulnerabilities were rated High or Medium severity.

Industry-wide vulnerability disclosures

A disclosure, as the term is used in the SIR, is the revelation of a software vulnerability to the public at large. It does not refer to any type of private disclosure or disclosure to a limited number of people. Disclosures can come from a variety of sources, including the software vendor, security software vendors, independent security researchers, and even malware creators.

Much of the information in this section is compiled from vulnerability disclosure data that is published in the NVD. It represents all disclosures that have a CVE (Common Vulnerabilities and Exposures) number.

The past decade saw dramatic growth in new vulnerability disclosures, which peaked in 2006 and 2007 and then declined steadily over the next four years to just over 4,000 in 2011, which is still a large number of vulnerabilities.

Industry-wide vulnerability disclosures since 2002


Vulnerability disclosure trends:

  • Vulnerability disclosures across the industry in 2011 were down 11.8 percent from 2010.
  • This decline continues an overall trend of moderate declines. Vulnerability disclosures have declined a total of 37 percent since their peak in 2006.


Vulnerability severity

The Common Vulnerability Scoring System (CVSS) is a standardized, platform-independent scoring system for rating IT vulnerabilities. The CVSS assigns a numeric value between 0 and 10 to vulnerabilities according to severity, with higher scores representing greater severity. (See the Vulnerability Severity page for more information.)

Relative severity of vulnerabilities disclosed since 2002


Vulnerability severity trends:

  • The overall vulnerability severity trend has been a positive one. Medium and High severity vulnerabilities have steadily decreased since their high points in 2006 and 2007.
  • Even as fewer vulnerabilities are being disclosed overall, the number of Low severity vulnerabilities being disclosed has been relatively flat. Low severity vulnerabilities accounted for approximately 8 percent of all vulnerabilities disclosed in 2011.


Hardware and software disclosures

The NVD tracks both hardware and software vulnerabilities. The number of hardware vulnerabilities disclosed each year remains low, as shown in the following figure. The peak was in 2009, when 198 hardware vulnerabilities (3.4 percent of all disclosures) were disclosed.

Hardware and software vulnerability disclosures since 2002


Software vulnerabilities consist of vulnerabilities that affect operating systems, applications, or both. As in many other industries, one vendor’s product can be another vendor’s component. For example, CVE-2011-1089 affects GNU libc 2.3, which is listed as an application product from GNU. However, libc is also an integrated component in several operating systems and is therefore also an operating system vulnerability. For this reason, it is difficult to draw a distinct line between operating system and application vulnerabilities. In the following figure, vulnerabilities that affect both operating systems and applications are shown in red.

Application and operating system vulnerability disclosures since 2002


In 2010 and 2011, approximately 13 percent of software vulnerabilities affected both application and operating system products.


Operating system vulnerability disclosures

To determine the number of vulnerabilities that affect operating systems (shown in the following figure), vulnerabilities were filtered for affected products that were designated as operating systems in the NVD.

Operating system vulnerability disclosures since 2002



Application vulnerability disclosures

To determine the number of vulnerabilities that affect applications (shown in the following figure), vulnerabilities were filtered for affected products that were designated as applications in the NVD.
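The two filters just described (together with the earlier point that a single CVE, such as a libc flaw, can count as both an operating system and an application vulnerability) are straightforward to reproduce over NVD-style data. The Python below is an added illustration, not code from the SIR or from NIST; the records, CVE ids and scores in it are constructed, the product-type letters follow the NVD's "o"/"a"/"h" convention, and the Low/Medium/High bands are the NVD's CVSSv2 ranges (0.0 to 3.9, 4.0 to 6.9, 7.0 to 10.0), which the page refers to but does not spell out.

```python
from collections import Counter, defaultdict

# Constructed sample in the shape of NVD records:
#   (CVE id, disclosure year, CVSSv2 base score, set of NVD product types affected)
# The ids and scores are hypothetical and say nothing about real vulnerabilities.
# Product types use the NVD convention: "o" operating system, "a" application, "h" hardware.
SAMPLE_RECORDS = [
    ("CVE-2010-0001", 2010, 9.3, {"a"}),
    ("CVE-2010-0002", 2010, 7.2, {"o"}),
    ("CVE-2010-0003", 2010, 5.0, {"o", "a"}),   # libc-style: shipped as app and as OS component
    ("CVE-2010-0004", 2010, 4.3, {"a"}),
    ("CVE-2010-0005", 2010, 2.1, {"o"}),
    ("CVE-2010-0006", 2010, 6.8, {"a"}),
    ("CVE-2010-0007", 2010, 7.8, {"h"}),
    ("CVE-2010-0008", 2010, 10.0, {"a"}),
    ("CVE-2011-0001", 2011, 7.5, {"a"}),
    ("CVE-2011-0002", 2011, 4.0, {"o", "a"}),
    ("CVE-2011-0003", 2011, 3.9, {"a"}),
    ("CVE-2011-0004", 2011, 6.9, {"o"}),
    ("CVE-2011-0005", 2011, 7.0, {"o"}),
    ("CVE-2011-0006", 2011, 5.8, {"a"}),
    ("CVE-2011-0007", 2011, 1.9, {"h"}),
]


def cvss2_band(score):
    """Map a CVSSv2 base score to the NVD severity band: Low, Medium or High."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS base score out of range: {score}")
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    return "High"


def disclosures_per_year(records):
    """Total disclosures per year; every record carries a CVE id, so each counts once."""
    return Counter(year for _, year, _, _ in records)


def percent_change(counts, year):
    """Year-over-year change in disclosures, in percent, rounded to one decimal."""
    prev = counts[year - 1]
    if prev == 0:
        raise ValueError(f"no disclosures recorded for {year - 1}")
    return round((counts[year] - prev) / prev * 100, 1)


def severity_by_year(records):
    """Counts of Low/Medium/High disclosures for each year."""
    table = defaultdict(Counter)
    for _, year, score, _ in records:
        table[year][cvss2_band(score)] += 1
    return table


def product_breakdown(records, year):
    """Apply the report's filters for one year. A record is an operating system
    vulnerability if any affected product is typed "o", an application
    vulnerability if any is typed "a", and is counted under "both" when it has
    products of both types (so "os" and "application" overlap, as in the report)."""
    result = Counter()
    for _, y, _, types in records:
        if y != year:
            continue
        is_os, is_app = "o" in types, "a" in types
        result["hardware"] += int("h" in types)
        result["os"] += int(is_os)
        result["application"] += int(is_app)
        if is_os and is_app:
            result["both"] += 1
        elif is_os:
            result["os_only"] += 1
        elif is_app:
            result["application_only"] += 1
    result["software"] = result["os_only"] + result["application_only"] + result["both"]
    return result


def overlap_percent(records, year):
    """Share of software vulnerabilities that affect both OS and application products."""
    b = product_breakdown(records, year)
    if b["software"] == 0:
        return 0.0
    return round(b["both"] / b["software"] * 100, 1)


if __name__ == "__main__":
    counts = disclosures_per_year(SAMPLE_RECORDS)
    for year in sorted(counts):
        print(year, counts[year], dict(severity_by_year(SAMPLE_RECORDS)[year]),
              dict(product_breakdown(SAMPLE_RECORDS, year)),
              f"overlap {overlap_percent(SAMPLE_RECORDS, year)}%")
    print("2011 vs 2010:", percent_change(counts, 2011), "%")
```

Because the OS and application filters are applied independently, their two counts add up to more than the number of software vulnerabilities; `product_breakdown` exposes the "both" bucket so that the double-counted records can be reported separately, which is the quantity the report gives as roughly 13 percent for 2010 and 2011.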

Application vulnerability disclosures since 2002

