We have included data and analysis on industrywide vulnerability disclosures in the Microsoft Security Intelligence Report (SIR) for many years. We compile and analyze this information using vulnerability disclosure data that is published in the National Vulnerability Database (NVD) – the US government’s repository of standards-based vulnerability management data at nvd.nist.gov. The NVD represents all vulnerability disclosures that have a published Common Vulnerabilities and Exposures identifier (CVE).
The vulnerability disclosure data published in the just released volume of the SIR, volume 18, suggests that there was a 56.3% increase in vulnerability disclosures between the third and fourth quarters of 2014. After many periods of relatively small changes in disclosure totals, the 4,512 vulnerabilities disclosed during the second half of 2014 is the largest number of vulnerabilities disclosed in any half-year period since the CVE system was launched in 1999.
This large increase in disclosures is predominantly the result of work performed by the Computer Emergency Response Team (CERT) Coordination Center (CERT/CC) in the second half of 2014 to scan Android applications in the Google Play Store for man-in-the-middle vulnerabilities using an automated tool called CERT Tapioca. CERT/CC determined that thousands of Android apps fail to properly validate SSL certificates provided by HTTPS connections, which could allow an attacker on the same network as an Android device to perform a man-in-the-middle attack on the device.
This project resulted in the creation of almost 1,400 individual CVEs affecting thousands of different publishers of Android apps and code libraries. Without the Android application vulnerabilities discovered by CERT/CC, vulnerability disclosures across the entire industry would have increased about 8% in the second half of 2014 – which would be more consistent with the increases observed over the past several half-year periods.
All of the Android SSL vulnerabilities discovered by CERT/CC are medium-severity (CVSS scores from 4 to 7.9) and medium-complexity vulnerabilities that affect non-operating-system applications. This increased the number of medium-severity and medium-complexity vulnerability disclosures sharply compared to past periods. For example, medium-severity vulnerability disclosures increased from 59.6% of all vulnerabilities in the first half of 2014 to 72.5% in the second half of the year.
Medium-severity vulnerabilities accounted for almost the entire increase in disclosures seen in the last six months of 2014.
Some vulnerabilities are easier to exploit than others. Vulnerability complexity is an important factor to consider in determining the risk that each vulnerability poses. The CVSS assigns each vulnerability a complexity ranking of Low, Medium, or High. Medium-complexity vulnerabilities accounted for the largest category of disclosures in the second half of 2014 as well as the bulk of the significant increase in total disclosures observed during the period. Medium-complexity vulnerability disclosures doubled in the period between the first and second halves of 2014, increasing from 48.0% of all disclosures in the first half of the year to 61.5% in the second half of the year. Of note, disclosures of Low-complexity vulnerabilities (those that are the easiest to exploit) also increased significantly in the last six months of 2014. Low-complexity vulnerability disclosures increased 20.3% between the first and second halves of 2014, although their share of all vulnerabilities declined from 48.0% to 36.9% because of the sharp increase in Medium-complexity vulnerability disclosures in the same period.
Many of the CISOs and security professionals I talk to are typically primarily concerned about vulnerabilities in operating systems and web browsers. But Figure 5 illustrates that there are typically more vulnerability disclosures in applications than in operating systems and browsers combined, and the almost 1,400 individual CVEs affecting thousands of different publishers of Android apps and code libraries accentuate this trend. Disclosures of vulnerabilities in applications other than web browsers and operating system applications increased 98.3% in the second half of 2014 and accounted for 76.5% of total disclosures for the period.
You can get more details on vulnerability disclosure trends in the latest Microsoft Security Intelligence Report, available at http://microsoft.com/sir.
Chief Security Advisor
Worldwide Cybersecurity & Data Protection
 Will Dormann, “Finding Android SSL Vulnerabilities with CERT Tapioca,” Cert/CC Blog, September 3, 2014, http://www.cert.org/blogs/certcc/post.cfm?EntryID=204.
 CERT Coordination Center, “Vulnerability Note VU#582497: Multiple Android applications fail to properly validate SSL certificates,” Vulnerability Notes Database, http://www.kb.cert.org/vuls/id/582497.