A new report from California-based Skybox Security states that 9,799 unique vulnerabilities were reported in the first half of 2020 alone; at that rate, the record figure of 20,000 vulnerabilities will be reached by the end of the year.
The first-half volume of software vulnerability reports has increased by 34% compared with 7,318 in the same period last year. This is undoubtedly good news, reflecting the increased effort invested in vulnerability research.
Of the five new products in the list above, three are business applications (IBM API Connect, Red Hat OpenShift, Oracle E-Business Suite). The other two, Edge Chromium and iPadOS, are typically deployed on workstations and in home and commercial environments; they have gone from "non-existent" to what Skybox describes as "weak points that patches seek", and now require administrators' attention.
Critical vulnerabilities account for 15% of all new reports, according to Skybox.
And while critical flaws, such as those with the maximum score of 10.0 in CVSS (a method of evaluating the characteristics and severity of software vulnerabilities), receive a great deal of attention, the security company notes that the way they are generally approached can itself end up being dangerous.
"Although organizations tend to prioritize critical vulnerabilities, this general approach to prioritization could allow attackers to take advantage of any exposed moderate-severity vulnerabilities."
"Criminals know that moderate-severity defects can remain unpatched in an organization's systems for a long time, and depending on where these defects exist, they could give an intruder access to a critical point in the system or allow lateral movement."
Security programs must have established procedures in place to "address vulnerabilities based on exposure, exploitability and other factors to keep remediation focused on critical risks", Skybox reports. It goes on to say: "If a security program bases its vulnerability prioritization solely on CVSS ratings, resources could be wasted repairing a vulnerable element that is protected by layers of defenses, while a medium-severity vulnerability goes unflagged."
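To make the point concrete, here is an added example (not from the Skybox report, and not its scoring model) of a risk-based prioritisation pass that starts from the CVSS base score and then adjusts for exposure, exploit availability, asset criticality and compensating controls. The weights and the three sample findings are constructed for illustration, and the CVE identifiers are placeholders; the ranking shows how an exposed, exploitable medium-severity flaw can outrank a critical one sitting behind several defensive layers.

```python
"""Risk-based vulnerability prioritisation versus ranking by CVSS alone.

Added example: the weights, thresholds and sample findings below are
constructed for illustration and are assumptions, not Skybox's model or data.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Finding:
    host: str
    cve: str                  # placeholder identifier, constructed for the example
    cvss: float               # CVSS base score, 0.0 .. 10.0
    internet_exposed: bool    # reachable from untrusted networks
    exploit_public: bool      # a working public exploit is known to exist
    asset_criticality: int    # 1 = low value, 2 = normal, 3 = crown jewel
    mitigating_controls: int  # compensating layers in front of it (WAF, segmentation, ...)


def cvss_severity(score: float) -> str:
    """Map a CVSS v3 base score onto the standard qualitative severity bands."""
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    if score > 0.0:
        return "low"
    return "none"


# Context multipliers (assumed values chosen for the example).
EXPOSURE_FACTOR = 1.5        # reachable from the internet
EXPLOIT_FACTOR = 1.4         # public exploit available
CRITICALITY_FACTOR = {1: 0.7, 2: 1.0, 3: 1.3}
CONTROL_DISCOUNT = 0.8       # each compensating control shaves 20% off the score


def risk_score(f: Finding) -> float:
    """Start from CVSS and scale it by the finding's real-world context."""
    score = f.cvss
    if f.internet_exposed:
        score *= EXPOSURE_FACTOR
    if f.exploit_public:
        score *= EXPLOIT_FACTOR
    score *= CRITICALITY_FACTOR[f.asset_criticality]
    score *= CONTROL_DISCOUNT ** f.mitigating_controls
    return round(score, 2)


def prioritise(findings: List[Finding]) -> List[Finding]:
    """Highest contextual risk first; ties broken by raw CVSS."""
    return sorted(findings, key=lambda f: (risk_score(f), f.cvss), reverse=True)


def severity_share(findings: List[Finding]) -> Dict[str, float]:
    """Fraction of findings in each CVSS band (the kind of figure the report quotes)."""
    counts: Dict[str, int] = {}
    for f in findings:
        band = cvss_severity(f.cvss)
        counts[band] = counts.get(band, 0) + 1
    total = len(findings)
    return {band: round(n / total, 2) for band, n in counts.items()}


# Constructed sample findings.
SAMPLE = [
    # Critical CVSS, but internal-only, no public exploit, three layers of controls.
    Finding("db-internal-01", "CVE-0000-EXAMPLE-A", 10.0, False, False, 2, 3),
    # Medium CVSS, but internet-facing, exploited in the wild, on a crown-jewel asset.
    Finding("portal-web-01", "CVE-0000-EXAMPLE-B", 5.3, True, True, 3, 0),
    # High CVSS, internet-facing, no exploit, low-value asset, one control in front.
    Finding("kiosk-web-02", "CVE-0000-EXAMPLE-C", 7.5, True, False, 1, 1),
]


def main() -> None:
    for f in prioritise(SAMPLE):
        print(f"{risk_score(f):6.2f}  {cvss_severity(f.cvss):8s}  {f.host:16s}  {f.cve}")
    print("share by CVSS band:", severity_share(SAMPLE))


if __name__ == "__main__":
    main()
```

Ranking purely by CVSS would put the internal 10.0 first; the contextual score puts the exposed, exploitable 5.3 at the top and the well-shielded critical at the bottom, which is the gap the report describes. In practice the multipliers would be tuned per organisation and fed from asset inventory and threat-intelligence sources rather than hard-coded.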