The number of vulnerabilities disclosed by large technology companies appears to be returning to normal after the lower than usual rate observed in the first quarter of 2020, during the COVID-19 pandemic. Analysts at Risk Based Security's VulnDB have criticized the tendency of vendors to disclose all of their latest vulnerabilities on the same day, a trend they call the “Fujiwhara phenomenon”. Of the 11,121 vulnerabilities published by mid-2020, 818 were disclosed within a few days. In addition, 312 vulnerabilities were published on January 14, 508 on April 14 and 263 on June 9, and there were four more days this year on which at least 187 vulnerabilities were published.
Disclosing a large number of vulnerabilities in a short period naturally puts heavy pressure on both IT staff and vulnerability managers. Brian Martin, VP at Risk Based Security, said that during the April Fujiwhara event 508 new vulnerabilities were disclosed, 79% of them from seven vendors. Martin stressed that this is expected to happen more often in the future, and asked who benefits from vendors disclosing everything at once. Paying customers certainly do not.
In the first half of 2020, 11,000 vulnerabilities were disclosed. Although this number may seem high, it is in fact an 8.2% decrease compared to the same period of 2019. The second quarter, however, showed that disclosure is gradually returning to normal after the outbreak of the COVID-19 pandemic.
Researchers point out that one of the most worrying trends is the lack of CVE IDs. Of the vulnerabilities disclosed in the first half of 2020, 30% had no CVE ID, and for 3% of the identified vulnerabilities no information is available.
The report focuses mainly on the "Fujiwhara phenomenon" and on the companies that disclose the highest numbers of vulnerabilities. Fujiwhara events are usually rare, but 2020 had three (January 14, April 14 and July 14), each a significant event for IT professionals. The last two observed before 2020 occurred in 2015, and the next two will come in 2025, starting on January 14th. This shows how rare these events are, but also why they stand out: they bring more stress and greater risk for organizations.
The report also noted that the single Fujiwhara event of 2015 saw a total of 277 vulnerabilities disclosed across all reports that day, less than half the number disclosed during the April event this year, when 506 new vulnerabilities were disclosed, 79% of them from seven vendors. By comparison, the busiest ordinary Patch Tuesday this year reported "only" 273 new vulnerabilities, on June 9th. The researchers also noted the absurdity of vendors shipping vulnerable software that puts their paying customers at risk.
IT teams and vulnerability managers are left to examine and evaluate the huge volume of vulnerabilities disclosed in a single day. Hundreds of vulnerabilities appear in a short period, most of them from technology giants such as Microsoft and Adobe, and so affecting widely used products.
Worst of all, the CVE effort has remained stagnant, which means that organizations depending on CVE / NVD for vulnerability information are not getting the help they need to identify and prioritize the "critical" vulnerabilities. Among other things, 2020 has shown that organizations need a comprehensive strategy for addressing vulnerabilities.
Microsoft was one of the first companies to hold "Patch Tuesday" releases; Adobe joined in 2012, and other companies such as SAP, Siemens and Schneider Electric followed. Apple, Mozilla, Intel, Cisco and other tech giants have also begun disclosing vulnerabilities on the same day, in a bid to make the process easier and less embarrassing.
The seriousness of the problem is shown by the fact that 818 vulnerabilities were disclosed by vendors within two days, 7.3% of all disclosures by mid-year. If July's Fujiwhara day is included, three days would account for 10.5% of all 2020 vulnerabilities. Rather than helping IT professionals, this has the opposite effect, while also handing attackers a plethora of freshly disclosed vulnerabilities to exploit, all on the same day. The report added that software vendors may be treating Fujiwhara days as a way to bury their own vulnerabilities amid the chaos of hundreds of others.
In the second quarter of 2020, Microsoft saw a 150% increase in vulnerabilities compared to the same period last year, with 762 disclosures, far more than any other vendor, including Oracle and Linux / Red Hat. Oracle had a total of 612 vulnerabilities, 420 of them from the two Fujiwhara events. Microsoft's high numbers are driven by Windows 10, but not only: different versions of Windows appear in the list four times. Organizations that rely heavily on Microsoft or Oracle products will have to repeatedly test and evaluate a large number of issues.
Given the sheer volume of disclosures, organizations that depend on CVE / NVD will struggle to find a quick and effective way to address them. Ultimately, organizations increase their own risk by relying on CVE to provide complete and timely data: the volume of vulnerability disclosure organizations face daily is more than CVE can handle.
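As an added illustration of the two problems the article describes (not code from the report or its authors), the triage helper below takes a disclosure feed, flags days on which several vendors released batches at once, measures how much of the feed landed on those days, and lists the entries a CVE/NVD-only process would never see. The feed, vendor names and CVE numbers are constructed placeholders.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Disclosure:
    """One entry from a vulnerability disclosure feed (vendor advisory or a VulnDB-style source)."""
    published: date
    vendor: str
    cve_id: Optional[str]  # None when the issue was disclosed without a CVE ID


# Constructed sample feed with placeholder vendors and CVE numbers (not real records):
# one multi-vendor release day, one single-vendor batch, and scattered disclosures.
SAMPLE_FEED: List[Disclosure] = [
    Disclosure(date(2020, 4, 14), "VendorA", "CVE-0000-0001"),
    Disclosure(date(2020, 4, 14), "VendorA", "CVE-0000-0002"),
    Disclosure(date(2020, 4, 14), "VendorB", "CVE-0000-0003"),
    Disclosure(date(2020, 4, 14), "VendorB", None),
    Disclosure(date(2020, 4, 14), "VendorC", "CVE-0000-0004"),
    Disclosure(date(2020, 4, 15), "VendorD", "CVE-0000-0005"),
    Disclosure(date(2020, 4, 15), "VendorD", None),
    Disclosure(date(2020, 4, 15), "VendorD", "CVE-0000-0006"),
    Disclosure(date(2020, 4, 20), "VendorE", None),
    Disclosure(date(2020, 4, 21), "VendorA", "CVE-0000-0007"),
]


def daily_load(feed: List[Disclosure]) -> Dict[date, Tuple[int, Set[str]]]:
    """Map each publication date to (number of disclosures, vendors publishing that day)."""
    load: Dict[date, Tuple[int, Set[str]]] = {}
    for d in feed:
        n, vendors = load.get(d.published, (0, set()))
        load[d.published] = (n + 1, vendors | {d.vendor})
    return load


def cluster_days(feed: List[Disclosure], min_count: int, min_vendors: int) -> List[date]:
    """Days with at least min_count disclosures from at least min_vendors distinct vendors.
    One vendor's own Patch Tuesday does not qualify; several vendors releasing together does."""
    return sorted(day for day, (n, vendors) in daily_load(feed).items()
                  if n >= min_count and len(vendors) >= min_vendors)


def share_on_days(feed: List[Disclosure], days: List[date]) -> float:
    """Fraction of the feed's disclosures that landed on the given days (0.0 for an empty feed)."""
    wanted = set(days)
    return sum(1 for d in feed if d.published in wanted) / len(feed) if feed else 0.0


def without_cve(feed: List[Disclosure]) -> List[Disclosure]:
    """Entries a CVE/NVD-only process never sees; they need a second source to be tracked at all."""
    return [d for d in feed if d.cve_id is None]
```

Run against a real feed, the thresholds in `cluster_days` are the knobs a vulnerability manager tunes to tell a normal Patch Tuesday from a Fujiwhara day, and `without_cve` is the list that must be worked from vendor advisories directly.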