The number of vulnerabilities being disclosed by major technology companies is returning to normal levels after a lower-than-usual first quarter, due in no small part to the disruption from the coronavirus pandemic.
But in the 2020 Mid Year Vulnerability QuickView Report, analysts on Risk Based Security’s VulnDB team criticized the now popular trend of companies publicly releasing all of their latest vulnerabilities on the same day, calling these days “Vulnerability Fujiwhara.”
Of the 11,121 vulnerabilities publicized during the midyear, 818 were dumped all in just a few days. There were 312 vulnerabilities published on Jan. 14, 508 on April 14 and 263 on June 9. There were four more days this year when at least 187 vulnerabilities were released.
“We knew that these events would undoubtedly become a significant strain for IT staff and Vulnerability Managers. Compared to other Patch Tuesdays this year, the highest reported ‘only’ 273 new vulnerabilities,” said Brian Martin, vice president of vulnerability intelligence at Risk Based Security.
“However, during April’s Fujiwhara event we saw 508 new vulnerabilities reported, 79% of which came from seven vendors. Unfortunately for all of us, this is likely what we can expect to occur more frequently in the future. The sheer volume makes one wonder who actually benefits from this all-at-once disclosure of vulnerabilities. Certainly not the paying customers.”
Despite the more than 11,000 vulnerabilities disclosed in the first half of the year, the number represented an 8.2% decrease compared to the same period in 2019. But the second quarter of the year showed things are slowly returning to normal after a tumultuous few months because of COVID-19.
Researchers with Risk Based Security wrote in the report that one of the most alarming trends is the lack of CVE IDs. Of the vulnerabilities disclosed during the first half of 2020, 30% did not have a CVE ID, and another 3% had a CVE ID that was still in reserved status, meaning no information about the vulnerability is publicly available under that ID.
But most of the report focuses on the Vulnerability Fujiwhara Effect and the companies disclosing the highest number of vulnerabilities. Three days in 2020, Jan. 14, April 14, and July 14, have, the report said, become “a significant event in the lives of IT staff.”
“These Fujiwhara events are typically rare, but 2020 saw three of them: January 14, April 14, and July 14. The last two observed pre-2020 Fujiwhara events occurred in 2015 and the next two will be seen in 2025—beginning on January 14! That illustrates just how infrequent these events are and why they stand out as a point of stress and additional risk for organizations,” the report said.
“It is also important to note that 2015’s single Fujiwhara event saw a total of 277 disclosed vulnerabilities from all reports that day, less than half of what we saw from the April Fujiwhara this year. During April’s Fujiwhara event we saw 506 new vulnerabilities reported, 79% of which came from seven vendors. Compared to other Patch Tuesdays this year, the highest reported ‘only’ 273 new vulnerabilities on June 9th.”
The report predicts that these Fujiwhara incidents and the increased number of vulnerabilities will become the norm, but the researchers questioned whether the days were doing a disservice to IT teams that may not be able to handle the sheer number of vulnerabilities.
The researchers also noted the absurdity of vendors creating the vulnerable software that puts their paying customers at risk, then dumping all of their disclosures on the same days and thereby adding still more risk.
“IT Security teams and Vulnerability Managers dealing with reduced staffing and budgets will surely struggle to triage and assess the sheer volume of issues disclosed in a single day. Hundreds of vulnerabilities are being disclosed within a short time period, with the bulk of them being from major vendors such as Microsoft and Adobe, affecting widely-used products,” the report said.
“To make matters worse, the CVE mission has remained stagnant, which means that organizations depending on CVE/NVD for vulnerability intelligence will not receive the much-needed help in identifying and prioritizing vulnerabilities that are rated critical. If this year has taught us anything, it’s that we need comprehensive vulnerability intelligence and we need it now if we are to survive the oncoming and growing storm.”
Microsoft was one of the first companies to hold “Patch Tuesday” events, but Adobe began to join them in 2012, and other companies such as SAP, Siemens, and Schneider Electric have since joined in as well. Apple, Mozilla, Intel, Cisco and others have also started to disclose vulnerabilities on the same day in an effort to “make it more convenient.”
The problem is so bad that this year, just two days saw 818 vulnerabilities disclosed, representing 7.3% of the entire midyear’s disclosures. If the Fujiwhara day in July is included, three days would account for 10.5% of all 2020 vulnerabilities—13% if you factor in the following day for each.
While these days were originally created to ease the strain on IT teams, they have had the opposite effect, giving bad actors a treasure trove of newly released vulnerabilities to exploit all on the same day, according to the report. The study adds that at this point, software vendors may see these Fujiwhara days as a way to hide their vulnerabilities within the chaos of hundreds of other vulnerabilities.
In the second quarter of 2020, Microsoft specifically saw a 150% increase in vulnerabilities disclosed compared to the same period last year with 762 disclosures. The number is far and away higher than every other vendor, including Oracle and Linux/Red Hat. Oracle had 612 total vulnerabilities, 420 of which came from the two Fujiwhara events.
Microsoft’s high numbers are driven by Windows 10, which topped the list of products with the most disclosed vulnerabilities in Q2 this year, according to the report. But it’s not just Windows 10: different versions of Windows appear on the list four times.
Organizations that heavily rely on Microsoft or Oracle products, the researchers wrote, will be forced to deal with dozens of days each year where they have to triage and assess a large number of issues.
“OpenSUSE Leap, with 464 vulnerabilities, and Suse Linux Enterprise Server (SLES), with 247, since they are both from the same vendor, and both Linux-based operating systems. Leap describes itself to be ‘for Sysadmins, Enterprise Developers, and “Regular” Desktop Users’ while SLES bills itself as an OS that ‘helps simplify your IT environment, modernize your IT infrastructure and accelerate innovation’,” the report said.
“This is arguably a blurry line since system administrators and enterprise developers might be expected to use either. Why is there such a disparity between the two? The most notable difference is that Leap installs with both Chrome and Firefox, while SLES only installs with Firefox. That alone represents over 100 vulnerabilities.”
The report also notes that Google Pixel/Nexus Devices appeared on the list with 314 vulnerabilities, leading the researchers to write that mobile devices may be more vulnerable to attack than your desktop system.
“Given the sheer amount of vulnerabilities disclosed, organizations relying on CVE/NVD will struggle to find timely and actionable intelligence. The bare minimum metadata found within NVD is not enough for organizations to properly prioritize and remediate,” Martin said.
“Organizations are increasing their own risk by relying on CVE to provide complete and timely data. The current level of vulnerability disclosures organizations face on a daily basis is more than CVE can handle, and it will only get worse.”