Your Vulnerabilities Are Not What You Think

For most of my 34-year career, it has been drilled into my head that Microsoft Windows vulnerabilities are the main ones you have to worry about, and to some extent, that is still true. But a growing number of vulnerabilities can be attributed to VPNs, devices, routers, web cameras, computer security software and content management systems (CMSs). How much?

Read on.

Last year, there were over 20,100 publicly reported vulnerabilities (https://www.cvedetails.com/browse-by-date.php), and this year looks on track to beat that record. Last year, we averaged 55 reported vulnerabilities a day and this year, we are on target for an average of 69 vulnerabilities a day (not that vulnerabilities are found or reported linearly). Many commercial vendors claim that a more accurate, more inclusive figure of publicly reported vulnerabilities is half (or more) higher than what the more popular Common Vulnerabilities and Exposures (CVE) list reports. Sometimes vendors do not report their vulnerabilities to the MITRE CVE database. Here is the official CVE list by year, according to CVE Details:

[Image: CVE list by year, per CVE Details]

No matter whose data, we have a lot of things to worry about. We have a lot of things we need to patch.

But which ones do you need to worry about?

According to decades of historic data, less than 4%. Less than 4% of total publicly known exploits are ever known to be used by any real-world adversary against any real-world target. This figure is backed by the U.S. Cybersecurity & Infrastructure Security Agency (https://www.cisa.gov/known-exploited-vulnerabilities) and many commercial vendors.

I have often argued that the only exploits you need to worry about, or at least worry about the most and first, are exploits that are actually being used “in-the-wild”. If no real-world criminal uses a particular exploit against ANY real-world target, it is harder to say that it is a vulnerability that everyone needs to hurry up and mitigate. On the opposite end of the spectrum, if an exploit is being used in the wild to attack real-world targets, then it should be high on your list of things to patch.

But how do you tell what vulnerability is being exploited in-the-wild and which is not?

Luckily, CISA (https://www.cisa.gov) has our back on that as well. CISA maintains, and you should subscribe to, its authoritative Known Exploited Vulnerabilities (KEV) Catalog (https://www.cisa.gov/known-exploited-vulnerabilities-catalog). It only lists significant vulnerabilities that are being used by real-world adversaries against real-world targets. If something is on this list and you have it in your environment, you need to patch it ASAP (although CISA officially gives managed organizations two weeks to patch).

I previously wrote an article stating that all patch management implementations should prioritize vulnerabilities listed on CISA’s Known Exploited Vulnerabilities Catalog first (https://www.cisa.gov/known-exploited-vulnerabilities-catalog), and everything else after.

Note: CISA’s Known Exploited Vulnerabilities Catalog was only released last year, in November 2021, so it only contains vulnerabilities added since that date.

What Is on CISA’s Known Exploited Vulnerabilities Catalog?

I have subscribed to CISA’s Known Exploited Vulnerabilities Catalog since its creation, and what gets put on it is not just Microsoft Windows vulnerabilities. In fact, it is 70% not Microsoft Windows vulnerabilities. If you are going to appropriately defend your environment, it is important to have a good idea about what is on it.

Important Caveat: Not all CISA’s Known Exploited Vulnerabilities Catalog vulnerabilities are equal. Inclusion on CISA’s Known Exploited Vulnerabilities Catalog does not indicate the popularity and use of a particular vulnerability. One vulnerability might be used a lot by attackers and others far more sparingly.

Anyone can download CISA’s Known Exploited Vulnerabilities Catalog in JSON or CSV format. I did.

There are a total of 832 vulnerabilities spread among 137 different vendors on the list as of the date I downloaded it (9/15/22).

Not surprisingly, Microsoft does have the biggest share of vulnerabilities, 239 or 29% of the list. To be fair, Microsoft does have well over 700 products and likely billions of lines of code that can have bugs. According to CVE Details (https://www.cvedetails.com/vendor/26/Microsoft.html), Microsoft reported a total of 729 bugs (exploited or not) in 2022 so far. CISA added 156 Microsoft vulnerabilities (disclosed in any year) to the KEV in 2022.

So, at first glance, it might look like 21% of Microsoft vulnerabilities (156/729) get used in-the-wild, far higher than the 4% figure reported by CISA. Of course, Microsoft Windows is not the only thing you need to worry about. Both Cisco and Adobe tie for second place on CISA’s KEV with 59 vulnerabilities, or 7% of the total. Apple, with 47 vulnerabilities, is in fourth place and Google, with 41 vulnerabilities, is in fifth place. Oracle, Apache, VMware and D-Link round out the top nine.

Note: Years ago, in 2009, in partial jest, I created the Grimes Corollary (https://www.csoonline.com/article/2629811/macs--low-popularity-keeps-them-safer-from-hacking-and-malware.html), which says that whatever becomes popular will be hacked the most. It has never been wrong.

Apple has a total of 141 products listed on CVE Details (https://www.cvedetails.com/vendor/49/Apple.html) with 174 vulnerabilities reported so far in 2022. So again, at first glance, it might look like 27% (47/174) of Apple’s reported vulnerabilities are used in-the-wild.

Does this mean that the most popular products, Microsoft Windows and Apple, are exploited at higher than 4% rates?

No.

CISA KEV will include any vulnerability being exploited in-the-wild, regardless of the year it was disclosed. Most of the included vulnerabilities were disclosed and patched years ago. Many of the vendors on the CISA KEV list have not had a newly disclosed bug in years, and most of the bugs exploited against the most popular products are from many years ago. Either attackers are only now getting around to using them, or CISA is only now detecting in-the-wild attacks against them, so they get included on this year’s KEV list.

When looking at the underlying data on a per-year basis, it looks like even the popular vendors have a 4% or less exploitation rate within a given year. Here are the results for the top nine KEV vendors regarding total number of new 2022 announced CVE exploits versus those same exploits put on CISA’s KEV list in 2022 so far. [2]

[Image: table of new 2022 CVEs versus 2022 KEV additions for the top nine KEV vendors]

So, other than VMware and D-Link, who have a much smaller population of 2022 vulnerabilities for comparison purposes, the most popular vendors do seem to agree with that 4% or less touted statistic.
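As an added example that is not the article's own code, here is how the two tallies described above (a vendor's share of the whole catalog, and the per-year comparison of a vendor's newly disclosed CVEs against its same-year KEV additions) can be computed from the KEV JSON export; the entries, CVE IDs and dates are constructed placeholders, and the vendor's yearly CVE total (the article's 729 for Microsoft, 174 for Apple) is supplied by the caller.

```python
"""Tally a CISA KEV JSON export by vendor and estimate a same-year exploitation rate.
The real feed is a dict with a "vulnerabilities" list whose entries carry cveID,
vendorProject, product, vulnerabilityName, dateAdded, shortDescription, requiredAction
and dueDate. Every entry below is a constructed placeholder, not catalog data."""
import json
from collections import Counter

def _entry(cve, vendor, product, added, due):
    # One record in the KEV JSON shape (constructed sample, not real catalog data).
    return {"cveID": cve, "vendorProject": vendor, "product": product,
            "vulnerabilityName": "placeholder", "dateAdded": added,
            "shortDescription": "constructed sample", "dueDate": due,
            "requiredAction": "Apply updates per vendor instructions."}

SAMPLE_KEV_JSON = json.dumps({"title": "sample", "count": 5, "vulnerabilities": [
    _entry("CVE-2022-00001", "Microsoft", "Windows", "2022-03-01", "2022-03-15"),
    _entry("CVE-2022-00002", "Microsoft", "Exchange Server", "2022-08-10", "2022-08-24"),
    _entry("CVE-2017-00003", "Microsoft", "Office", "2022-05-05", "2022-05-19"),
    _entry("CVE-2022-00004", "Apple", "iOS", "2022-02-11", "2022-02-25"),
    _entry("CVE-2019-00005", "D-Link", "router firmware", "2022-01-21", "2022-02-04"),
]})

def load_kev(text):
    """Parse a KEV JSON document and return its list of vulnerability entries."""
    return json.loads(text)["vulnerabilities"]

def vendor_counts(entries):
    """Number of KEV entries per vendorProject."""
    return Counter(e["vendorProject"] for e in entries)

def vendor_share(entries, vendor):
    """(count, percent of the whole catalog) for one vendor, as the article does for Microsoft."""
    n = vendor_counts(entries)[vendor]
    return n, round(100.0 * n / len(entries), 1)

def cve_year(cve_id):
    """The year token of a CVE ID (CVE-YYYY-NNNNN) approximates its disclosure year."""
    return int(cve_id.split("-")[1])

def same_year_rate(entries, vendor, year, cves_reported):
    """Vendor entries both disclosed in `year` and added to KEV in `year`, divided by the
    vendor's total CVEs for that year (caller-supplied, e.g. from CVE Details) -> (count, percent)."""
    hits = [e for e in entries if e["vendorProject"] == vendor
            and cve_year(e["cveID"]) == year and e["dateAdded"].startswith(str(year))]
    return len(hits), round(100.0 * len(hits) / cves_reported, 1)

def overdue(entries, today):
    """cveIDs whose CISA dueDate (ISO YYYY-MM-DD, so string order is date order) is past."""
    return sorted(e["cveID"] for e in entries if e["dueDate"] < today)
```

Run it against the real export (downloadable in JSON from the KEV catalog page) by passing the file's text to `load_kev`; `overdue` lists the entries whose CISA due date has already passed on a given day.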

Either way, you need to patch your software. But according to the latest data, only about 4% or less of this year’s exploits will be used in real-world attacks. Over time, exploits add up. And if you do not patch your products in a timely manner, you are just asking for trouble. However, if you have not patched your 2021 and prior vulnerabilities by now, I put the onus on you and not the vendor.

Of course, total number of exploits alone is not the full story. Some exploits are used a lot more than others. There are far more exploitable products (e.g., potential victims) out there for some exploits (e.g., Microsoft, Apple, etc.). And not all announced exploits are equal. Some are the most critical (e.g., execution of code and access control bypass, etc.) and others slightly less concerning (e.g., memory corruption, information leak, etc.).

There is a fair amount of open-source software included from operating systems (e.g., Linux) to very commonly used programs (e.g., Sudo, BASH, OpenSSH, OpenSSL, etc.). There were development platforms like Ruby on Rails. There were common components and scripts used across a wide variety of projects and products. I think we can safely say the “many eyes” theory of open-source software being safer than commercial software has been killed, unless someone can explain how huge exploitable bugs were in open-source software for over a decade without a single eyeball finding it a long time ago.

On the software patch list, there are many non-OS software products, such as VPNs, content management systems (CMS), device management platforms, computer security software, network monitoring tools and the like. It is clear you need to be worried about any software exploit that ends up on the CISA KEV list and not just OS vulnerabilities. And many times, the stuff we are buying to help protect our networks (e.g., VPNs, security monitoring software, AV, firewalls, network monitors, etc.) is being used against us.

What About Hardware Exploits?

The days of just worrying about software-only exploits (e.g., Windows, Apple, Google, Adobe, etc.) are long gone. Today, attackers frequently exploit the appliances and hardware that we have all across our networks. Software-only exploits still rule, but in my quick estimation, about 180 or more of the KEV vulnerabilities appear to be hardware related: appliances, software running on appliances, gateways, routers, security cameras, etc.

Even though hardware and appliance vulnerabilities are only about 21% (180/832) of the KEV list, they seem to be an increasingly popular target for attackers. Even more concerning, many defenders just do not give hardware/appliance/firmware the same level of patch management attention, and those items should be seen as harder-to-patch software. It is not unusual for defenders to have a fairly good handle on their software vulnerabilities but at the same time have unpatched hardware/appliance/firmware vulnerabilities for years.

Every defender should make sure they focus on patching non-software exploits with the same attention as they do software exploits.

Cloud Products

The world is moving to cloud products, so it was not surprising to see a lot of cloud products on the list (although a far smaller percentage than on-premise products). In general, I am still a growing fan of cloud products because once an exploit is found, the cloud vendor can fix it ASAP, without asking permission, and with far less operational interruption than what happens with on-premise products. Many of the biggest exploits of the last few years were with on-premise products (e.g., Microsoft Exchange, etc.) that did not impact their cloud-related cousin (e.g., Microsoft O365, etc.). If you add to the plus side that cloud products usually have backup and recovery, cloud products are looking more win-win all the time.

Social Engineering

Also remember that social engineering is involved in 70% to 90% of all successful exploits, whether unpatched software is involved or not, and therefore, mitigating social engineering should be your number one focus. Unpatched software is involved in about 20% to 40% of all successful exploits, and so it, and using CISA’s KEV list, should be second highest priority on your list. The third most common root cause for malicious exploits is password exploits (e.g., stolen, guessing, cracking) of some sort. These three root causes account for the vast majority of successful exploits. You should fight these three root causes above all others.

Summary

In conclusion, less than 4% of known vulnerabilities are used against any real-world target within the same year. Over time, vulnerabilities accumulate, and if you are a slower patcher, the odds of vulnerability exploits increase. Use CISA’s Known Exploited Vulnerabilities Catalog list to guide you in what you absolutely need to patch first and best. If it is on the KEV list and you have it in your environment, patch it quickly. Lastly, make sure you inventory, and look for, non-software exploits as strongly as you do software-only exploits. Attackers are increasingly looking across the enterprise for avenues into your devices and networks. Patch! Patch! Patch! But mostly, patch the items on the CISA KEV list.

Continue to keep up the good fight!

Mark Schrader

Resource. ---------------

2 years

Great insights from real world experience and a great set of reference links. Don't ever believe you are safe and secure and you have the castle defended. There are always individuals waiting to exploit complacency.

Mike Davis (SMB Security Advocate)

CISO. Cyber acumen and savvy effectively applied. Resource what really matters – minimize your cyber risks worry. Experienced virtual / fractional CISO and ERM/GRC programs. CISSP, MSEE, PM, etc.

2 years

Great advice… and solid VulMgmt overview Not sure how best to get started, or to optimize patching… use the CISA KEV! “…. Luckily, CISA maintains, and you should subscribe to, its authoritative Known Exploited Vulnerabilities (KEV) Catalog (https://www.cisa.gov/known-exploited-vulnerabilities-catalog). It only lists significant vulnerabilities that are being used by real-world adversaries against real-world targets. If something is on this list and you have it in your environment, you need to patch it ASAP…

Pete Self

Vice President of Information Technology Security for The NORDAM Group

2 years

Turns and asks auditing team, “Is Roger correct?”

Edwin Antczak

Principal Cyber Strategy Liaison

2 years

Deep and interesting insights on patching and vulnerabilities. Thank you very much for your work and results.

Ryan Skelton, CISSP

Senior Security Sales Engineer at Rapid7 | Often posting Cybersecurity related material but also anything funny and entertaining | My views don't represent my employer.

2 years

You should focus on vulns that have known exploits or malware kits. Then prioritize on the criticality of that asset to your company.
