2016 Review of Vulnerabilities

Credit to Author: Jon Clay| Date: Thu, 23 Mar 2017 13:00:45 +0000

In our 2016 security roundup report, A Record Year for Enterprise Threats, we talked about the vulnerability landscape during the year and what trends we saw.

Let’s look at some of the key aspects of what we saw in 2016.

1. Trend Micro’s Zero Day Initiative (ZDI), with the support of its 3,000+ independent vulnerability researchers, discovered and responsibly disclosed 678 vulnerabilities in 2016. There were some interesting trends, as can be seen in the figures below:

  • First is that Microsoft has continued to minimize the number of vulnerabilities within its products over time. That’s good news, but the not-so-good news for Microsoft was the 2,100 percent increase in Edge vulnerabilities. This was further supported at Pwn2Own 2017, as Edge was the most exploited browser in the contest.
  • Second was a drop in overall Adobe vulnerabilities, although Acrobat Reader had the second-highest number of vulnerabilities disclosed for 2016.
  • 0-days, which are vulnerabilities that had active attacks associated with them prior to a patch being released, were down in 2016 from 2015. That is good news, but we also saw recently with the hack of the CIA that there are likely many 0-days out there that have not been disclosed.
  • Android saw a large increase (206 percent) in the number of vulnerabilities disclosed for it. Trend Micro researchers submitted 54 vulnerabilities to Google for Android in 2016.
  • SCADA vulnerability disclosures increased 421 percent in 2016, which does not bode well for these manufacturers given the challenges of managing updates to these devices.

2. Within the exploit kit market, we saw a number of changes take place. The Angler exploit kit ceased operations after a number of actors were arrested in Russia. Neutrino tried to take its place, but that appeared to be fleeting, as can be seen in the chart below.

3. We also saw a decrease in the number of new vulnerabilities being added to exploit kits in 2016, which does not necessarily mean exploit kits are less effective. We regularly see older vulnerabilities used within exploit kits because these still appear to work for compromising systems. What we did see in 2016 was greater use of ransomware within exploit kits as the primary infection option.

While we saw both increases and decreases in the number of vulnerabilities from respective vendors, what is true is that threat actors will continue to use exploits to infect their victims. People and organizations should not assume that, because we saw some decreases, they can take longer to patch their systems. Patch management is as critical today as ever, and virtual patching can be used to allow more time to manage the patch from the vendor.

In the cases where ZDI managed the disclosure process, they were able to protect TippingPoint NGIPS customers, on average, 57 days prior to the vendor’s release of its patch.

Trend Micro also offers virtual patching within our Deep Security, Deep Discovery, and Vulnerability Protection solutions.

 
