ARN

Vulnerabilities on the decline, but risk assessment is often flawed, study says

The number of vulnerabilities could reach a three-year low in 2014, but correctly assessing their risk can be hard, IBM researchers said

Based on data gathered over the first six months of 2014, security researchers from IBM X-Force predict that the number of publicly reported vulnerabilities will drop to under 8,000 this year, a first since 2011.

While the majority of flaws disclosed so far fall into the medium-risk category, the IBM researchers said that the widely used system to rate their severity often fails to reflect the real risk they pose to users.

Over the first half of the year, the IBM X-Force team collected reports about 3,900 security vulnerabilities from advisories published by software vendors, security industry mailing lists and other sources. If vulnerability disclosures continue at the same rate, the number of flaws reported in 2014 will fall under 8,000, several hundred fewer than in each of the previous two years, the team said in a report released this week.

"It is difficult to point to any one factor that has contributed to the decline in the number of vulnerability disclosures in 2014," the X-Force researchers said. "However, it is interesting to note that the total number of vendors disclosing vulnerabilities has decreased year over year (1,602 vendors in 2013, compared to 926 vendors in 2014)."

Security experts have argued in the past that the overall number of vulnerabilities is not as relevant as their impact. However, despite attempts to standardize methods of assessing the severity of vulnerabilities, such as the Common Vulnerability Scoring System (CVSS), there are many cases where the true risk posed by certain flaws is not represented accurately.

"Many in the industry, including security analysts, corporate incident response teams and enterprise software consumers, have become dissatisfied with scoring inconsistencies that often occur across different organizations," the X-Force researchers said. "Sometimes the inconsistencies are the result of the subjectivity that can go into how an individual or organization scores vulnerabilities, but they can also result from some of the inherent flaws in the current CVSS standard and a lack of clear guidelines on how to objectively assess certain types of vulnerabilities."

One prime example is the Heartbleed flaw disclosed in the OpenSSL library in early April that can be exploited by attackers to extract sensitive information from the memory of Web servers. The vulnerability received a CVSS base score of 5.0 out of 10, which puts it into the medium-risk category.

"With the number of products impacted, the time and attention IT teams spent patching systems and responding to customer inquiries, as well as the potential sensitivity of data exposed, the true impact of the Heartbleed vulnerability was greater than the CVSS base score would indicate," the X-Force researchers said. "This also brings to question what other vulnerabilities fell into the medium-risk category (CVSS base score 4.0 to 6.9) that may have been disregarded by organizations, but that also had potential large-scale impacts similar to Heartbleed."

Sixty-seven percent of vulnerabilities disclosed during the first half of 2014 fell into the medium-risk level based on their assigned CVSS scores, according to the IBM report. This is similar to numbers seen in the previous two years.

In 2013, Carsten Eiram, the chief research officer at Risk Based Security, and Brian Martin from the Open Security Foundation, two researchers experienced in maintaining vulnerability databases, wrote an open letter detailing CVSS shortcomings to the Forum for Incident Response and Security Teams (FIRST), the organization that maintains the standard.

"While CVSSv2 saw improvements over CVSSv1, the scheme is still not adequately supporting real life usage, as it suffers from being too theoretical in certain aspects," Eiram and Martin wrote in their letter. "Specific vulnerability types and vectors are not properly supported while others are not properly described, leading to subjective and inconsistent scoring, which CVSS was designed to prevent."