NCC Group has found that only 26% of vulnerabilities discovered and reported over the last nine years by its research team are likely to have been fixed.
Of the 289 cases which were classed as ‘closed’ (i.e. either fixed, or dismissed by the vendor as an acceptable risk), they took on average at least twice as long as the industry-accepted 30 days to reach a resolution. Low risk vulnerabilities took an average of 96 days, medium risk vulnerabilities took 77, and critical vulnerabilities took 74.
The research team points out that this is not necessarily due to the problem being difficult to resolve – in many cases the team had trouble finding the correct person at the company to whom they could securely disclose the vulnerability, often resorting to contacting social media teams, who frequently did not respond.
What’s more, the team found that only 2.4% of vulnerabilities reported resulted in a CVE – meaning that since many vulnerabilities were not resolved, users who might be impacted by them might never find out about the risk. Or at least, not until after it was exploited.
Matt Lewis, Research Director at NCC Group, said that this was likely due to a false sense of security concerning low-risk vulnerabilities. He said that the company was seeing an increase in ‘bug chaining attacks’, which exploit multiple ‘low risk’ vulnerabilities at once to gain access to systems, networks and devices.
On a similar note, Microsoft recently explained how it decides which security bugs need fixing immediately, and which can be left until a later version of the product is released. Given the potential for vulnerabilities classified as low risk to be exploited, the announcement drew some backlash – “It’s no wonder why some of us don’t trust Windows security as far as we can throw one of Chariman Nadella’s luxury cars” being one example – but the transparency (and the fact that the bugs are fixed at all) is a better response than many received by the NCC Group research team.
“Our analysis highlights a clear knowledge gap when it comes to the resolution of vulnerabilities. Improving our industry’s ability to detect vulnerabilities before they become an issue is less of an achievement without an established process in place for their remediation and disclosure,” said Lewis.
“The fact that the majority of vulnerabilities uncovered by our researchers over the last nine years have not been fixed demonstrates that there are likely far more zero-day vulnerabilities in existence than we might think.”