Press release

RiskSense Research Report Finds Attackers Weaponized More Security Vulnerabilities Last Year than Ever Before

Sponsored by Businesswire

RiskSense®, Inc., pioneering risk-based vulnerability management and
prioritization, today announced the results of the RiskSense Vulnerability
Weaponization Spotlight Report, which analyzed more than 20 years of
security flaws across the Adobe family of products. It found that 2018 had the most
weaponized vulnerabilities ever (177), which represents a 139% increase
compared to 2017. In addition, the rate of exploits discovered in the
wild before a patch was available was nearly three times higher last
year than the previous record set in 2010.

“The fact that attackers are weaponizing more vulnerabilities than ever
before, and releasing exploits before patches are available, illustrates
the need for a more holistic approach to vulnerability management and
prioritization that is based on threat exploitability and weaponization
metrics,” said Srinivas Mukkamala, CEO of RiskSense. “For example,
global exploit kits including Neutrino and Angler were taking advantage
of vulnerabilities in the wild for more than a year before they were
disclosed.”

Methodology

The report provides an in-depth analysis of
vulnerabilities and weaponization patterns across the Adobe family of
products from August 1996 through November 2018, and spans 2,891 Common
Vulnerabilities and Exposures (CVE) entries. While the primary data
source was Adobe security bulletins and advisories, the study also
included CVEs published by third parties such as scanner knowledge
bases, bug bounty programs, vendors (SUSE, Red Hat, Microsoft, etc.),
and NVD (National Vulnerability Database) entries that were not included
in Adobe security bulletins and advisories.

Report Highlights

Following are some of the key insights
from the RiskSense Vulnerability Weaponization Spotlight Report:

  1. 2018 was most weaponized year on record
    Despite a 31% decrease in vulnerabilities compared to the high reached
    in 2016, last year had the most weaponized vulnerabilities ever (177),
    which represents a 139% increase compared to 2017 (74). Meanwhile, the
    percentage of vulnerabilities weaponized in 2018 (47.3%) was double
    that of 2017 (20.6%) and 2016 (23.2%).
  2. Most exploits are available before a patch is
    2018 also had the highest number of exploits in the wild before a patch
    was available (50), compared to the previous record set in 2010 (18).
    This represents a nearly 200% increase.
  3. Cloud products produced largest increase in vulnerabilities
    2015, the year Adobe introduced cloud-based delivery of its products,
    generated the largest year-over-year increase in vulnerabilities, both
    in terms of total vulnerabilities and high-severity vulnerabilities.
    The number of vulnerabilities in 2015 increased by 357 compared to
    2014. Within that figure, 314 were high severity, making 2015 the year
    with the largest number of high-severity vulnerabilities.
  4. Buffer Overflow was most common vulnerability
    Among the 2,891 vulnerabilities investigated, Buffer Overflow was the
    most common type across all years (1,094 CVEs), distantly followed by
    Out-of-bounds Read (195 CVEs) and Use After Free (160 CVEs) types.
  5. Acrobat Reader most vulnerable product
    Over the research period, the Acrobat Reader family of products
    contained the most vulnerabilities (1,338). In 2015, the year the
    Acrobat DC product was introduced, 137 vulnerabilities were reported.
    Given the large number of organizations that depend on the Acrobat
    family of products for business workflows, this represents a major
    security concern.

A full copy of the report is available here: https://go.risksense.com/WC-Adobe-Spotlight.html?utm_source=website&utm_medium=press.

About RiskSense

RiskSense®, Inc. provides
vulnerability management and prioritization to measure and control
cybersecurity risk. The cloud-based RiskSense platform uses a foundation
of risk-based scoring, analytics, and technology-accelerated pen testing
to identify critical security weaknesses with corresponding remediation
action plans, dramatically improving security and IT team efficiency and
effectiveness. For more information, visit www.risksense.com
or follow us on Twitter at @RiskSense.