2017 Sets New Record for Security Vulnerabilities
In 2017, a record-breaking number of security vulnerabilities were disclosed. According to a report by Risk Based Security, its analysts catalogued 20,832 vulnerabilities published over the course of the year.
Key Findings from the Report
- The number of disclosed vulnerabilities in 2017 increased by 31.0% compared to the previous year.
- 39.3% of the vulnerabilities received a CVSSv2 base score of 7.0 or higher (the "High" band of the CVSSv2 scale).
- Of these, 48.5% could be exploited remotely, and 31.5% had a public exploit available.
- Half (50.6%) of all vulnerabilities were related to websites, with 28.9% involving cross-site scripting (XSS) issues.
Top Vendors and Products Affected
The ten vendors with the most vulnerabilities rated 9.0 to 10.0 on the CVSSv2 scale were:
- Google (503 issues)
- SUSE (301)
- Canonical (285)
- Red Hat (274)
- SGP (257)
- Adobe (256)
- Mozilla (246)
- Samsung (228)
- Oracle (201)
- Xerox (198)
The ten products with the most vulnerabilities in that 9.0 to 10.0 band were:
- Google Pixel/Nexus devices (354 vulnerabilities)
- Ubuntu (285)
- SilentOS (257)
- Red Hat Enterprise Linux (253)
- Firefox (246)
- SUSE Linux Enterprise Desktop (226)
- Samsung mobile devices (226)
- SUSE Linux Enterprise Server (197)
- OpenSUSE Leap (196)
- FreeFlow Print Server (191)
Disclosure and Patch Statistics
- At least 44.8% (9,335) of vulnerability disclosures were coordinated with the vendor.
- Only 18.6% (3,875) were uncoordinated disclosures.
- 5.9% of vulnerabilities were disclosed through bug bounty programs.
- A vendor update or patch was available for 72.8% of the vulnerabilities disclosed in 2017; 23.2% had no fix available at the time of the report.
SCADA Vulnerabilities
Only 1.7% of all vulnerabilities were found in SCADA products, down from 2.8% in 2016. Of these SCADA vulnerabilities:
- 52.2% could be exploited remotely
- 73.5% affected product integrity
- 61.3% were related to improper input validation