A Third of Known Computer Security Flaws Have No Solution

In the first half of 2019, analysts at computer security firm Risk Based Security (RBS) enumerated a total of 11,092 flaws in computer systems (known as vulnerabilities) that could be exploited by a hacker to take unauthorized actions in another person’s or organization’s system. Of the total number of flaws, there is no known solution for just over one-third of known vulnerabilities.

More than half (53%) of reported vulnerabilities can be exploited remotely, and about a third (34%) have publicly available hacks (technically known as exploits). Web-related vulnerabilities accounted for nearly 55% of the total for the first half of the year.

The web-related flaws include targeting open, unsecured databases left unprotected. Such exploits accounted for just 149 breaches in the first six months of this year, but more than 3.2 billion breached records.

Brian Martin, vice-president of vulnerability intelligence for Risk Based Security, said:

34% of vulnerabilities do not have a solution, which may be because vendors are not patching. This can occur when the researcher has not informed the vendor, so they don’t know about the vulnerability.

The RBS midyear vulnerability report indicates that 14.7% of the reported vulnerabilities received high or critical scores on a scale known as the common vulnerability scoring system. The number of these types of flaws was down slightly year over year; however, the severity levels remain significant and require organizations to remain vigilant.

RBS identified the software vendors that have reported the most vulnerabilities in the first half of 2019. Open-source, free operating system Debian jumped from fourth in the first half of 2018 to first this year with 602 vulnerabilities reported. SUSE, another vendor of open-source (but not free) software, reported 562 vulnerabilities and held on to its second-place ranking.

Oracle ranked third again in 2019 with 533 vulnerabilities, and IBM moved up the ladder from seventh to fourth with 507 vulnerabilities. Others in the top 10 included Microsoft, Google, Red Hat, Cisco and Adobe. The top five vendors accounted for 24.1% of all vulnerabilities reported in the first half of this year.

Bug bounty programs that offer payments to developers who find flaws in systems accounted for nearly 12% of the vulnerabilities reported in the first six months of 2019.

