Research shows overall vulnerability disclosures rose a staggering 26% in 2012; vulnerabilities in SCADA systems protecting critical infrastructure have skyrocketed 600% since 2010

AUSTIN, Texas – February 4, 2013 – NSS Labs today released a new 2012 Vulnerability Threat Report, analyzing data on threat and vulnerability trends over the past 10 years and revealing that, after a five-year decline, the number of vulnerabilities disclosed in 2012 rose 26% compared to 2011. This reversal, along with the recent announcement from the Common Vulnerabilities and Exposures (CVE) project that it plans to change its vulnerability identifier syntax in order to number more than 9,999 entries per year, indicates that vulnerability numbers are expected to increase steadily, despite massive secure-software investment across the software industry.

Watch the Video – The Evolution of 2012 Vulnerability Disclosures By Vendor

NSS’s research yielded several key conclusions:

  • Vulnerabilities in systems protecting critical infrastructure skyrocket: While still a relatively low total number (124 in 2012), vulnerabilities within industrial control systems (ICS) and supervisory control and data acquisition (SCADA) systems have grown by 600% since 2010 and nearly doubled, from 74 to 124, from 2011 to 2012 alone. These systems control industrial, infrastructure and facility-based processes such as electric grids, water supplies, power plants, pipelines, etc. – all of which represent high-value targets to cybercriminals wishing to cause large-scale disruption or damage. With tools now available to easily identify internet-facing ICS/SCADA systems, NSS expects that the arms race has only just started and that security issues with these systems will continue to increase.
  • 1% of Vendors are Responsible for 31% of Vulnerabilities: On average, around one percent of vendors account for 31 percent of the vulnerabilities disclosed per year and only one of the top 10 vendors – Microsoft – managed to decrease its vulnerability disclosures in 2012 compared to its average number of disclosures in the previous decade. This small number of vendors represents the most prevalent software products in everyday private and enterprise use – which is visualized in the video above.
  • The number of vendors affected continues to expand: Vulnerabilities disclosed in 2012 affected over 2,600 products from 1,330 vendors – 73% of these were new vendors who had not had a vulnerability disclosure in the previous two years. These new vendors accounted for 30% of the total vulnerabilities disclosed in 2012. While recurring vendors may still represent the bulk of vulnerabilities reported, research shows that the vulnerability and threat landscape continues to be highly dynamic, with new vendors continually emerging as technologies (and threats) evolve.
  • Highly critical vulnerabilities combined with low attack complexity pose the greatest threats: In 2012, 9.2% of disclosed vulnerabilities had a CVSS (Common Vulnerability Scoring System) base score of 9.9 or more paired with a low attack complexity. This combination of a highly critical vulnerability that is fairly easy to attack or exploit represents a “perfect match” for cybercriminals, who can now do more damage with less skill. The top 10 vendors with this type of vulnerability represent major types of software used every day by consumers, businesses, government agencies and other organizations, including popular web browsers, plugins and media players, and operating systems. One notable exception is Advantech, a producer of industrial control/SCADA systems.
  • Disclosures by leading vulnerability purchase programs plummet: Two of the best-recognized and longest-running vulnerability purchase programs, iDefense VCP and HP Zero-Day Initiative (formerly TippingPoint), both lost more than half of their market share in 2012. This correlates with an overall change in how vulnerabilities (and exploits) are being bought and sold as the marketplace for each rapidly expands.
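Two of the points above translate directly into code that anyone tracking disclosure data needs to get right: the CVE identifier syntax change mentioned in the opening paragraph (tooling that assumes exactly four sequence digits silently breaks once a year exceeds 9,999 entries), and the "base score of 9.9 or more with low attack complexity" filter from the fourth bullet. The following Python is an added example, not code from NSS Labs or the report. It assumes CVSS v2 (the version current for 2012 disclosures) and implements its published base-score formula from the vector string, accepts both the original four-digit CVE sequence numbers and the later variable-length form (four or more digits, no zero padding beyond four), and applies the report's threshold over a handful of constructed records. The records, their vectors and the 9.9 threshold are illustrative; the threshold is taken from the page, not from any CVSS severity band.

```python
"""Triage helpers for vulnerability-disclosure records (added example).

Implements:
  * CVE identifier validation accepting the original fixed four-digit
    sequence numbers and the later variable-length form (four or more
    digits) introduced so that more than 9,999 IDs per year can be issued;
  * CVSS v2 base-score computation from a base vector string;
  * the "highly critical and low attack complexity" filter
    (base score >= 9.9 and AC:L) over a set of records.
All sample records below are constructed for illustration only.
"""
import math
import re

# Old syntax: exactly four sequence digits. New syntax: four or more digits;
# sequence numbers longer than four digits are never zero-padded.
CVE_ID_RE = re.compile(r"^CVE-(\d{4})-(\d{4,})$")

# CVSS v2 base metric weights from the v2 specification.
CVSS2_WEIGHTS = {
    "AV": {"L": 0.395, "A": 0.646, "N": 1.0},     # access vector
    "AC": {"H": 0.35, "M": 0.61, "L": 0.71},      # access complexity
    "Au": {"M": 0.45, "S": 0.56, "N": 0.704},     # authentication
    "C": {"N": 0.0, "P": 0.275, "C": 0.660},      # confidentiality impact
    "I": {"N": 0.0, "P": 0.275, "C": 0.660},      # integrity impact
    "A": {"N": 0.0, "P": 0.275, "C": 0.660},      # availability impact
}


def parse_cve_id(cve_id: str) -> tuple[int, int]:
    """Return (year, sequence) for a well-formed CVE id, else raise ValueError."""
    m = CVE_ID_RE.match(cve_id.strip())
    if not m:
        raise ValueError(f"not a CVE identifier: {cve_id!r}")
    year, seq = m.group(1), m.group(2)
    if len(seq) > 4 and seq.startswith("0"):
        raise ValueError(f"zero-padded long sequence number in {cve_id!r}")
    return int(year), int(seq)


def parse_cvss2_vector(vector: str) -> dict[str, str]:
    """Split 'AV:N/AC:L/Au:N/C:C/I:C/A:C' into a metric -> value mapping."""
    metrics = {}
    for part in vector.split("/"):
        name, _, value = part.partition(":")
        if name not in CVSS2_WEIGHTS or value not in CVSS2_WEIGHTS[name]:
            raise ValueError(f"bad CVSS v2 metric {part!r} in {vector!r}")
        metrics[name] = value
    missing = set(CVSS2_WEIGHTS) - set(metrics)
    if missing:
        raise ValueError(f"vector {vector!r} missing {sorted(missing)}")
    return metrics


def cvss2_base_score(vector: str) -> float:
    """CVSS v2 base score: 0.6*Impact + 0.4*Exploitability - 1.5, times f(Impact)."""
    w = {k: CVSS2_WEIGHTS[k][v] for k, v in parse_cvss2_vector(vector).items()}
    impact = 10.41 * (1 - (1 - w["C"]) * (1 - w["I"]) * (1 - w["A"]))
    exploitability = 20 * w["AV"] * w["AC"] * w["Au"]
    f_impact = 0.0 if impact == 0 else 1.176
    raw = (0.6 * impact + 0.4 * exploitability - 1.5) * f_impact
    return math.floor(raw * 10 + 0.5) / 10  # round half up to one decimal place


def is_critical_low_complexity(vector: str, threshold: float = 9.9) -> bool:
    """The report's criterion: base score >= threshold and low access complexity."""
    return cvss2_base_score(vector) >= threshold and parse_cvss2_vector(vector)["AC"] == "L"


# Constructed sample disclosure records: (CVE id, CVSS v2 base vector).
SAMPLE_RECORDS = [
    ("CVE-2012-0001", "AV:N/AC:L/Au:N/C:C/I:C/A:C"),   # 10.0, AC:L -> counted
    ("CVE-2012-0002", "AV:N/AC:M/Au:N/C:C/I:C/A:C"),   # 9.3
    ("CVE-2012-0003", "AV:N/AC:M/Au:N/C:N/I:P/A:N"),   # 4.3
    ("CVE-2012-0004", "AV:L/AC:L/Au:N/C:C/I:C/A:C"),   # 7.2
    ("CVE-2012-0005", "AV:N/AC:H/Au:N/C:C/I:C/A:C"),   # 7.6
    ("CVE-2012-12345", "AV:N/AC:L/Au:N/C:C/I:C/A:C"),  # 10.0, new id syntax -> counted
    ("CVE-2012-0006", "AV:N/AC:L/Au:S/C:C/I:C/A:C"),   # 9.0
    ("CVE-2012-0007", "AV:N/AC:L/Au:N/C:N/I:N/A:C"),   # 7.8
]


def critical_low_complexity_share(records) -> tuple[int, float]:
    """Return (matching count, share of all records) after validating every CVE id."""
    vectors = []
    for cve_id, vector in records:
        parse_cve_id(cve_id)  # malformed ids raise instead of being silently skipped
        vectors.append(vector)
    hits = sum(1 for v in vectors if is_critical_low_complexity(v))
    return hits, (hits / len(vectors) if vectors else 0.0)


if __name__ == "__main__":
    count, share = critical_low_complexity_share(SAMPLE_RECORDS)
    print(f"{count} of {len(SAMPLE_RECORDS)} records ({share:.1%}) are critical and low-complexity")
```

Two design points matter for real data. First, the id validator rejects zero-padded long sequence numbers rather than normalizing them, because the same numeric value written two ways would otherwise be counted twice. Second, the filter recomputes the score from the vector instead of trusting a stored score column, so a record whose score and vector disagree is caught by the arithmetic rather than propagated into the statistics.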

Commentary: NSS Labs Research Director Stefan Frei

“While vulnerabilities in 2012 haven’t returned to the all-time high levels we saw in 2006, it’s significant that after 5 years of decline, the number of disclosed vulnerabilities rebounded sharply and jumped 26% in one year,” said Stefan Frei, Research Director at NSS Labs. “It is not just the number of vulnerabilities that matters, however. The level of criticality, how easily a vulnerability can be exploited, and the types of software they affect are all part of determining how serious a threat any single vulnerability might pose and these are trends we continue to watch. The growing number of vulnerabilities being disclosed in ICS/SCADA systems, in particular, is very concerning – not only for vendors developing these systems, but also for governments around the world that would have to respond to any catastrophic consequences from attacks against critical infrastructures.”