
Just 2.6% of 2019's 18,000 tracked vulnerabilities were actively exploited in the wild

So says Kenna Security in a refreshing piece of counter-FUD analysis


While the infosec industry is used to reading (and pumping out) FUD about software vulnerabilities, eye-catching research suggests about 500 vulns were exploited in 2019 – despite 18,000 new CVEs being created.

Kenna Security, a US infosec firm, reckons that despite thousands of vulnerabilities being assigned a Common Vulnerabilities and Exposures (CVE) tracking number in the year, just 473 of those were actively being exploited in ways likely to impact enterprises.

That represents just 2.6 per cent of vulns reported during the year, shedding new light on the scale of the threat to internet-connected businesses.

Kenna's co-founder and CTO, Ed Bellis, told The Register that the analysis his firm carried out focused on those CVEs with the potential to affect its customers. Even that 473 figure can be reduced further, he said. While the company did not filter the 18,000 figure down to, for example, only those CVEs affecting enterprise software, the contrast between the two is stark.

"A mere 6 per cent of those 473 vulnerabilities ever reached widespread exploitation by more than 1/100 organizations," asserted Kenna Security's report. "The fact that an exploit is 'in the wild' does not mean it's raging hog wild across the internet."

The report continued: "Exploit code was already available for >50 per cent of vulnerabilities (eventually exploited in the wild) by the time they published to the CVE List. Thankfully for defenders, patch releases coincide with publication for over 80 per cent of those CVEs."

Vulns are out there – but the popular notion that everything is terrifyingly insecure and sometimes only pure luck saves us from data theft, denial-of-service attacks, and more may not be true. Fancy that!

CVE, CNA, CVSS – can you C another acronym?

CVE identifiers, while imperfect, are a widely accepted count of publicly disclosed vulnerabilities (severity is scored separately, under CVSS). Dan Mellinger of Kenna Security added that a large number of CVE Numbering Authorities (CNAs) have been created over the past few years, fuelling the growth in reported CVEs. Currently there are more than 150 organisations with the power to assign CVEs, though most of those are vendors who only take responsibility for their own products (for example, the UK currently has just three CNAs: Canonical, Snyk, and Sophos, all of whom fall into that bracket).

Academics have also questioned the repeatability and consistency of CVE scoring, with a German university currently running a research project into the Common Vulnerability Scoring System, focusing on why and how different humans allocate scores that produce very different results.

Further, the causes of CVEs vary. While most FUD around tidal waves of vulnerabilities overwhelming infosec bods conjures the image of teams of malicious people mercilessly finding and exploiting vulns to commit further badness, the truth is sometimes more prosaic than that.

Google illustrated this very human failing earlier this month when its Project Zero had a good old moan about crap security patches failing to fully fix CVE-notified problems. Two days later Google Chromium demonstrated what Project Zero was complaining about, through the medium of an old Chromium zero-day it failed to properly patch in November. ®

