ChannelLife New Zealand - Industry insider news for technology resellers
Story image

Action1 launches inaugural software vulnerability report for 2024

Thu, 20th Jun 2024

Action1 Corporation has released its inaugural Software Vulnerability Ratings Report for 2024. The report aims to equip Chief Information Security Officers (CISOs) and Chief Information Officers (CIOs) with strategic insights into their software ecosystems. It evaluates software vendors based on their security track record to enable more informed procurement decisions.

The release follows ongoing delays in the National Vulnerability Database (NVD) regarding vulnerability data enrichment. Action1's report provides timely insights into vulnerability trends within commonly used enterprise software categories. It focuses particularly on exploitation rates and Remote Code Execution (RCE) vulnerabilities.

"With the NVD's delay in associating Common Vulnerabilities and Exposures (CVE) identifiers with CPE (Common Platform Enumeration) data, our report comes at a critical moment, providing much-needed insights into the ever-evolving vulnerability landscape for enterprise software," said Mike Walters, President and co-founder of Action1. "Our goal is to arm key decision-makers with essential knowledge so that they can prioritise their efforts in vulnerability monitoring using alternative approaches while the traditional reliance on NVDs is challenged."

The report underscores the urgency for the cybersecurity community to share information and build stronger relationships among private cybersecurity firms, academic institutions, and other threat intelligence platforms. "In light of the NVD crisis, the cybersecurity community needs to share information and build stronger relationships amongst private cybersecurity firms, academic institutions, and other threat intelligence platforms to facilitate holistic and timely data sharing so that all organisations can enhance their security posture," added Walters.

Researchers at Action1 discovered a notable increase in the total number of vulnerabilities across all enterprise software categories. The report delves into five key trends based on exploitability rates and the dynamics of RCE vulnerabilities within enterprise software categories and specific applications.

One significant finding indicated a high exploitation rate for load balancers such as NGINX (100%) and Citrix (57%). According to the report, vulnerabilities in load balancers pose significant risks as a single exploit can provide attackers with broad access or disruption capabilities against targeted networks.

Another finding highlighted the increased exploitation rate of Apple operating systems. MacOS and iOS showed an increased exploitation rate of 7% and 8%, respectively. Despite MacOS reducing its total vulnerabilities by 29% from 2023 to 2022, exploited vulnerabilities increased by over 30%, underscoring targeted attacks on iOS devices.

The report also found a 1600% surge in critical vulnerabilities for Microsoft SQL Server (MSSQL) in 2023, each being an RCE. This signals a significant risk with attackers quickly discovering and exploiting new RCE vulnerabilities in MSSQL.

Additionally, MS Office's critical vulnerabilities accounted for nearly 80% of the overall annual vulnerability count, with 50% being RCEs. Microsoft's exploitation rate rose to 7% in 2023, compared to 2% in 2022, demonstrating how attackers exploit user-facing software prone to human error.

A further area of concern identified in the report was Edge security. Over three years, Edge experienced a spike in RCE vulnerabilities at 17% in 2023, following a 500% growth in 2022. Edge also reported a 7% exploitation rate in 2023, representing a 2% increase from the previous year.

The Software Vulnerability Ratings Report 2024 analysed data from 2021, 2022, and 2023. It drew insights from the NVD and cvedetails.com, quantifying vulnerabilities and providing a comprehensive view of how the threat landscape is evolving over time.

The report utilised an 'exploitation rate' metric, developed by the Action1 research team, to demonstrate the ratio of exploited vulnerabilities to the total number of vulnerabilities. The metric aids enterprises in assessing risks associated with a vendor's software by indicating susceptibility to exploitation and the comprehensiveness of their vulnerability management programmes. Additionally, Action1 tracked RCE vulnerabilities, which allow attackers to execute arbitrary code remotely, potentially compromising critical systems.

These findings indicate the continuing evolution of threats and the necessity for proactive security strategies, including timely OS and third-party application patching. Action1 experts recommend enterprises review their technology stack, anticipate future vulnerabilities based on trends, and continuously improve their security posture to adapt to new threats rapidly.

Follow us on:
Follow us on LinkedIn Follow us on X
Share on:
Share on LinkedIn Share on X