Friday, March 29, 2024

Some current vulnerabilities date back to the last millennium

Can it really be that, for so many years, nobody has closed these security gaps?

Specialists at Orange Cyberdefense conducted a large-scale analysis of vulnerabilities in their report “Security Navigator 2023” and revealed a lot of useful information. According to their data, about 22 new threats across a variety of industries are detected every day around the world. And the oldest still-unpatched vulnerabilities are over 20 years old!

The report also contains other interesting findings: the average period during which vulnerabilities remain active, their distribution by severity, and the average time developers take to fix identified threats.

[Figure: Age of found vulnerabilities by criticality]

The table above shows the average time it takes software developers to fix vulnerabilities. Since the statistics are global and collected over a huge number of vulnerabilities, the data is heavily averaged. Even so, a general trend is visible: more serious vulnerabilities are eliminated faster than those of “medium” and “low” criticality.

Of course, some “critical” vulnerabilities are eliminated much faster than the time shown in the graph; in some cases it takes just a few days to close the gap. However, according to Security Navigator statistics, most threats remain active for 75 to 300 days, which is a very long time when it comes to cybersecurity and the risks involved.

Even more interesting, the study found that many vulnerabilities are simply never fixed after discovery. For example, about 0.5% of vulnerabilities were discovered back in 1999, and they still have not been fixed. They will probably stay with us forever.

[Figure: Unpatched vulnerabilities discovered from 1999 to 2022]

This happens for a variety of reasons: for example, the narrow scope of the threat, its presence only in outdated or old software versions, or simply a lack of company resources that can be allocated to fixing the gap.


We recently discussed how Cisco refused to fix critical vulnerabilities in old but still-used equipment. Microsoft, by contrast, once showed its best side and released a security update even for very old operating systems, purely to protect users from a possible threat.

Let’s hope that in the future as many companies as possible follow Microsoft’s example and fix critical vulnerabilities even in software that is no longer supported.


Source: www.securitylab.ru