April Vuln of the Month: The 100 Club
Two years and two months ago, we launched our Vuln of the Month series. This regular blog has offered us a chance to spotlight CVEs that warrant your attention if you happen to harbor those vulns somewhere in your infrastructure but haven’t paid much attention to them.
Things change, and as all future blogs related to vulnerability management and risk-based prioritization will soon appear on Cisco’s security blog, we’re retiring our Kenna Security Vuln of the Month series with this, our 26th entry. In this final edition, we’re focusing on the 381 published CVEs that have earned a perfect 100 Kenna Risk Score since NIST launched the National Vulnerability Database (NVD) way back in 1999.
They’re members of The 100 Club–a rogue’s gallery of worrisome security weaknesses whose enrollment stretches back 24 years. They are the worst of the worst. Fewer than one quarter of 1 percent of all CVEs earn a risk score of 100. (By our count, the number of published CVEs is close to reaching 200,000.)
The who, what, when and why of top-scoring CVEs
We crunched the numbers on this gang of 381 to bring you some (hopefully) meaningful insights into The 100 Club. Here’s what we found.
Who. First, we looked at which vendors were responsible for publishing the software with the most vulns with a Kenna Risk Score of 100.
The name of the “winner” should come as little surprise to security teams and their IT counterparts. It’s Adobe, whose products have long been (and continue to be) the subject of vulnerability advisories and are favorite targets of attackers. Not far behind is Sun Microsystems, though Sun’s heyday likely involved vulns that are today more “archival” in nature since Sun was acquired by Oracle 13 years ago. Google is in third place, followed by Microsoft. Microsoft, by the way, demonstrates that high volumes of vulnerabilities don’t always translate into high volumes of 100-worthy CVEs. (Seriously, nobody can touch Microsoft for sheer numbers of published vulns each month–4X more than its closest competitor.)
We should note, however, that no provider is entirely immune from having its products branded as vulnerable. (And yes, that’s Cisco appearing in ninth place.) In the vast majority of cases, the existence of a vulnerability doesn’t necessarily suggest a cavalier disregard for security. Frankly, it boils down to a numbers game. When your software encompasses 65 million lines of code (lookin’ at you, Chromium), or more than 100 million lines (cheers, Windows!), there are bound to be exploitable corners. In fact, research we’ve done with Cyentia Institute found that 95% of assets have at least one highly exploitable vulnerability.
What. The specific applications or platforms represented in The 100 Club are equally revealing. Topping the list is Chrome, the world’s most popular web browser and a Vuln of the Month veteran. Then there are the Java entrants: the runtime environment (jre) and developer kit (jdk), which are everywhere. And as expected, three Adobe products appear here (though Flash Player finally gave up the ghost in 2021).
Why do these products beget so many high-stakes vulns, or at least so many relative to other products? Ubiquity is a prime reason. We often find out about a high-risk vuln because a researcher uncovered it. And for reasons that should be obvious, researchers invest a lot more time looking at massively popular products (the more likely targets of attackers) than they do on software that represents a far smaller attack surface. Chrome, Adobe software, Java platforms, Apache Struts and Tomcat… they’re big fish for attackers, and thus are a key focus for people who are trying to keep attackers at bay.
When. The chart below may resemble an angry mountain range, but it documents the rise and fall of CVEs with a risk score of 100. You’ll see on the left that there wasn’t much activity from the early to mid 2000s. This correlates to the meager number of overall CVEs published in those early years. But the rest of the chart does not sync with CVE growth overall, because starting in the late 2000s, CVE volumes saw explosive growth year over year. Yet the number of CVEs that earn a risk score of 100 has generally remained around two per month, on average.
(BTW, no matter how old a vulnerability is, don’t believe for a second that attackers will forget about it. If you leave a high-risk vuln unpatched, there’s always a chance someone will come after it–and after you.)
Why. Why does a CVE rank so highly? Many reasons. A vulnerability may be easily accessible and require no authentication to exploit it. It may be exploitable remotely via malware that’s installed when a user responds to the wrong phishing message. It may reside in software with a particularly large installed base (see: Chrome, Google). Or it may hold the potential to do a lot of damage if and when it’s successfully exploited, from stolen data to complete takeover of systems. Those are the kinds of technical factors that form the basis of the Kenna Risk Score. And even though CVSS scores rely on technical factors and little else, we don’t stop there.
Beyond technical criteria, Kenna weighs critical contextual factors that provide a clearer, more comprehensive picture of the risk a vulnerability poses. Kenna answers questions like: Have exploits already been observed? Does exploit code exist? Are analysts picking up on chatter that might signal interest in targeting this vuln is growing? Assuming exploits have been observed, what industries are attackers targeting?
The answers to these questions help you determine the relative risk this vuln may pose to your organization, and they can help guide your remediation priorities based on all the other fires you’re expected to put out. As a result, you’ll spend less time chasing vulnerabilities that don’t pose a clear and present danger to your business, and more time focusing on the vulnerabilities–and the IT and security initiatives–that matter most.
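To make the difference between severity-only ranking and risk-based prioritization concrete, here is an added example (not Kenna’s scoring model, and not code from this blog) that scores a small constructed set of vulnerability records on the two kinds of factors the post lists: technical ones (CVSS base severity, network reachability, no authentication required, size of the installed base) and contextual ones (exploits observed in the wild, public exploit code, analyst chatter, whether observed attacks target your industry). The weights, the 60/40 split, the `Vuln` fields and the `EXAMPLE-*` identifiers are all assumptions chosen for illustration; real scoring systems use their own models and feeds.

```python
"""Illustrative risk-based prioritization of vulnerabilities.

Constructed example: the weights, field names and sample records below are
assumptions for illustration, not the Kenna Risk Score algorithm.
"""
from dataclasses import dataclass
from typing import List


@dataclass
class Vuln:
    cve: str                  # placeholder identifier, not a real CVE
    cvss: float               # technical base severity, 0.0-10.0
    network_reachable: bool   # exploitable remotely, no local foothold needed
    no_auth: bool             # no credentials required to exploit
    installed_base: float     # 0.0-1.0, estimated share of your assets affected
    exploit_observed: bool    # exploitation seen in the wild
    exploit_code_public: bool # working exploit code exists publicly
    chatter: float            # 0.0-1.0, analyst-observed attacker interest
    targets_my_industry: bool # observed campaigns hit your sector


def technical_score(v: Vuln) -> float:
    """Technical component, capped at 60: the factors CVSS-style scoring covers."""
    score = v.cvss * 4.0                 # up to 40 from base severity
    if v.network_reachable:
        score += 8
    if v.no_auth:
        score += 6
    score += 6 * v.installed_base        # bigger footprint, bigger exposure
    return min(score, 60.0)


def contextual_score(v: Vuln) -> float:
    """Contextual component, capped at 40: evidence of real-world exploitation."""
    score = 0.0
    if v.exploit_observed:
        score += 20                      # strongest signal: attacks already happening
    elif v.exploit_code_public:
        score += 10                      # weaker signal: exploitation is cheap
    score += 10 * v.chatter
    if v.exploit_observed and v.targets_my_industry:
        score += 10                      # relevance to this organization specifically
    return min(score, 40.0)


def risk_score(v: Vuln) -> int:
    """Combined 0-100 score; 100 is the 'worst of the worst'."""
    return round(technical_score(v) + contextual_score(v))


def by_cvss(vulns: List[Vuln]) -> List[str]:
    """Severity-only ordering (highest CVSS first), for comparison."""
    return [v.cve for v in sorted(vulns, key=lambda v: -v.cvss)]


def prioritize(vulns: List[Vuln]) -> List[str]:
    """Risk-based ordering (highest combined score first)."""
    return [v.cve for v in sorted(vulns, key=risk_score, reverse=True)]


# Constructed sample records (placeholder identifiers, invented attributes).
SAMPLE = [
    Vuln("EXAMPLE-A", 9.8, True, True, 0.8, True, True, 0.9, True),    # critical and actively exploited
    Vuln("EXAMPLE-B", 9.8, True, True, 0.2, False, False, 0.1, False), # critical on paper, no exploitation
    Vuln("EXAMPLE-C", 7.5, True, True, 0.9, True, True, 0.7, True),    # 'high' CVSS but exploited at scale
    Vuln("EXAMPLE-D", 9.1, False, False, 0.5, False, False, 0.0, False), # critical but local and quiet
]

if __name__ == "__main__":
    print("CVSS-only order :", by_cvss(SAMPLE))
    print("Risk-based order:", prioritize(SAMPLE))
    for v in SAMPLE:
        print(f"{v.cve}: cvss={v.cvss} risk={risk_score(v)}")
```

Run as written, EXAMPLE-C (CVSS 7.5 but exploited in the wild against your industry) moves ahead of EXAMPLE-B and EXAMPLE-D (both CVSS 9+ with no exploitation evidence), which is the point of weighing context: the remediation queue is driven by what attackers are actually doing rather than by base severity alone.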
That’s risk-based prioritization. Kenna Security pioneered it, and now Cisco is taking on that mission to evolve risk-based prioritization as a bedrock enabling feature of security resilience.
It’s been a pleasure sharing this monthly blog with you for the past two years. We’re excited to see what new topics we’ll explore together.
For more insights related to vulnerability management, risk-based prioritization, and related topics, visit Cisco’s security blog page.