Security Navigator experts conducted a large-scale analysis of vulnerabilities and revealed a lot of useful information. According to them, about 22 new threats across a variety of industries are disclosed around the world every day. And the oldest vulnerability that still has not been fixed has been known for more than 20 years!
Other interesting data were obtained as well. They show the average period during which a vulnerability remains active, the distribution of vulnerabilities by severity, and the average time developers take to fix the identified threats.
Figure: the age of discovered vulnerabilities by criticality
The table above shows the average time software developers take to fix a vulnerability. Since the statistics are global and collected over a huge number of vulnerabilities, the figures are heavily averaged. Even so, the general trend is visible: more serious vulnerabilities are fixed faster than those of "medium" and "low" criticality.
Some "critical" vulnerabilities are, of course, fixed much faster than the time shown in the chart; in some cases only a few days are needed to close the gap. However, according to Security Navigator statistics, most threats remain active for 75 to 300 days, which is a long time when we are talking about cybersecurity and the risks involved.
What is even more interesting, the study found that many vulnerabilities are simply never fixed after they are detected. Never. For example, about 0.5% of the vulnerabilities were discovered back in 1999, and they are still not fixed. They will probably stay with us forever.
Figure: unfixed vulnerabilities discovered from 1999 to 2022
This happens for a variety of reasons: for example, because the threat has a very narrow scope, because it was found in obsolete or irrelevant versions of the software, or simply because the company lacks the resources that could be allocated to closing the gap.
We recently wrote about how Cisco refused to fix critical vulnerabilities in old but still widely used equipment. Microsoft, on the other hand, showed its best side and released security updates even for long-obsolete operating systems, just to protect users from a possible threat.
Let's hope that in the future as many companies as possible will follow Microsoft's example and fix critical vulnerabilities even in software that is no longer supported.