A newly published report from the European Network and Information Security Agency (ENISA) reveals that Android tops the list of platforms that experienced high numbers of critical vulnerabilities between 2018 and 2019. In all, 350 security holes were discovered in the operating system. With regard to computer companies, ENISA indicates that Microsoft was the most affected during this period, with 600 vulnerabilities found. Qualcomm is in second place on the "podium", with around 380, and Google occupies the third position, with around 370.
Regarding the most popular vulnerabilities over the two years, ENISA highlights CVE-2018-4878 and CVE-2019-0708 for Microsoft and Linux operating systems and the Adobe Flash program. CVE-2018-8174, at the top of the list, is the most frequently registered security flaw in the period under review and relates to Microsoft Windows Server.
The main source of Common Vulnerabilities and Exposures (CVEs) is the National Vulnerability Database (NVD), with several organizations using it as an “authority” when it comes to indicating the most well-known cybersecurity vulnerabilities. However, ENISA found that some of the CVEs found in other security flaw databases are not up to date in the NVD.
Several organizations rely solely on one source of information about cybersecurity vulnerabilities, a strategy that is proving to be of little benefit, as it may endanger their systems. “There are inconsistencies and discrepancies between the different sources. Although there is a database with more authority in this area, this does not mean that your information is completely accurate”, explains the European agency.
Although the Common Vulnerability Scoring System (CVSS), the standard used to assess the risk of security threats on a scale from 0 to 10, provides benchmarks to gauge, understand and compare the impact of vulnerabilities, ENISA indicates that there are significant differences between versions 2 and 3 of this system. The disparities gave rise, for example, to different ratings for the same security hole. The situation can have a negative impact on how organizations manage their risks and make decisions.
The report also reveals that the top 10 categories with the highest number of vulnerabilities in 2018-2019 are led by web browsers, with more than 400 registered flaws. Next are operating systems, with around 300, and content management systems, with around 200. The vulnerabilities in web browsers are also the most serious. More than 200 of the cases exceed a CVSS score of 7 and are considered “critical”.