• TREND MICRO
  • ABOUT
Search:
  • Latest Posts
  • Categories
    • Android
    • AWS
    • Azure
    • Cloud
    • Compliance
    • Critical Infrastructure
    • Cybercrime
    • Encryption
    • Financial Services
    • Government
    • Hacks
    • Healthcare
    • Internet of Everything
    • Malware
    • Microsoft
    • Mobile Security
    • Network
    • Privacy
    • Ransomware
    • Security
    • Social Media
    • Small Business
    • Targeted Attacks
    • Trend Spotlight
    • Virtualization
    • Vulnerabilities
    • Web Security
    • Zero Day Initiative
    • Industry News
  • Our Experts
    • Ed Cabrera
    • Rik Ferguson
    • Greg Young
    • Mark Nunnikhoven
    • Jon Clay
    • William “Bill” Malik
  • Research
Home   »   Security   »   2016 Review of Vulnerabilities

2016 Review of Vulnerabilities

  • Posted on:March 23, 2017
  • Posted in:Security, Vulnerabilities
  • Posted by:
    Jon Clay (Global Threat Communications)
0

In our 2016 security roundup report, A Record Year for Enterprise Threats, we talked about the vulnerability landscape during the year and what trends we saw.

Let’s look at some of the key aspects of what we saw in 2016.

1. Trend Micro’s Zero Day Initiative (ZDI) with support of their 3,000+ independent vulnerability researchers, discovered and responsibly disclosed 678 vulnerabilities in 2016. There were some interesting trends, as can be seen in the figures below:

 

 

  • First is that Microsoft has continued to minimize the number of vulnerabilities within their products over time. That’s good news, but the not so good news for Microsoft was the 2,100 percent increase in Edge vulnerabilities. This was further supported at Pwn2Own 2017, as Edge was the most exploited browser in the contest.
  • Second was a drop in overall Adobe vulnerabilities, but Acrobat Reader was the second in having the most vulnerabilities disclosed for 2016.
  • 0-Days, which are vulnerabilities that had active attacks associated with them prior to a patch being released, were down in 2016 from 2015. That is good news but we also saw recently with the hack of the CIA that there are likely many 0Days out there that have not been disclosed.
  • Android saw a large increase (206 percent) in the number of vulnerabilities disclosed for them. Trend Micro researchers submitted 54 vulnerabilities to Google for Android in 2016.
  • A 421 percent increase in SCADA vulnerabilities were disclosed in 2016 which isn’t boding well for these manufacturers due to the challenges with managing updates to these devices.

2. Within the exploit kit market we saw a number of changes take place. The Angler exploit kit ceased operations after a number of actors were arrested in Russia. Neutrino tried to take its place but that appeared to be fleeting as can be seen in the chart below.

 

3. We also saw a decrease in the number of new vulnerabilities being added to exploit kits in 2016, which does not necessarily mean exploit kits are less effective. We regularly see older vulnerabilities used within exploit kits because these still appear to be working to compromise systems. What we did see occur in 2016 was a higher use of ransomware being used within exploit kits as the primary infection option.

While we saw both increases and decreases in the number of vulnerabilities from respective vendors, what is true is that threat actors will continue to utilize exploits to infect their victims.  People and organizations should not assume that because we saw some decreases that they can take longer times to patch their systems.  Patch management is as critical today as ever before and the use of virtual patching can be used to allow more time to manage the patch from the vendor.

In the cases where ZDI managed the disclosure process, they were able to protect TippingPoint NGIPS customers on average 57 days prior to the vendor’s release of their patch.

Trend Micro also offers virtual patching within our Deep Security, Deep Discovery, and Vulnerability Protection solutions.

 

Related posts:

  1. April 2016 Microsoft and Adobe Security Patches: Badlock Not So Bad and Adobe Fully Closes Pwn2Own 2016 Vulnerabilities
  2. ZDI Update: Microsoft and Adobe Patch Tuesday for May 2016 and Microsoft Closes Pwn2Own 2016 Vulnerabilities
  3. The November 2016 Security Update Review
  4. The December 2016 Security Update Review

Security Intelligence Blog

  • Our New Blog
  • How Unsecure gRPC Implementations Can Compromise APIs, Applications
  • XCSSET Mac Malware: Infects Xcode Projects, Performs UXSS Attack on Safari, Other Browsers, Leverages Zero-day Exploits

Featured Authors

Ed Cabrera (Chief Cybersecurity Officer)
Ed Cabrera (Chief Cybersecurity Officer)
  • Ransomware is Still a Blight on Business
Greg Young (Vice President for Cybersecurity)
Greg Young (Vice President for Cybersecurity)
  • Not Just Good Security Products, But a Good Partner
Jon Clay (Global Threat Communications)
Jon Clay (Global Threat Communications)
  • This Week in Security News: Ransomware Gang is Raking in Tens of Millions of Dollars and Microsoft Patch Tuesday Update Fixes 17 Critical Bugs
Mark Nunnikhoven (Vice President, Cloud Research)
Mark Nunnikhoven (Vice President, Cloud Research)
  • Twitter Hacked in Bitcoin Scam
Rik Ferguson (VP, Security Research)
Rik Ferguson (VP, Security Research)
  • The Sky Has Already Fallen (you just haven’t seen the alert yet)
William
William "Bill" Malik (CISA VP Infrastructure Strategies)
  • Black Hat Trip Report – Trend Micro

Follow Us

Trend Micro In The News

  • Fujitsu and Trend Micro Demonstrate Solution To Secure Private 5G
  • Trend Micro Receives 5-Star Rating in 2021 CRN® Partner Program Guide
  • Smart Factory Cyber Attacks Knock Out Production for Days
  • Eliminate Hesitations: Security Simplified For Those Building In The Cloud
  • Nuffield Health Depends on Managed XDR with Trend Micro Vision One
  • Home and Home Office
  • |
  • For Business
  • |
  • Security Intelligence
  • |
  • About Trend Micro
  • Asia Pacific Region (APAC): Australia / New Zealand, 中国, 日本, 대한민국, 台灣
  • Latin America Region (LAR): Brasil, México
  • North America Region (NABU): United States, Canada
  • Europe, Middle East, & Africa Region (EMEA): France, Deutschland / Österreich / Schweiz, Italia, Россия, España, United Kingdom / Ireland
  • Privacy Statement
  • Legal Policies
  • Copyright © 2017 Trend Micro Incorporated. All rights reserved.