As we examined in our previous article “Predicting Vulnerabilities in Compiled Code”, there are over 1,000 vulnerabilities that are discovered every month. Hackers find a way to exploit these vulnerabilities, and the amount of monetary damage resulting from cyber crime keeps growing.

“Patch Tuesday” is a term widely used between IT and security teams to describe the time when Microsoft releases the latest updates. The ones who participate in it know the true cost of the patching cycle, whether it’s getting the approval, designing the plan, or dealing with the outcome.

Prognosis: Vulnerability Proliferation

With the increase of software usage worldwide, it’s only natural that a growing number of vulnerabilities will be discovered.

1999 was the inflection point for vulnerability listings. Prior to that, a variety of security tools offered different ways to categorize software security issues. As there was no standardized protocol for listing a vulnerability, inconsistencies were inevitable. In that year, the concept of common vulnerability and exposure (CVE) was introduced as a standard to represent software security flaws.

It’s not uncommon to find the traditional vulnerability assessment report buried under the CISO family picture, compliance books, and his latest blood pressure test. These reports highlight the never-ending battle between security and IT about what’s more important: risks to servers and endpoints, or keeping the environment up-to-date and secured. There are even problems within the ranks of each unit. Dysfunctional processes, lack of efficient communication, and rudimentary tools put even more pressure on the CIO and CISO.

As detection of backdoor vulnerabilities to the Android Operating System present increasingly lucrative potential, locating them has now become somewhat of a treasure hunt for hackers.

In September 2019, a vulnerability has been discovered in EXIM, an open-source mail transfer agent,
which is a program responsible for receiving, routing and delivering email messages.

So you’re at that warm, fuzzy place CISOs and IT professionals know all-too-well: There are countless vulnerabilities your organization is “theoretically” vulnerable to, for which you’d like to start implementing patches immediately to increase security, but on the other hand, you’re concerned about patches and new version releases breaking users’ functionality.

In July 2019, a severe vulnerability was found in VLC, an extremely popular media player, used to playback different types of videos on computers and mobile phones. VLC boasts impressive total downloads of over 3 billion, and the vulnerability has a highly critical CVE score of 9.8, making this one of the most dangerous and substantial cyber threats to date.