Adobe Spotlight Research Report – 2018 Vulnerability Weaponization Top Concern

Apr 23, 2019

At RiskSense, part of our mission is to remove data overload, which boils down to reducing the workload on security and IT teams. We take the thousands of vulnerabilities generated by scanners and distill them down to the handful of issues with real security impact to the organization: the vulns that are weaponized, being exploited in the wild, and that allow remote code execution or privilege escalation.

However, this style of analysis also has the equally important job of exposing pockets of risk that might not be getting enough attention. This is exactly what we found in our Adobe Spotlight Report, which covers over 20 years of data across Adobe products. The full report, which you can read here, contains a wealth of information including yearly trends in vulnerabilities, weaponization, the most common coding errors that lead to vulnerabilities, the most vulnerable products, and how vulnerabilities and weaknesses are mapped to specific types of threats.

However, one of the most surprising findings was also the most recent. In terms of weaponization, 2018 was the most dangerous year in Adobe’s history.

Vulns Are Down But Threats Are Up
Since security and IT teams are routinely swamped with vulnerabilities and patching, it is natural to view a drop in vulnerabilities as good news. And if we only look at the top-level numbers of vulnerabilities, it’s easy to conclude that things are trending in the right direction.

Our analysis shows that the high-water mark came in 2016, when Adobe had 538 total CVEs. However, Adobe seemed to get things under control in 2017 and 2018, with 359 and 374 CVEs respectively.

However, things get a lot darker when we analyze weaponization rates. The overall number of threats and weaponization rates (the percentage of vulnerabilities with associated threats) had been steadily decreasing from 2015 through 2017. And then 2018 came along and broke every record of weaponization in Adobe’s history. 2018 had the highest total number of weaponized vulnerabilities (177) and, by far, the highest percentage of vulnerabilities that were weaponized (47%) within any given year. This means that in the real world things remained very dangerous for Adobe products even though the overall vulnerability rates were down.

Windows of Attacker Opportunity
Once we know that there are vulnerabilities and attackers have the code to exploit them, it becomes a race against the clock to make sure teams can patch the issues before attackers can exploit them. Unfortunately, 2018 once again stood out in a bad way.

As part of our analysis, we compared when a vulnerability is first reported, when exploit code is first reported, when a vendor patch is available, and when the vulnerability is added to the National Vulnerability Database (NVD). Obviously, it is a serious concern any time exploit code is available in the wild before a patch. Of the total 177 Adobe threats observed in 2018, 50 were weaponized before a patch was available. This was, once again, by far the most of any year in Adobe’s history.

Massive Time Lag Between Adobe and NVD
As part of the Adobe Spotlight Report, we also analyzed the latency between when a vulnerability is first reported and when it is added to the NVD. Given that many organizations rely on the NVD for tracking vulnerabilities, any lag between the vendor and NVD can further expand an attacker’s window of opportunity.

While 2018 was not the worst year in terms of NVD latency, it still left much to be desired. 2012 had the distinction of having the worst overall latency with an average of 24 days, but 2018 came in second with an average of 21 days.

NVD Latency

However, the lag was the most pronounced for those 50 vulnerabilities that were weaponized before a patch was available. For those specific vulnerabilities, the lag between Adobe and NVD publication was a staggering 54 days. This once again highlights why it is important for organizations to not rely solely on the NVD for tracking vulnerabilities – monitoring vendor sites is crucial.
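The date comparisons described in the two sections above can be run against your own vulnerability tracking data. The following is an added example, not RiskSense's code or report data: the record layout, field names and `VULN-*` identifiers are constructed, and it assumes that a vulnerability with exploit code and no patch yet counts as weaponized before a patch.

```python
from datetime import date
from statistics import mean

# Constructed sample records (placeholder IDs, invented dates), not report data.
# None means the event has not happened yet (no known exploit, no patch, not in NVD).
RECORDS = [
    {"id": "VULN-A", "reported": date(2018, 1, 10), "exploit": date(2018, 1, 5),
     "patch": date(2018, 1, 16), "nvd": date(2018, 3, 1)},
    {"id": "VULN-B", "reported": date(2018, 2, 13), "exploit": date(2018, 4, 2),
     "patch": date(2018, 2, 13), "nvd": date(2018, 2, 27)},
    {"id": "VULN-C", "reported": date(2018, 5, 8), "exploit": None,
     "patch": date(2018, 5, 8), "nvd": date(2018, 5, 19)},
    {"id": "VULN-D", "reported": date(2018, 7, 10), "exploit": date(2018, 7, 12),
     "patch": None, "nvd": None},
]

def weaponized_before_patch(r):
    """True if exploit code appeared while no vendor patch was available."""
    if r["exploit"] is None:
        return False
    # Assumption: still-unpatched plus known exploit counts as pre-patch.
    return r["patch"] is None or r["exploit"] < r["patch"]

def nvd_latency_days(r):
    """Days from first report to NVD publication; None if not in NVD yet."""
    return None if r["nvd"] is None else (r["nvd"] - r["reported"]).days

def avg_latency(records):
    """Mean NVD latency over records that have an NVD date; None if there are none."""
    days = [d for d in map(nvd_latency_days, records) if d is not None]
    return mean(days) if days else None

def summarize(records):
    weaponized = [r for r in records if r["exploit"] is not None]
    pre_patch = [r for r in weaponized if weaponized_before_patch(r)]
    return {
        "total": len(records),
        "weaponized": len(weaponized),
        "weaponization_rate": len(weaponized) / len(records) if records else 0.0,
        "pre_patch_ids": [r["id"] for r in pre_patch],
        "avg_nvd_latency": avg_latency(records),
        "avg_nvd_latency_pre_patch": avg_latency(pre_patch),
        # Entries NVD-only tracking would miss entirely right now.
        "not_in_nvd": [r["id"] for r in records if r["nvd"] is None],
    }

if __name__ == "__main__":
    for key, value in summarize(RECORDS).items():
        print(f"{key}: {value}")
```

Records missing from the NVD are left out of the latency averages and listed separately, since they are the ones an NVD-only process cannot see at all.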

Key Takeaways
Our analysis shows that 2018 was an exceptional year for Adobe vulnerabilities, and not in a good way. Certainly not all of the blame should fall on Adobe, as they have made progress in terms of reducing the overall number of vulnerabilities compared to the highs of 2016. However, the spike in weaponized vulnerabilities, and specifically those that were weaponized before a patch was available, is a cause for concern. Also, the lag in getting weaponized vulnerabilities added to the NVD should be top of mind for the industry.

We will naturally need to track these issues through 2019 to see if 2018 remains an outlier or is part of a larger trend. However, while this type of backward-looking analysis is interesting, we must remember that real security happens in the present. Security and IT teams need the ability to see these issues in real time in order to not only prioritize their response, but also find pockets of risk that they may not be aware of. This is our mission at RiskSense. If you would like to learn more or see a demonstration, please contact us.