Unpatched legacy vulnerabilities pose threats


Trend Micro Incorporated has released research urging organizations to focus patching efforts on the vulnerabilities that pose the greatest risk to their organization, even if they are years old.

Trend Micro Research found that 22% of exploits for sale in underground forums are more than three years old.

“Criminals know that organizations are struggling to prioritize and patch promptly, and our research shows that patch delays are frequently taken advantage of,” said Tony Lee, head of consulting at Trend Micro Hong Kong and Macau.

“The lifespan of a vulnerability or exploit does not depend on when a patch becomes available to stop it. In fact, older exploits are cheaper and therefore may be more popular with criminals shopping in underground forums. Virtual patching remains the best way to mitigate the risks of known and unknown threats to your organization.”

The report details several risks arising from legacy exploits and vulnerabilities, and documents a decline over the past two years in the market for zero-day and N-day vulnerabilities (N-day meaning publicly known, typically with a patch already available). The decline is driven in part by the popularity of bug bounty programs, and by the rise of Access-as-a-Service, the new force in the exploit market.

Access-as-a-Service gives the buyer the same advantage as an exploit, a foothold in a target, but with the hard work of obtaining that access already done for them; underground prices start at US$1,000.

These trends combine to create greater risk for organizations. With nearly 50 new CVEs published per day in 2020, the pressure on security teams to prioritize and deploy patches promptly has never been greater, and it shows: organizations now take an average of nearly 51 days to patch a new vulnerability.
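The risk-based prioritization the release argues for, as an added example and not Trend Micro's code or methodology: findings are ranked by evidence of exploitation (exploit traded underground, exploitation observed in the wild, Internet exposure) on top of base severity, with disclosure age deliberately left out of the score so that an old bug with a cheap exploit outranks a new one nobody is exploiting. The weights, the `Vuln` fields, and the sample backlog are assumptions; the vulnerability IDs are placeholders, not real CVEs.

```python
"""Rank an open-vulnerability backlog by exploitation risk, not by CVE age."""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Vuln:
    """One open finding. Fields other than cvss are assumed to come from
    threat intelligence and the asset inventory (hypothetical feeds)."""
    vuln_id: str
    published: date
    cvss: float
    exploit_for_sale: bool   # an exploit is traded in an underground market
    known_exploited: bool    # exploitation has been observed in the wild
    internet_facing: bool    # affected asset is reachable from the Internet


# Assumed weights: exploitation evidence outranks base severity. Age is
# deliberately absent from the score; an old bug with a cheap exploit is
# not lower risk than a new one with no exploit.
W_KNOWN_EXPLOITED = 5.0
W_EXPLOIT_FOR_SALE = 3.0
W_INTERNET_FACING = 2.0


def risk_score(v: Vuln) -> float:
    score = v.cvss
    if v.known_exploited:
        score += W_KNOWN_EXPLOITED
    if v.exploit_for_sale:
        score += W_EXPLOIT_FOR_SALE
    if v.internet_facing:
        score += W_INTERNET_FACING
    return score


def prioritize(vulns):
    """Highest risk first; ties broken by oldest first, since the older
    vulnerability has had the longest time to be weaponised."""
    return sorted(vulns, key=lambda v: (-risk_score(v), v.published))


def age_days(v: Vuln, today: date) -> int:
    return (today - v.published).days


def share_of_exploits_older_than(vulns, years: int, today: date) -> float:
    """Fraction of findings with an exploit for sale whose vulnerability is
    older than `years`; the same measure as the release's 22% figure, but
    computed over our own backlog."""
    with_exploit = [v for v in vulns if v.exploit_for_sale]
    if not with_exploit:
        return 0.0
    old = [v for v in with_exploit if age_days(v, today) > years * 365]
    return len(old) / len(with_exploit)


# Constructed sample backlog: placeholder IDs, not real CVEs or telemetry.
TODAY = date(2021, 7, 1)
SAMPLE = [
    Vuln("old-rce",       date(2017, 6, 1),  9.8, True,  True,  True),
    Vuln("new-high",      date(2021, 5, 1),  9.1, False, False, False),
    Vuln("old-medium",    date(2016, 1, 15), 6.5, True,  False, True),
    Vuln("new-exploited", date(2020, 11, 1), 7.5, True,  False, False),
    Vuln("new-low",       date(2021, 6, 10), 4.3, False, False, False),
]

if __name__ == "__main__":
    for v in prioritize(SAMPLE):
        print(f"{v.vuln_id:14} score={risk_score(v):5.1f} "
              f"age={age_days(v, TODAY)}d")
    print("share of for-sale exploits older than 3 years:",
          round(share_of_exploits_older_than(SAMPLE, 3, TODAY), 2))
```

On the constructed backlog the 2017 remote-code-execution bug with a traded, actively used exploit sorts first, the 2016 medium-severity bug with an exploit for sale sorts second, and the 2021 CVSS 9.1 finding with no exploit comes behind both; the "share older than three years" figure is the local counterpart of the 22% statistic and is worth tracking over time.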