A MERE 5.5 per cent of all vulnerabilities present in computing systems are ever exploited in the wild.
That's according to a new study by a joint team of researchers from Cyentia, RAND Corporation and Virginia Tech, conducted in collaboration with Kenna Security, a US-based vulnerability and threat management firm.
The researchers analysed 76,000 security flaws disclosed between 2009 and 2018 and found that just 4,183 of them, about 5.5 per cent, were actually exploited in the wild.
According to ZDNet, the researchers could find no correlation between the publication of proof-of-concept exploit code on public websites and the start of exploitation attempts.
Of the 4,183 vulnerabilities that were exploited, only about half had exploit code available on public websites, which suggests that attackers pick specific flaws to go after and, where needed, write their own exploits.
Another notable finding was that most flaws exploited in the wild carried a high CVSSv2 base score of 9 or 10. A CVSSv2 score of 10 means the flaw is reachable over the network, needs no authentication, is easy to trigger and has a complete impact on confidentiality, integrity and availability, so such flaws are considered both easy to exploit and dangerous.
The study therefore indicates that vulnerabilities with higher CVSSv2 scores are more likely to be exploited, regardless of whether exploit code is publicly available. Even so, with only 5.5 per cent of flaws exploited overall, a high score marks a flaw as more likely to be attacked, not as certain to be, and it is one signal among several that a prioritisation decision should weigh.
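To make the prioritisation trade-off concrete, the following added example (written for this page, not code from the study, Kenna Security or the article) scores a few remediation strategies against a constructed sample of vulnerabilities. The vulnerability labels, CVSSv2 scores, exploit-availability flags and exploited-in-the-wild flags are all made up for illustration; the two metric names, "coverage" (the share of exploited flaws a strategy would have patched) and "efficiency" (the share of patched flaws that were actually exploited), are assumed names chosen here rather than terms taken from the page.

```python
"""Compare vulnerability-remediation strategies on a constructed sample.

Added example, not from the study or the article. Every record in SAMPLE
is constructed; none of the labels is a real CVE identifier.
"""
from dataclasses import dataclass
from typing import Callable, Iterable, NamedTuple


@dataclass(frozen=True)
class Vuln:
    vid: str               # constructed label, not a real identifier
    cvss2: float           # CVSSv2 base score
    public_exploit: bool   # exploit code published on a public site
    exploited: bool        # exploitation in the wild actually observed


# Constructed sample (assumption): 15 flaws, 5 of them exploited, and only
# 3 of those 5 with public exploit code, mirroring the "about half" pattern.
SAMPLE = [
    Vuln("V01", 10.0, True,  True),
    Vuln("V02", 10.0, False, True),
    Vuln("V03",  9.3, True,  False),
    Vuln("V04",  9.0, False, True),
    Vuln("V05",  7.5, True,  False),
    Vuln("V06",  7.5, False, False),
    Vuln("V07",  7.2, True,  True),
    Vuln("V08",  6.8, False, False),
    Vuln("V09",  5.0, True,  False),
    Vuln("V10",  5.0, False, False),
    Vuln("V11",  4.3, True,  False),
    Vuln("V12",  4.3, False, False),
    Vuln("V13",  2.1, False, False),
    Vuln("V14", 10.0, False, False),
    Vuln("V15",  9.3, True,  True),
]


class Outcome(NamedTuple):
    patched: int        # how many flaws the strategy tells you to fix
    coverage: float     # exploited flaws fixed / all exploited flaws
    efficiency: float   # exploited flaws fixed / all flaws fixed


def evaluate(vulns: Iterable[Vuln], select: Callable[[Vuln], bool]) -> Outcome:
    """Apply a selection rule and measure what it would have bought you."""
    vulns = list(vulns)
    patched = [v for v in vulns if select(v)]
    exploited_total = sum(v.exploited for v in vulns)
    hits = sum(v.exploited for v in patched)
    coverage = hits / exploited_total if exploited_total else 0.0
    efficiency = hits / len(patched) if patched else 0.0
    return Outcome(len(patched), coverage, efficiency)


# Selection rules a team might actually use.
def patch_everything(v: Vuln) -> bool:
    return True


def cvss_at_least(threshold: float) -> Callable[[Vuln], bool]:
    return lambda v: v.cvss2 >= threshold


def has_public_exploit(v: Vuln) -> bool:
    return v.public_exploit


def either(*rules: Callable[[Vuln], bool]) -> Callable[[Vuln], bool]:
    return lambda v: any(rule(v) for rule in rules)


STRATEGIES = {
    "patch everything": patch_everything,
    "CVSSv2 >= 9": cvss_at_least(9.0),
    "public exploit exists": has_public_exploit,
    "CVSSv2 >= 9 or public exploit": either(cvss_at_least(9.0), has_public_exploit),
}


def compare(vulns: Iterable[Vuln] = SAMPLE) -> dict:
    """Score every strategy on the same data set."""
    vulns = list(vulns)
    return {name: evaluate(vulns, rule) for name, rule in STRATEGIES.items()}


if __name__ == "__main__":
    for name, out in compare().items():
        print(f"{name:32s} patch {out.patched:2d}  "
              f"coverage {out.coverage:.2f}  efficiency {out.efficiency:.2f}")
```

On this sample, patching everything reaches full coverage but two thirds of the work goes to flaws nobody attacked; the CVSSv2 threshold alone catches four of the five exploited flaws with far less work, while relying on public exploit code alone misses the flaws attackers exploited without publishing anything. Swap SAMPLE for your own scanner export to see which rule fits your estate.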
The researchers compiled the data from multiple sources: NIST's National Vulnerability Database, the SANS Internet Storm Center, FortiGuard Labs, ReversingLabs metadata, AlienVault's OSSIM metadata, Contagio, Exploit DB and Secureworks CTU.
Kenna Security provided the research team with counts of how often each flaw turned up in scans of hundreds of corporate networks.
The detailed findings are available in a white paper entitled 'Improving Vulnerability Remediation Through Better Exploit Prediction', presented this week at the 2019 Workshop on the Economics of Information Security in Boston, Massachusetts.
"Our work contributes to the literature on the economics of information systems, and computer science literature on vulnerability remediation," the researchers wrote in the paper.
"In addition, we believe this work has significant implications for decision makers when assessing cyber security risk, to include firms, federal agencies, and national security policy makers," they added.