All you need to know about software vulnerabilities
Posted on January 8, 2025 by Charlie Thompson
We’re all familiar with the concept of applying updates to the various tech hardware we use in our lives – whether that be the latest version of iOS or Android on our mobile phones, or the latest version of Windows or MacOS on a laptop or work PC.
Whilst these big updates to the hardware we use on a daily basis have become the norm and familiar to us, it is just as important to apply updates to the software or applications that we use on them. Whilst some updates launch new features or fix bugs, by far their most important job is to fix security flaws (vulnerabilities) in the app or software.
What is a software “vulnerability”?
A vulnerability is a known weakness in a piece of software that could be exploited by cyber criminals for malicious purposes.
For example, depending on the complexity of the vulnerability, it may allow an attacker to deploy malicious programmes to a device (such as malware or spyware), or perhaps gain access to data held on it, or even allow an attacker to take remote control of a device.
It is important to note that any piece of software can be vulnerable to attack.
How are vulnerabilities identified?
Vulnerabilities may be identified in a number of ways: for example by the software vendor during testing, or by a curious tech enthusiast taking part in a “Bug Bounty” programme – a reward scheme created by software developers that pays curious techies to declare the vulnerabilities they find instead of exploiting them.
The worst and most impactful way a vulnerability is identified is by a cyber-criminal, who may then go on to exploit the vulnerability before the software vendor has any chance to respond and provide a fix. In these instances, where a vulnerability is already being exploited but there is no update available to fix it, the vulnerability is known as a “Zero-Day” – i.e. the software vendor has had “zero days” to respond to the vulnerability before it has been exploited.
What is a “CVE”?
You may also have heard of vulnerabilities being called “CVEs”, or as having an ID or number such as CVE-2024-123456. When a vulnerability in a piece of software is identified by the software vendor, they will log the vulnerability on a public list called “CVE” or “Common Vulnerabilities & Exposures”. A CVE number is assigned to the vulnerability, and it is uploaded to a database called the “NVD” or “National Vulnerability Database”, which is controlled by the US-based “NIST” (National Institute of Standards and Technology).
NIST assign the CVE a score between 0.0 and 10.0, with 10.0 being the most critical of vulnerabilities. These are published publicly so organisations are aware of them and can take action to mitigate the risk.
In general, anything with a score of 7.0 or higher is considered important enough to warrant fixing as soon as possible.
Why should I or my organisation care about vulnerabilities?
Any piece of software you use across your devices could be vulnerable to exploit. On average, 100 new software vulnerabilities are logged on the NVD every day. In 2023, over 29,000 new vulnerabilities were disclosed on the NVD. In 2024, this exploded to over 38,000, an increase of about 30%.
Exploited vulnerabilities can result in serious damage to an organisation. In 2023, the UK Government NCSC (National Cyber Security Centre) reported that exploited vulnerabilities were the main attack vector in breaches that were disclosed to them.
Furthermore, the UK Cyber Essentials certification stipulates that in order to meet the standard, organisations must patch or mitigate high or critical severity vulnerabilities with scores of 7.0 or higher within 2 weeks of an update becoming available for the vulnerability.
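As an added illustration (not code from the article or from ramsac's service), a small Python triage that applies the two thresholds above, a score of 7.0 or higher and the 14-day window from a fix becoming available, to a constructed list of findings; the CVE ids, product names and dates are placeholders.

```python
"""Constructed example: triage made-up vulnerability findings against the
thresholds the article describes (score >= 7.0, fix older than 14 days)."""
from datetime import date

# Constructed sample findings. CVE ids and products are placeholders, not real entries.
SAMPLE_FINDINGS = [
    {"cve": "CVE-0000-0001", "product": "file-transfer-app", "score": 9.8,
     "fix_available": "2025-01-02", "patched": False},
    {"cve": "CVE-0000-0002", "product": "pdf-reader", "score": 7.5,
     "fix_available": "2024-12-01", "patched": False},
    {"cve": "CVE-0000-0003", "product": "chat-client", "score": 4.3,
     "fix_available": "2024-11-15", "patched": False},   # below the 7.0 threshold
    {"cve": "CVE-0000-0004", "product": "office-suite", "score": 8.8,
     "fix_available": "2024-12-20", "patched": True},    # already patched
    {"cve": "CVE-0000-0005", "product": "browser", "score": 7.0,
     "fix_available": None, "patched": False},           # no vendor fix yet
]


def triage(findings, today_iso, min_score=7.0, window_days=14):
    """Sort unpatched high/critical findings into three buckets of CVE ids:
    'overdue'  - a fix has been available for more than window_days,
    'due'      - a fix is available and the window has not yet expired,
    'no_fix'   - no fix is available yet, so the risk must be mitigated another way.
    Findings below min_score or already patched are skipped."""
    today = date.fromisoformat(today_iso)
    result = {"overdue": [], "due": [], "no_fix": []}
    for f in findings:
        if f["patched"] or f["score"] < min_score:
            continue
        if f["fix_available"] is None:
            result["no_fix"].append(f["cve"])
            continue
        age_days = (today - date.fromisoformat(f["fix_available"])).days
        bucket = "overdue" if age_days > window_days else "due"
        result[bucket].append(f["cve"])
    return result


if __name__ == "__main__":
    for bucket, cves in triage(SAMPLE_FINDINGS, "2025-01-08").items():
        print(f"{bucket}: {cves}")
```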
A recent high-profile example was the 2023 exploitation of a vulnerability in the “MOVEit Transfer” application which is a bulk data transfer tool commonly used by organisations to share data outside of the organisation securely. This vulnerability resulted in numerous thefts of data, including employee personal data for big names such as the BBC, British Airways and Boots. This was not a zero-day vulnerability – the software vendor disclosed the vulnerability and provided a software update at the same time, but it was exploited by cyber criminals before a number of organisations applied the patch. This highlights how important it is to apply security updates and patches as soon as they become available.
How do I know if my organisation is impacted?
Your organisation will undoubtedly be impacted by software vulnerabilities. The sheer number of new vulnerabilities being raised every day means it is inevitable that you will be running vulnerable software on your devices at some point.
Ask yourself the following questions and see if you can answer them:
- How many software vulnerabilities are there across my organisation right now?
- Are the latest updates being applied to all my applications as soon as they are available?
If you cannot answer these questions, it is time to look at Vulnerability Management services. In general, it is recommended that organisations deploy a vulnerability scanner to identify vulnerabilities across devices, and then utilise an auto-patching service to apply software updates as soon as they become available.
How can ramsac help?
ramsac operate VMaaS (Vulnerability Management as a Service) both to identify vulnerabilities across your workstations and servers and to actively work towards mitigating as many of them as possible. The service comprises a set of tools to patch and update software as quickly as possible and a managed service wrapper to report on open vulnerabilities across your estate and provide recommendations on how to fix them.
What is VMaaS and why does your organisation need it?
VMaaS stands for “Vulnerability Management as a Service” and is ramsac’s service offering to help safeguard your organisation from software vulnerabilities.
We use a state-of-the-art tool to identify vulnerabilities across your workstations and servers, automatically update or patch software from a large catalogue of supported software, and proactively work to reduce the overall number of vulnerabilities across your devices that could be exploited by cyber criminals.