Italian security researchers from the University of Trento, Luca Allodi and Fabio Massacci, stated that the Common Vulnerability Scoring System (CVSS) does not answer the main concern of all companies: whether vulnerabilities are actually being used in attacks on computer systems.
"The CVSS could be high, but you may have a low risk of being exploited, while you can get a low CVSS score and still be attacked," Massacci says. "There is not much correlation between the CVSS only and the chance of being attacked." The researchers compared the CVSS scores from the National Vulnerability Database (NVD) with information from the Exploit Database, as well as data from Symantec about the vulnerabilities that have been used in actual attacks.
Experts note that vulnerabilities whose exploits are sold on forums should be addressed first, since the risk that they will be used is very high. However, there was less correlation between the existence of a proof-of-concept attack in the Exploit Database and the risk of attack.
In addition, attack complexity, which is one of the CVSS metrics, has a stronger correlation with the probability that a vulnerability will be exploited than the overall CVSS score does.
"If your vulnerability is in an exploit kit, then patch," Allodi says. "And if it is easy to exploit, then patch. But if it is difficult--more complex--to exploit, then it depends on the importance of the software with a vulnerability."
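To make the triage rule concrete, here is an added Python example (not code from the researchers or their report) that encodes Allodi's rule as quoted above and contrasts the resulting patch order with a CVSS-only ranking. The vulnerability identifiers, scores and flags in the inventory are constructed placeholders, and the `importance` field stands in for the site-specific judgement of how important the vulnerable software is.

```python
from dataclasses import dataclass
from typing import List

@dataclass(frozen=True)
class Vuln:
    vid: str              # constructed placeholder id, not a real CVE number
    cvss: float           # CVSS base score as published in NVD
    complexity: str       # CVSS access-complexity metric: "low", "medium" or "high"
    in_exploit_kit: bool  # exploit observed for sale in a kit on underground forums
    has_poc: bool         # proof-of-concept listed in the Exploit Database
    importance: str       # site-specific judgement of the software: "critical" or "normal"

def patch_priority(v: Vuln) -> str:
    """Allodi's rule: in an exploit kit -> patch; easy to exploit -> patch;
    otherwise the decision depends on how important the vulnerable software is."""
    if v.in_exploit_kit or v.complexity == "low":
        return "patch-now"
    return "patch-now" if v.importance == "critical" else "schedule"

_LEVEL = {"patch-now": 0, "schedule": 1}

def rank_by_evidence(vulns: List[Vuln]) -> List[str]:
    """Order by exploitation evidence: exploit-kit presence first, then a
    PoC-only listing as a weak signal, with CVSS only as a final tie-breaker."""
    def key(v: Vuln):
        return (_LEVEL[patch_priority(v)], not v.in_exploit_kit,
                not v.has_poc, -v.cvss)
    return [v.vid for v in sorted(vulns, key=key)]

def rank_by_cvss(vulns: List[Vuln]) -> List[str]:
    """The naive ordering the article argues against: highest base score first."""
    return [v.vid for v in sorted(vulns, key=lambda v: -v.cvss)]

# Constructed inventory for illustration only.
INVENTORY = [
    Vuln("VULN-A", 9.8, "high",   False, False, "normal"),
    Vuln("VULN-B", 5.0, "medium", True,  True,  "normal"),
    Vuln("VULN-C", 6.5, "low",    False, True,  "normal"),
    Vuln("VULN-D", 7.2, "high",   False, True,  "critical"),
]

if __name__ == "__main__":
    print("by CVSS:    ", rank_by_cvss(INVENTORY))      # VULN-A comes first
    print("by evidence:", rank_by_evidence(INVENTORY))  # VULN-A comes last
```

The high-scoring but complex, unexploited VULN-A drops to the bottom, while the low-scoring VULN-B that is already in an exploit kit moves to the top.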
The researchers' full report will be presented at the Black Hat Security Briefings.