I saw the headline yesterday, “Security Experts Warn Firms of the Higher Risk of Lower-Risk Flaws.” It is the kind of headline that makes one do a double-take (the mark of a good headline, I suppose). But can it be true? Well, on the one hand, it could be justified simply by asserting that the risk associated with low risk vulnerabilities has simply increased from, say, really really low to simply low. This is sort of like when studies assert that your risk of getting cancer has quadrupled when it goes from .01% to .04%.
But there is an implied change of impact here, and the gist of the article is that those vulnerabilities that are listed as medium or low risk in security advisories are being combined to compromise systems at a level previously met by high risk vulnerabilities. Its pretty ingenious, actually, but I think I’ll hold out for a few examples before I weigh in completely. And even then it is not clear to me that the risk can meet or exceed the risk associated with high risk vulns.
Interesting to keep up with, however.