Forwarded from: security curmudgeon <jericho@private>
Cc: dailydave@private

: http://www.businessweek.com/technology/content/jun2005/tc20050617_1613_tc024.htm
: By Sarah Lacy
: June 17, 2005
:
: Software meant to protect PCs is now an attack target, revealing a rising
: number of flaws -- even more than those of Microsoft products
:
: A new Yankee Group report, to be released June 20, shows the number of
: vulnerabilities found in security products increasing sharply for the
: third straight year -- and for the first time surpassing those found in
: all Microsoft (MSFT) products. The majority of these weaknesses are

Already on unstable ground with this wording. Journalists (and security
folks) need to remember the difference between 'found' and 'reported'
and 'disclosed'.

: SAME EXCUSE. Last year, researchers found 60 flaws in a variety of
: computer-security programs, almost double the 31 vulnerabilities
: discovered in 2003, according to Andrew Jaquith, a Yankee senior analyst
: who culled a national database of reported software vulnerabilities.

*Sigh*, some day I will learn to smile and nod and not feel the need to
reply to these studies. Until that time..

Cliff notes:

  2004, 60 flaws in computer-security programs
  2003, 31 flaws in computer-security programs
  unnamed national database of vulnerabilities

Culling a database is easy. Making a list of security products to search
for in the first place might be a real chore. Moving past that, defining
a vulnerability would be key here, as CVE might group a few issues into
one entry, and another database like X-Force or OSVDB may split them out
into separate entries. Last, what about products such as 'tcpdump' or
'ethereal'? Are these classified as security products or administrative
tools? Without this information, this article is basically fluff that
can't be reasonably understood or trusted without the full report.

Fortunately, I waited long enough to reply for the details to be
released.

http://www.yankeegroup.com/public/products/decision_note.jsp?ID=13157

We see that they use CVE and iCat for their data, but do not address the
fact that CVE can merge separate vulnerabilities into a single entry,
nor do they address the other questions above. iCat uses the CVE
database and just adds some metrics. Some interesting points in this
research:

  Yankee Group analysis of a well-known public vulnerability data
  source, ICAT, suggests that flaw finders have shifted their focus
  toward security products.

60 flaws in 2004, according to Yankee Group, and they say there is a
shift to security product vulnerability research? Compare that to the
total number of vulnerabilities released, and this is easily debated.

  From 2004 to May 2005 in particular, 77 disclosed vulnerabilities
  affected a wide array of security products. The incidents increased
  far faster than the rate for Microsoft (see Exhibit 1).

This is a little misleading. First and second quarter of 2004 show
security products going down, then taking a turn and moving up for
third/fourth quarter of 2004, and heading back down for 2005. I'm not a
statistician, but this doesn't seem like a *trend* to me.

  Check Point and F-Secure saw a large increase in vulnerabilities in
  2004 compared to the previous year, while vendors such as McAfee saw a
  significant decrease.

A quick search (by vuln title) of OSVDB.org shows:

                 2003   2004
  Check Point       1      6
  F-Secure          1     10
  McAfee            6      7

So two out of three on these statements, not bad! McAfee has had an
increase it seems, just not so dramatic as F-Secure or Check Point.

: Through May, 2005, 23 software glitches have been counted -- already up
: 50% over last year. And that figure doesn't include those yet to come
: this summer, when the biggest attacks are usually launched. So far this
: year, researchers have only found 22 vulnerabilities in Microsoft's
: products.

iCat shows 2005 + "microsoft" having 54 entries and OSVDB.org shows 86
so far this year.

Listing 22 vulnerabilities for Microsoft is what.. going by Microsoft
Security Bulletins? MS05-034 being the latest, and 025-034 possibly
being released after the research was completed.. suggests that might
be the case. Anyone familiar with MS advisories knows they can contain
multiple vulnerabilities, even by CVE designation. So is the use of "22
vulnerabilities in Microsoft's products" creatively switching to a
different method for counting?

So far this research seems poorly done, so I hate to add fuel to the
fire.. but if you search OSVDB.org for security products (and use a good
list), you will find a lot more than mentioned in this report. There are
already 17 vulnerabilities listed in 2005 searching for "firewall",
compared to the 23 mentioned by Yankee Group. Branch out into other
security products and you are well over 23.

: Symantec (SYMC) has had the most reported vulnerabilities, with 16
: documented last year (see BW Online, 6/17/05, "A New Frontier for
: Hackers?"). But so far this year, it has fared better: Through May, only
: two vulnerabilities were reported.

Err, 43 Symantec issues in 2004... and 10 in 2005..

: BRAGGING RIGHTS. Still, Symantec is a target because it's the market
: leader. Hackers generally want to crack programs with the largest
: installed base -- thus offering the maximum impact for their exploits.
: That's one of the rationales Microsoft has used to explain why its
: products seem to have so many reported security glitches. But Jaquith
: points out that McAfee, the second-largest security player, decreased
: its vulnerabilities over the last year. "This is a leading indicator of
: the relative quality of the two products," he argues.

2005, two McAfee reported vulns.. 2004, seven reported. That still
leaves almost six months for the numbers to be the same. Hard to predict
a trend off such limited data, especially when Yankee Group says:

  And that figure doesn't include those yet to come this summer, when
  the biggest attacks are usually launched.

: ISS has only had three vulnerabilities in its history, but Noonan calls
: it a wake-up call nonetheless.

Huh?! Read the damn Yankee Group report! "One firm -ISS- accounted for
four of these." Failing that, search a vulnerability database for ISS
products and that "three" figure goes out the window.

  ISS RealSecure / BlackICE Rule Name Field Local [..]         Apr  8, 2005
  BlackICE/PC Protection Unprivileged User Local DoS           Aug 14, 2004
  TCP Reset Spoofing                                           Apr 20, 2004
  ISS RealSecure Network Sensor Malformed DHCP Packet DoS      Apr  8, 2004
  BlackICE Insecure Default Configuration Weakness             Mar 31, 2004
  BlackICE NIC Protection Failure                              Mar 31, 2004
  ISS PAM Component ICQ Protocol Parsing Overflow              Mar 18, 2004
  ISS Multiple Products SMB Packet Handling Overflow           Feb 27, 2004
  RealSecure/BlackICE PAM Module SMB Packet Overflow           Feb 24, 2004
  BlackICE PC Protection blackd.exe Local Overflow             Jan 28, 2004
  BlackICE PC Protection Upgrade File Permission Weakness      Jan 28, 2004
  ISS RealSecure Server Sensor HTTPS Request DoS               Sep  8, 2003
  ISS RealSecure Server Sensor ISAPI Plug-in DoS               Sep  8, 2003
  BlackICE Defender XSS Detection Evasion                      Jun 17, 2003
  ISS Security Scanner HTTP Remote Overflow                    Sep 18, 2002
  ISS ICEcap Default Password                                  Sep 12, 2002
  BlackICE tcp.maxconnections Memory Consumption DoS           Jun 19, 2002
  BlackICE Agent System Standby Failure                        Jun  6, 2002
  BlackICE / RealSecure Large ICMP Ping Packet Overflow        Feb  4, 2002
  ISS RealSecure Network Sensor Non-Standard [..]              Sep  5, 2001
  ISS RealSecure Server Sensor Non-Standard [..]               Sep  5, 2001
  ISS RealSecure Fragmented SYN Packet DoS                     Aug 22, 2000
  BlackICE UDP Port Block Delay                                Jun 20, 2000 *
  ISS Security Scanner Installer Temporary File Symlink        Feb 20, 1999
  ISS Security Scanner Fingerd Scan Overflow                   Dec  3, 1998
  ISS Security Scanner Command Line Overflow                   Jan  1, 1998

  * Note: ISS purchased BlackIce around May 2001, so this one wouldn't
    really be held against them =)

: DANGEROUS DAWNING. That should have been a wake-up call to other
: companies as well. Jaquith advises vendors to ratchet up their internal
: testing. Both Symantec and McAfee recently acquired consulting firms
: that are experts in launching test attacks before the software is
: released. "They both have the tools in-house, it's a question of putting
: them to use," he says.

Now *this* will prove to be interesting statistics down the road. Will
the disclosed vulnerabilities in Symantec products go up/down after the
purchase of @stake...

_________________________________________
Attend the Black Hat Briefings and Training, Las Vegas July 23-28 -
2,000+ international security experts, 10 tracks, no vendor pitches.
www.blackhat.com
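The post's point is that a vendor "vulnerability count" depends entirely on which database you search, what you count as one entry, and which date window and product lineage you include. The script below is an added example (not jericho's code, nor anything from Yankee Group or OSVDB) that makes that concrete: it parses the ISS/BlackICE list transcribed from the post above, counts entries per year, counts the report's 2004 through May 2005 window, and separates out BlackICE entries that predate the May 2001 acquisition the post mentions. The entry format (title, then "Mon D, YYYY", then an optional "*" flag) and the May 1, 2001 cutoff are assumptions made here for the example.

```python
import re
from collections import Counter
from datetime import date

# Sample input: the ISS / BlackICE entries as listed in the post above,
# one per line, title first, then the disclosure date, with a trailing "*"
# on the single entry the post flags as predating the BlackICE purchase.
ISS_ENTRIES = """\
ISS RealSecure / BlackICE Rule Name Field Local [..] Apr 8, 2005
BlackICE/PC Protection Unprivileged User Local DoS Aug 14, 2004
TCP Reset Spoofing Apr 20, 2004
ISS RealSecure Network Sensor Malformed DHCP Packet DoS Apr 8, 2004
BlackICE Insecure Default Configuration Weakness Mar 31, 2004
BlackICE NIC Protection Failure Mar 31, 2004
ISS PAM Component ICQ Protocol Parsing Overflow Mar 18, 2004
ISS Multiple Products SMB Packet Handling Overflow Feb 27, 2004
RealSecure/BlackICE PAM Module SMB Packet Overflow Feb 24, 2004
BlackICE PC Protection blackd.exe Local Overflow Jan 28, 2004
BlackICE PC Protection Upgrade File Permission Weakness Jan 28, 2004
ISS RealSecure Server Sensor HTTPS Request DoS Sep 8, 2003
ISS RealSecure Server Sensor ISAPI Plug-in DoS Sep 8, 2003
BlackICE Defender XSS Detection Evasion Jun 17, 2003
ISS Security Scanner HTTP Remote Overflow Sep 18, 2002
ISS ICEcap Default Password Sep 12, 2002
BlackICE tcp.maxconnections Memory Consumption DoS Jun 19, 2002
BlackICE Agent System Standby Failure Jun 6, 2002
BlackICE / RealSecure Large ICMP Ping Packet Overflow Feb 4, 2002
ISS RealSecure Network Sensor Non-Standard [..] Sep 5, 2001
ISS RealSecure Server Sensor Non-Standard [..] Sep 5, 2001
ISS RealSecure Fragmented SYN Packet DoS Aug 22, 2000
BlackICE UDP Port Block Delay Jun 20, 2000 *
ISS Security Scanner Installer Temporary File Symlink Feb 20, 1999
ISS Security Scanner Fingerd Scan Overflow Dec 3, 1998
ISS Security Scanner Command Line Overflow Jan 1, 1998
"""

MONTHS = {name: num for num, name in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), start=1)}

# Assumed line format: free-text title, "Mon D, YYYY", optional "*" marker.
ENTRY_RE = re.compile(
    r"^(?P<title>.+?)\s+(?P<mon>[A-Z][a-z]{2}) (?P<day>\d{1,2}), (?P<year>\d{4})\s*(?P<flag>\*)?$")


def parse_entries(text):
    """Return a list of (title, date, flagged) tuples; a malformed line raises."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ENTRY_RE.match(line)
        if m is None:
            raise ValueError("unparsable entry: %r" % line)
        when = date(int(m["year"]), MONTHS[m["mon"]], int(m["day"]))
        entries.append((m["title"], when, m["flag"] is not None))
    return entries


def count_per_year(entries, exclude_flagged=False):
    """Entries per disclosure year, optionally dropping the '*'-flagged ones."""
    return Counter(when.year for _, when, flagged in entries
                   if not (exclude_flagged and flagged))


def count_in_window(entries, start="2004-01-01", end="2005-05-31"):
    """Entries disclosed within [start, end]; defaults to the report's window."""
    lo, hi = date.fromisoformat(start), date.fromisoformat(end)
    return sum(1 for _, when, _ in entries if lo <= when <= hi)


def pre_acquisition_blackice(entries, cutoff="2001-05-01"):
    """Titles of BlackICE entries dated before the (assumed) May 2001 purchase."""
    limit = date.fromisoformat(cutoff)
    return [title for title, when, _ in entries
            if "BlackICE" in title and when < limit]


if __name__ == "__main__":
    found = parse_entries(ISS_ENTRIES)
    print("total entries:", len(found))
    for year, n in sorted(count_per_year(found).items(), reverse=True):
        print("  %d: %d" % (year, n))
    print("2004 through May 2005:", count_in_window(found))
    print("pre-acquisition BlackICE:", pre_acquisition_blackice(found))
```

Run against the post's list, the same data yields "three", "four" or twenty-six depending on the window and the lineage rules applied; the useful habit is to state those rules next to any count rather than arguing over the number alone.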
This archive was generated by hypermail 2.1.3 : Wed Jun 22 2005 - 00:02:55 PDT