[ISN] A banner year for security bugs

From: InfoSec News (alerts@private)
Date: Thu Oct 12 2006 - 02:01:54 PDT


http://news.com.com/A+banner+year+for+security+bugs/2100-1002_3-6124541.html

By Joris Evers
Staff Writer, CNET News.com
October 11, 2006

It isn't over yet, but 2006 is already a record year when it comes to 
security vulnerabilities.

There is, however, a silver lining: A smaller chunk of the flaws are 
high risk.

Last year, researchers at Internet Security Systems identified 5,195 
vulnerabilities in software. On Monday, the count for this year stood at 
5,450, according to the Atlanta-based company's survey, and the 
projected total for the whole of the year is almost 7,500 bugs.

"Three-quarters through the year, 2006 is looking to be a huge jump in 
terms of security vulnerabilities," said Gunter Ollmann, director of 
X-Force, the research and development group at ISS.

The number of problems found has increased as bug hunters and software 
makers have become more skilled at finding them and as access to 
automated audit tools has improved, Ollmann said. Also, there is more 
code to comb for security holes, because people use more complex 
software than ever.

Atlanta-based ISS, which is being acquired by IBM, predicts there will 
be a 41 percent increase in confirmed security faults in software 
compared with 2005. That year, in its own turn, saw a 37 percent rise 
over 2004.

But there is some good news as well: While there will be an overall jump 
in the number of security vulnerabilities, it will be accompanied by a 
fall in the percentage of bugs rated "critical" or high-risk, Ollmann 
said.

According to Ollmann, severe flaws like these accounted for 28.4 percent 
of all security holes last year. By comparison, they make up only 17 
percent of the flaws identified this year up to Monday, and that 
percentage is expected to be the same for the full year.

"This is probably the most positive part of the vulnerability trend," 
Ollmann said. "In previous years, there was an upward trend in the 
number of critical and high-risk vulnerabilities."

ISS's description of a rise in flaws is backed up by other security 
companies. VeriSign's iDefense and eEye Digital Security also said they 
have seen an increase in vulnerabilities this year. Another indication 
of an increase comes from Microsoft's security bulletins. The software 
maker issued 55 in the first three quarters of this year, compared with 
45 in all of 2005.

In addition, Symantec's Internet Security Threat Report says 2,249 new 
vulnerabilities were documented in the first six months of 2006, up 18 
percent over the second half of 2005. That's the highest number ever 
recorded for a six-month period, the security company said. Eighty 
percent of newly disclosed issues were considered easily exploitable, 
and the window of exposure for enterprise flaws was 28 days.

More security vulnerabilities mean more opportunities for cybercrooks 
and more headaches for people creating and applying security patches, 
experts said.

"You have to protect against every single one of those vulnerabilities, 
while an attacker needs to find only one to stage an attack," Ollmann 
said. "The more vulnerabilities that are disclosed, the more at risk you 
are."


Warming up to fuzzers

Critical and high-risk vulnerabilities are those that could let a 
network worm spread by itself, or could allow an anonymous attacker to 
remotely gain control over a computer without the user taking any 
action. As well as a percentage drop, ISS projects a fall in the 
absolute number of these types of bug in 2006, which anticipate 1,265 
compared with 1,475 last year.

The drop in the most serious flaws can be attributed, in part, to 
better-built software. "Software is becoming more secure," Ollmann said. 
Also, many bug hunters have started using automated tools called 
'fuzzers,' which often turn up flaws that end up being rated 
medium-risk," he said.

For example, a fuzzing tool could be used to test how a specific 
application handles a certain file format, such as the JPEG and GIF 
image formats. If that application--say, a Web browser--returns an 
error, the error could point to a vulnerability that could be used as 
the basis for an attack. To exploit this flaw, however, the attacker 
will often have to trick the victim into opening a malformed file.

Fewer of the most-serious flaws are being discovered in operating 
systems, said Steve Manzuik, an eEye representative. However, there are 
more being uncovered in other kinds of software.

"We have seen an increase in critical client-side flaws such as ones in 
Internet Explorer, QuickTime, and Office applications," he said.

The overall dip in severe flaws may be short-lived, Ollmann said. When a 
major new software product ships, the count of critical bugs typically 
spikes, he noted. In January, Microsoft's new Windows Vista, the 
operating system successor to XP, is slated to be broadly available. 
Microsoft has tagged Vista as the "most secure version of Windows ever."

"I think that certainly in the first half of 2007, we will see an 
increase in percentage terms of high-risk and critical vulnerabilities," 
Ollmann said. "That will most likely be associated with the release of 
Vista."

It isn't just the most serious flaws that people need to worry about, 
noted Ken Dunham, director of the rapid response team at iDefense. "This 
year has been unprecedented in terms of zero-day attacks," he said. 
"There is a much larger number of medium-level vulnerabilities today, 
and many of those are being used in attacks."

Zero-day attacks use previously unknown flaws that have yet to be fixed. 
Many of them take advantage of the type of security hole that can be 
found using a fuzzer.

Such mid-level vulnerabilities are being used in two main types of 
attacks. Consumers are targeted via malicious Web sites that try to 
silently install spyware or other nefarious software such as keystroke 
loggers and bots, Dunham said. Businesses are being targeted directly, 
with small-scale attacks that use rigged Word documents, for example, he 
said.

"Consumers can count on Web-based attacks, while the scary part for 
organizations is that they are being targeted specifically by certain 
attackers," Dunham said.

Copyright 1995-2006 CNET Networks, Inc. All rights reserved.


_________________________________
Visit the InfoSec News store!
http://www.shopinfosecnews.org 



This archive was generated by hypermail 2.1.3 : Thu Oct 12 2006 - 02:13:30 PDT