Forwarded from: security curmudgeon <jericho (at) attrition.org>

: http://www.eweek.com/article2/0,1895,2184206,00.asp
: By Lisa Vaas
: September 17, 2007
:
: New IBM research shows that five vendors are responsible for 12.6
: percent of all disclosed vulnerabilities.
:
: IBM Internet Security Systems' X-Force R&D team released its 2007
: report on cyber attacks on Sept. 17, revealing that the top five
: vulnerable vendors accounted for 12.6 of all disclosed vulnerabilities
: in the first half of the year, or 411 of 3,272 vulnerabilities disclosed.
:
: Here's the order in which the top 10 vendors stacked up, by percentage
: of vulnerabilities publicly disclosed in the first half of the year:
:
: Microsoft, 4.2 percent
: Apple, 3 percent
: Oracle, 2 percent

[..]

: The vast majority (90 percent) of the 3,273 vulnerabilities reported in
: the first half of the year can be exploited remotely. And more than
: half (51.6 percent) of the vulnerabilities found would give an attacker
: access to the host after exploitation.
:
: In other findings, one surprise was that for the first time ever,
: there's been an actual decrease in the number of vulnerabilities
: reported. The total of 3,273 vulnerabilities found represents a 3.3
: percent decrease over the first half of 2006.
:
: X-Force Director Kris Lamb told eWEEK that there are a few things at
: play that likely have contributed to the decrease. One factor is that
: nowadays researchers have at their disposal much more polished
: bug-finding techniques. One such technique is fuzzing: the use of
: automatic tools to find vulnerabilities.

One other factor, that Lisa Vaas apparently didn't ask about, is how ISS
X-Force catalogs vulnerabilities, and if their method and standards could
impact these numbers at all.
Take, for example, two X-Force vulnerability database entries:

Oracle Critical Patch Update - July 2007
http://xforce.iss.net/xforce/xfdb/35490
18 CVE, 30+ Oracle

Oracle Critical Patch Update - January 2007
http://xforce.iss.net/xforce/xfdb/31541
30 CVE, 50+ Oracle

So when comparing numbers, you have 2 X-Force entries that equate to 48
CVE entries that equate to *more than 80* unique and distinct
vulnerabilities according to Oracle.

I'm not a math or stat guy, but I have a feeling that this could seriously
skew the statistics above, especially when you consider that Microsoft and
Apple both have a more distinct breakdown and separation in the X-Force
database.

Anyone from IBM/ISS care to clarify? Lisa, did you have more extensive
notes on this aspect that didn't make it in the article perhaps?

security curmudgeon
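The counting-granularity question raised above can be made concrete. The following is an added worked example, not part of the post or of the X-Force report, and it does not use the X-Force dataset: it builds a constructed catalog in which only the two Oracle CPU rows (18 CVE / 30+ issues and 30 CVE / 50+ issues, with "30+" and "50+" rounded down to 30 and 50) come from the post, the entry counts are chosen so the per-entry shares match the article's 4.2 percent (Microsoft) and 2 percent (Oracle) of 3,272 to one decimal, and every other entry is assumed to map to exactly one CVE and one vendor-reported issue. It then recomputes each vendor's share under three granularities (per database entry, per CVE id, per vendor-listed issue) to show how the ranking can shift when bundled advisories are counted as single entries.

```python
from collections import Counter

# Constructed sample catalog, NOT the X-Force or eWEEK data. Each tuple is
# one database entry: (vendor, CVE ids the entry covers, distinct issues the
# vendor's own advisory lists). Only the two Oracle CPU rows come from the
# post; the 63 / 137 / 3070 multipliers are chosen so the per-entry totals
# reproduce the article's 2% and 4.2% of 3,272 entries, and "one CVE, one
# issue" for every other entry is an assumption made for the example.
SAMPLE_CATALOG = (
    [("Oracle", 18, 30), ("Oracle", 30, 50)]   # July 2007 and January 2007 CPUs
    + [("Oracle", 1, 1)] * 63
    + [("Microsoft", 1, 1)] * 137
    + [("Other", 1, 1)] * 3070                  # everyone else, lumped together
)

# Three ways of weighting the same entry when computing "share of all vulns".
GRANULARITIES = {
    "per entry": lambda e: 1,             # one unit per database record
    "per CVE": lambda e: e[1],            # one unit per CVE id referenced
    "per vendor issue": lambda e: e[2],   # one unit per issue the vendor lists
}


def vendor_share(catalog, weight):
    """Return {vendor: percent of grand total}, each entry weighted by weight(entry)."""
    totals = Counter()
    for entry in catalog:
        totals[entry[0]] += weight(entry)
    grand = sum(totals.values())
    return {v: round(100.0 * n / grand, 2) for v, n in totals.items()}


def ranking(shares):
    """Named vendors ordered by descending share, excluding the catch-all bucket."""
    return sorted((v for v in shares if v != "Other"), key=lambda v: -shares[v])


def compare(catalog=SAMPLE_CATALOG):
    """Shares under every granularity, keyed by granularity name."""
    return {name: vendor_share(catalog, w) for name, w in GRANULARITIES.items()}


if __name__ == "__main__":
    for name, shares in compare().items():
        order = ranking(shares)
        print(f"{name:17s} " + ", ".join(f"{v} {shares[v]}%" for v in order))
```

With these constructed inputs Oracle sits at roughly 2 percent when each X-Force entry counts once, rises to about 3.4 percent when the two CPU entries are expanded to their 48 CVE ids, and overtakes Microsoft (about 4.3 versus 4.1 percent) when the vendor's own issue counts are used; the point is not the exact figures, which depend on the assumptions above, but that a vendor ranking is only meaningful alongside a statement of what one "vulnerability" is in the underlying database.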
This archive was generated by hypermail 2.1.3 : Tue Sep 18 2007 - 23:19:26 PDT