Re: [ISN] Report: MS, Apple, Oracle Are Top Vulnerable Vendors

From: InfoSec News (alerts@private)
Date: Tue Sep 18 2007 - 23:05:45 PDT

Forwarded from: security curmudgeon <jericho (at)>

: By Lisa Vaas
: September 17, 2007
: New IBM research shows that five vendors are responsible for 12.6
: percent of all disclosed vulnerabilities.

: IBM Internet Security Systems' X-Force R&D team released its 2007 
: report on cyber attacks on Sept. 17, revealing that the top five 
: vulnerable vendors accounted for 12.6 percent of all disclosed vulnerabilities 
: in the first half of the year, or 411 of 3,272 vulnerabilities disclosed.
: Here's the order in which the top 10 vendors stacked up, by percentage
: of vulnerabilities publicly disclosed in the first half of the year:
: Microsoft, 4.2 percent
: Apple, 3 percent
: Oracle, 2 percent


: The vast majority, 90 percent, of the 3,273 vulnerabilities reported in 
: the first half of the year can be exploited remotely. And more than 
: half, 51.6 percent, of the vulnerabilities found would give an attacker 
: access to the host after exploitation.
: In other findings, one surprise was that for the first time ever,
: there's been an actual decrease in the number of vulnerabilities
: reported. The total of 3,273 vulnerabilities found represents a 3.3
: percent decrease over the first half of 2006.
: X-Force Director Kris Lamb told eWEEK that there are a few things at
: play that likely have contributed to the decrease. One factor is that
: nowadays researchers have at their disposal much more polished
: bug-finding techniques. One such technique is fuzzing: the use of
: automatic tools to find vulnerabilities.

One other factor, that Lisa Vaas apparently didn't ask about, is how ISS 
X-Force catalogs vulnerabilities, and if their method and standards 
could impact these numbers at all. Take, for example, two X-Force 
vulnerability database entries:

Oracle Critical Patch Update - July 2007
18 CVE, 30+ Oracle

Oracle Critical Patch Update - January 2007
30 CVE, 50+ Oracle

So when comparing numbers, you have 2 X-Force entries that equate to 48 
CVE entries that equate to *more than 80* unique and distinct 
vulnerabilities according to Oracle.

I'm not a math or stat guy, but I have a feeling that this could 
seriously skew the statistics above, especially when you consider that 
Microsoft and Apple both have a more distinct breakdown and separation 
in the X-Force database.

Anyone from IBM/ISS care to clarify? Lisa, did you have more extensive 
notes on this aspect that didn't make it in the article perhaps?

security curmudgeon
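The counting-unit effect the post describes, shown as an added illustration (this is not part of the post, and the data is not X-Force's, Oracle's or eWEEK's). The script builds a constructed entry table whose entry-level shares reproduce the article's quoted figures (3,273 entries; Microsoft 4.2 percent, Apple 3 percent, Oracle 2 percent); only the two Oracle CPU rows carry figures from the post (18 CVE / 30+ issues and 30 CVE / 50+ issues), and every other row is filler. The function names and the assumption that the article's percentages are per tracker entry are mine, made to show how the same records rank vendors differently once the unit of counting changes.

```python
"""Vendor vulnerability shares under three counting units.

Constructed example: a tracker entry can bundle many CVE ids, and a vendor
advisory can report more distinct issues than it has CVE ids. The share a
vendor gets therefore depends on which of those units is counted.
"""
from collections import Counter
from typing import Dict, List, Tuple

Entry = Dict[str, object]


def make_entry(vendor: str, title: str, cves: int = 1, vendor_issues: int = 1) -> Entry:
    """One tracker entry: how many CVE ids and vendor-reported issues it bundles."""
    return {"vendor": vendor, "title": title, "cves": cves, "vendor_issues": vendor_issues}


def constructed_dataset() -> List[Entry]:
    """Constructed sample (assumption: the article's percentages are per entry).

    Entry counts are chosen so that 3,273 entries give Microsoft 4.2%, Apple 3%
    and Oracle 2% at entry granularity. The two Oracle CPU rows use the figures
    quoted in the post; all other rows are single-CVE filler.
    """
    entries = [
        make_entry("Oracle", "Oracle Critical Patch Update - July 2007", cves=18, vendor_issues=30),
        make_entry("Oracle", "Oracle Critical Patch Update - January 2007", cves=30, vendor_issues=50),
    ]
    entries += [make_entry("Oracle", f"oracle-filler-{i}") for i in range(63)]
    entries += [make_entry("Microsoft", f"microsoft-filler-{i}") for i in range(137)]
    entries += [make_entry("Apple", f"apple-filler-{i}") for i in range(98)]
    entries += [make_entry("Other", f"other-filler-{i}") for i in range(3273 - 65 - 137 - 98)]
    return entries


# Weight of one entry under each counting unit.
UNITS = {
    "entry": lambda e: 1,                          # one per tracker entry
    "cve": lambda e: e["cves"],                    # one per CVE id
    "vendor_issue": lambda e: e["vendor_issues"],  # one per vendor-reported issue
}


def vendor_shares(entries: List[Entry], unit: str) -> Dict[str, float]:
    """Percentage of all counted units attributed to each vendor, rounded to 0.1."""
    weigh = UNITS[unit]
    counts: Counter = Counter()
    for e in entries:
        counts[e["vendor"]] += weigh(e)
    total = sum(counts.values())
    return {v: round(100.0 * c / total, 1) for v, c in counts.items()}


def ranking(entries: List[Entry], unit: str, ignore=("Other",)) -> List[Tuple[str, float]]:
    """Named vendors ordered by share under the given counting unit."""
    shares = vendor_shares(entries, unit)
    named = [(v, s) for v, s in shares.items() if v not in ignore]
    return sorted(named, key=lambda vs: vs[1], reverse=True)


if __name__ == "__main__":
    data = constructed_dataset()
    for unit in UNITS:
        print(f"{unit:>13}: {ranking(data, unit)}")
```

Run as-is it prints one ranking per unit: at entry granularity Oracle sits third, at CVE granularity it moves ahead of Apple, and counting vendor-reported issues it moves ahead of Microsoft, with nothing changed except the unit. The practical check for any vendor-ranking statistic is therefore to ask which unit each tracker counts before comparing vendors across trackers.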


This archive was generated by hypermail 2.1.3 : Tue Sep 18 2007 - 23:19:26 PDT