Re: [ISN] Report: MS, Apple, Oracle Are Top Vulnerable Vendors

From: InfoSec News (alerts@private)
Date: Tue Sep 18 2007 - 23:05:45 PDT


Forwarded from: security curmudgeon <jericho (at) attrition.org>

: http://www.eweek.com/article2/0,1895,2184206,00.asp
: By Lisa Vaas
: September 17, 2007
:
: New IBM research shows that five vendors are responsible for 12.6
: percent of all disclosed vulnerabilities.

: IBM Internet Security Systems' X-Force R&D team released its 2007
: report on cyber attacks on Sept. 17, revealing that the top five
: vulnerable vendors accounted for 12.6 percent of all disclosed
: vulnerabilities in the first half of the year, or 411 of 3,272
: vulnerabilities disclosed.
:
: Here's the order in which the top 10 vendors stacked up, by percentage
: of vulnerabilities publicly disclosed in the first half of the year:
:
: Microsoft, 4.2 percent
: Apple, 3 percent
: Oracle, 2 percent

[..]

: The vast majority, 90 percent, of the 3,273 vulnerabilities reported in
: the first half of the year can be exploited remotely. And more than
: half, 51.6 percent, of the vulnerabilities found would give an attacker
: access to the host after exploitation.
:
: In other findings, one surprise was that for the first time ever,
: there's been an actual decrease in the number of vulnerabilities
: reported. The total of 3,273 vulnerabilities found represents a 3.3
: percent decrease over the first half of 2006.
:
: X-Force Director Kris Lamb told eWEEK that there are a few things at
: play that likely have contributed to the decrease. One factor is that
: nowadays researchers have at their disposal much more polished
: bug-finding techniques. One such technique is fuzzing: the use of
: automatic tools to find vulnerabilities.

One other factor, that Lisa Vaas apparently didn't ask about, is how ISS 
X-Force catalogs vulnerabilities, and if their method and standards 
could impact these numbers at all. Take for example, two X-Force 
vulnerability database entries:

Oracle Critical Patch Update - July 2007
http://xforce.iss.net/xforce/xfdb/35490
18 CVE, 30+ Oracle

Oracle Critical Patch Update - January 2007
http://xforce.iss.net/xforce/xfdb/31541
30 CVE, 50+ Oracle

So when comparing numbers, you have 2 X-Force entries that equate to 48 
CVE entries that equate to *more than 80* unique and distinct 
vulnerabilities according to Oracle.

I'm not a math or stat guy, but I have a feeling that this could 
seriously skew the statistics above, especially when you consider that 
Microsoft and Apple both have a more distinct breakdown and separation 
in the X-Force database.

Anyone from IBM/ISS care to clarify? Lisa, did you have more extensive 
notes on this aspect that didn't make it in the article perhaps?

security curmudgeon
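The skew jericho describes is a question of counting granularity: the same Oracle Critical Patch Update is one X-Force database entry, a few dozen CVE identifiers, or more than that many issues by Oracle's own count, while Microsoft and Apple issues tend to land one per entry. The script below is an added illustration and is not part of the post, the eWEEK article or the X-Force report. It takes the two Oracle entry sizes quoted in the post (18 CVEs / 30+ Oracle issues and 30 CVEs / 50+ Oracle issues, using the lower bounds) and surrounds them with constructed, hypothetical records for Microsoft, Apple and an "Other" bucket, then recomputes each vendor's share under the three units of counting. The record counts for the non-Oracle vendors are assumptions chosen only to show the effect on the ranking.

```python
"""Added example: how the unit of counting changes a vendor's share of
"disclosed vulnerabilities".  Only the two Oracle entry sizes come from
the post; every other record here is constructed for illustration."""
from collections import defaultdict

UNITS = ("entries", "cves", "vendor_issues")

# One dict per database entry: the vendor, how many CVE IDs the entry
# rolls up, and how many distinct issues the vendor's own advisory lists.
# The Oracle rows use the figures quoted in the post (lower bounds for
# the "30+" and "50+" vendor counts).  Microsoft, Apple and "Other" rows
# are hypothetical one-issue-per-entry records.
SAMPLE_ENTRIES = (
    [{"vendor": "Oracle", "cves": 18, "vendor_issues": 30},   # July 2007 CPU
     {"vendor": "Oracle", "cves": 30, "vendor_issues": 50}]   # January 2007 CPU
    + [{"vendor": "Microsoft", "cves": 1, "vendor_issues": 1} for _ in range(40)]
    + [{"vendor": "Apple", "cves": 1, "vendor_issues": 1} for _ in range(30)]
    + [{"vendor": "Other", "cves": 1, "vendor_issues": 1} for _ in range(900)]
)


def count_by_vendor(entries, unit):
    """Total per vendor, counting database entries, CVE IDs, or the
    vendor's own issue count depending on `unit`."""
    if unit not in UNITS:
        raise ValueError("unit must be one of %s" % (UNITS,))
    totals = defaultdict(int)
    for entry in entries:
        totals[entry["vendor"]] += 1 if unit == "entries" else entry[unit]
    return dict(totals)


def vendor_shares(entries, unit):
    """Map vendor -> (count, percent of the grand total) for one unit."""
    counts = count_by_vendor(entries, unit)
    grand_total = sum(counts.values())
    return {
        vendor: (n, round(100.0 * n / grand_total, 1))
        for vendor, n in counts.items()
    }


def ranking(entries, unit):
    """Vendors ordered by descending count under the chosen unit."""
    shares = vendor_shares(entries, unit)
    return sorted(shares, key=lambda v: shares[v][0], reverse=True)


def compare_units(entries, vendor):
    """Return {unit: (count, percent, rank)} for one vendor so the three
    ways of counting can be read side by side."""
    out = {}
    for unit in UNITS:
        count, pct = vendor_shares(entries, unit)[vendor]
        out[unit] = (count, pct, ranking(entries, unit).index(vendor) + 1)
    return out


if __name__ == "__main__":
    for vendor in ("Microsoft", "Apple", "Oracle"):
        print(vendor)
        for unit, (count, pct, rank) in compare_units(SAMPLE_ENTRIES, vendor).items():
            print("  %-14s count=%4d  share=%5.1f%%  rank=%d" % (unit, count, pct, rank))
```

With these constructed inputs Oracle sits fourth by database entries (2 of 972, 0.2 percent) but second by CVE count (48 of 1,018, 4.7 percent) and still higher by Oracle's own issue count (80 of 1,050, 7.6 percent), while Microsoft and Apple barely move because each of their rows is one issue. Whether the real X-Force percentages move this much depends on how many rolled-up entries the database holds, which is exactly what the post asks IBM/ISS to clarify.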





This archive was generated by hypermail 2.1.3 : Tue Sep 18 2007 - 23:19:26 PDT