Re: [ISN] Majority of vulnerabilities now being exploited

From: InfoSec News <alerts_at_private>
Date: Thu, 9 Jul 2009 08:06:49 -0500 (CDT)
Forwarded from: security curmudgeon <jericho (at) attrition.org>

To: InfoSec News 
Cc: johnd (at) techworld.com
Subject: Re: [ISN] Majority of vulnerabilities now being exploited


: http://www.techworld.com/security/news/index.cfm?newsID=118749
: 
: By John E. Dunn
: Techworld
: 07 July 2009
: 
: The number of exploits being written to target specific software 
: vulnerabilities could be at all-time highs, new threat figures have 
: suggested.
: 
: Fortinet's Threatscape report for June, which actually covers the 
: period between 21 May and 20 June, reveals that of the 108 new 
: vulnerabilities added to its firewall intrusion detection system in 
: the period, 62 were being actively exploited.

I love vulnerability stats! When you don't qualify what a 'new 
vulnerability' entails in the context above, it makes you wonder about 
the product's effectiveness, given that OSVDB.org cataloged over 700 
vulnerabilities in that same time frame.

Clicking around the Fortinet page, you find the 'changelog' showing the 
vulnerabilities added:

http://www.fortiguardcenter.com/intrusionprevention/serviceUpdateHistory.html

They hand pick the highest profile vulnerabilities to write signatures 
for (to be expected), and the ones most likely to be targeted by 
attackers due to the heavier distribution and potential for profit. This 
is great for their customers, but of course it also skews the statistics 
and should be mentioned to better qualify how they reached their 
numbers. Picking 108 out of 700 vulnerabilities that are most likely to 
be exploited will certainly give you a high 'exploit detected' count.

These numbers are further skewed in either direction a number of ways 
such as:

- On 02-Jul-2009, they released "Racer.Buffer.Overflow ( high )" that 
  covers CVE-2007-4370, which was released on 2007-08-13. The odds of 
  this being exploited compared to the rest on their list is next to 
  nil.

- On 28-May-2009, they released "HTTP.URI.SQL.Injection ( high )" that 
  says "This indicates an attempt to exploit an SQL injection 
  vulnerability through HTTP requests." This may be inclusive of 
  hundreds of SQLi vulnerabilities that are exploited and map to 
  hundreds of CVE entries.

: This is equivalent to a 57.4 percent exploit rate, a rise over previous

And breaking down percentages to a decimal point with the lack of 
abstraction and detail means what? Fluff, not statistics.

My kingdom for meaningful statistics or a journalist who will dig a 
little deeper.

- security curmudgeon
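As an added illustration of the denominator problem raised in the post (not code from the post, the list, or Fortinet), the script below computes an "exploit rate" over a small, entirely constructed changelog several different ways. Only the two signature names and CVE-2007-4370 are taken from the post; the CVE-EXAMPLE-* identifiers, the other signature names, the dates, and the exploited flags are made up for the demonstration, and the 700 figure stands in for the OSVDB count the post cites. Counting per signature, per covered CVE, or against everything disclosed in the window gives three very different percentages from the same data, and a generic signature that "covers" many CVEs is counted either once or many times depending on which you choose.

```python
"""Added example: how the denominator and the signature-to-CVE mapping move
an 'exploit rate' of the kind quoted from the Fortinet report.

The changelog below is CONSTRUCTED for illustration. Only the two signature
names and CVE-2007-4370 come from the post; every CVE-EXAMPLE-* id, the other
signature names, all dates and all exploited flags are invented."""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Signature:
    name: str
    released: date          # date the IPS signature shipped
    cves: tuple             # CVE ids the signature is said to cover
    cve_published: tuple    # publication date of each CVE, same order as cves
    exploited: bool         # in-the-wild exploitation observed in the window


# Constructed changelog (not vendor data). The generic SQLi signature is
# credited with five CVEs; the Racer signature covers a two-year-old CVE.
SAMPLE = (
    Signature("Racer.Buffer.Overflow", date(2009, 7, 2),
              ("CVE-2007-4370",), (date(2007, 8, 13),), False),
    Signature("HTTP.URI.SQL.Injection", date(2009, 5, 28),
              tuple(f"CVE-EXAMPLE-SQLI-{i}" for i in range(1, 6)),
              tuple(date(2009, 5, 25) for _ in range(5)), True),
    Signature("Example.Browser.UseAfterFree", date(2009, 6, 3),
              ("CVE-EXAMPLE-A",), (date(2009, 6, 2),), True),
    Signature("Example.PDF.Reader.Overflow", date(2009, 6, 10),
              ("CVE-EXAMPLE-B",), (date(2009, 6, 9),), True),
    Signature("Example.Media.Player.Heap", date(2009, 6, 15),
              ("CVE-EXAMPLE-C",), (date(2009, 6, 14),), False),
)


def _pct(numer, denom):
    """Percentage rounded to one decimal, 0.0 for an empty denominator."""
    return round(100.0 * numer / denom, 1) if denom else 0.0


def exploit_rate_by_signature(sigs):
    """The vendor-style figure: exploited signatures / signatures shipped."""
    return _pct(sum(s.exploited for s in sigs), len(sigs))


def exploit_rate_by_cve(sigs):
    """Same data counted per CVE. A generic signature that 'covers' many CVEs
    drags all of them into the exploited column at once."""
    covered = sum(len(s.cves) for s in sigs)
    exploited = sum(len(s.cves) for s in sigs if s.exploited)
    return _pct(exploited, covered)


def exploit_rate_vs_disclosed(sigs, total_disclosed):
    """Exploited CVEs against everything disclosed in the window, i.e. without
    the vendor's pre-selection of which vulnerabilities get a signature."""
    exploited = sum(len(s.cves) for s in sigs if s.exploited)
    return _pct(exploited, total_disclosed)


def coverage(sigs, total_disclosed):
    """Share of disclosed vulnerabilities the signature set addresses at all."""
    return _pct(sum(len(s.cves) for s in sigs), total_disclosed)


def stale_signatures(sigs, max_age_days=365):
    """Signatures shipped more than max_age_days after every CVE they cover
    was published. These are unlikely to reflect current attacker activity."""
    stale = []
    for s in sigs:
        ages = [(s.released - pub).days for pub in s.cve_published]
        if ages and min(ages) > max_age_days:
            stale.append(s.name)
    return stale


if __name__ == "__main__":
    print("per signature   :", exploit_rate_by_signature(SAMPLE), "%")
    print("per covered CVE :", exploit_rate_by_cve(SAMPLE), "%")
    print("vs 700 disclosed:", exploit_rate_vs_disclosed(SAMPLE, 700), "%")
    print("coverage        :", coverage(SAMPLE, 700), "%")
    print("stale signatures:", stale_signatures(SAMPLE))
```

On the constructed data the per-signature rate is 60.0%, the per-CVE rate 77.8%, and the rate against all 700 disclosed vulnerabilities 1.0%, with the signature set covering 1.3% of what was disclosed; the Racer signature is flagged as stale because its CVE was published 689 days before the signature shipped. Any report quoting a single percentage should say which of these it is.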

