Forwarded from: John E. Dunn <johnd (at) techworld.com>
To: 'security curmudgeon' <jericho (at) attrition.org>, 'InfoSec News'
Subject: RE: [ISN] Majority of vulnerabilities now being exploited

The points you raise are valid and statistics can be highly misleading. But delving deep into the complexity of this doesn't necessarily lead you to the correct conclusion either. And are you saying that the evidence does not support the conclusion or that the conclusion is flat wrong?

That Fortinet have 'hand picked' the vulnerabilities does not invalidate the fact that while more vulnerabilities are being uncovered, an expanding subset of these are having exploits written for them. This shows across all vendor stats.

The weakness of Fortinet's stats is that they are only one company's snapshot on vulnerabilities, and therefore inferring from such data is dubious. A more interesting stat that we cannot second-guess is how many of these vulnerabilities lead to real compromises.

Best regards,

JD

-----Original Message-----
From: security curmudgeon [mailto:jericho (at) attrition.org]
Sent: 08 July 2009 10:07
To: InfoSec News
Cc: johnd (at) techworld.com
Subject: Re: [ISN] Majority of vulnerabilities now being exploited

: http://www.techworld.com/security/news/index.cfm?newsID=118749
:
: By John E. Dunn
: Techworld
: 07 July 2009
:
: The number of exploits being written to target specific software
: vulnerabilities could be at all-time highs, new threat figures have
: suggested.
:
: Fortinet's Threatscape report for June, which actually covers the
: period between 21 May and 20 June, reveals that of the 108 new
: vulnerabilities added to its firewall intrusion detection system in
: the period, 62 were being actively exploited.

I love vulnerability stats!

When you don't qualify what a 'new vulnerability' entails in the context above, it makes you wonder about the product's effectiveness given that OSVDB.org cataloged over 700 vulnerabilities in that same time frame.
Clicking around the Fortinet page, you find the 'changelog' showing the vulnerabilities added:

http://www.fortiguardcenter.com/intrusionprevention/serviceUpdateHistory.html

They hand pick the highest profile vulnerabilities to write signatures for (to be expected), and the ones most likely to be targeted by attackers due to the heavier distribution and potential for profit. This is great for their customers, but of course it also skews the statistics and should be mentioned to better qualify how they reached their numbers. Picking 108 out of 700 vulnerabilities that are most likely to be exploited will certainly give you a high 'exploit detected' count.

These numbers are further skewed in either direction a number of ways such as:

- On 02-Jul-2009, they released "Racer.Buffer.Overflow ( high )" that covers CVE-2007-4370, which was released on 2007-08-13. The odds of this being exploited compared to the rest on their list are next to nil.

- On 28-May-2009, they released "HTTP.URI.SQL.Injection ( high )" that says "This indicates an attempt to exploit an SQL injection vulnerability through HTTP requests." This may be inclusive of hundreds of SQLi vulnerabilities that are exploited and map to hundreds of CVE entries.

: This is equivalent to a 57.4 percent exploit rate, a rise over previous

And breaking down percentages to a decimal point with the lack of abstraction and detail means what? Fluff, not statistics.

My kingdom for meaningful statistics or a journalist who will dig a little deeper.

- security curmudgeon

Received on Thu Jul 09 2009 - 06:09:15 PDT
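The denominator problem argued over in the thread, as an added worked example (written for this page; it is not code from either correspondent, from Fortinet, or from OSVDB). It parses a changelog in the shape of the FortiGuard update history the mail links to and computes the same "exploit rate" three ways: per signature (what the report did), per distinct CVE the signatures cover (which exposes a one-to-many signature like the generic SQL injection rule), and against the full month's vulnerability count (the 700 figure from the mail). It also computes the lag between a CVE's publication and the signature that covers it. The changelog lines, the CVE-0000-* identifiers and their publication dates are constructed placeholders; only the Racer.Buffer.Overflow entry, CVE-2007-4370, its 2007-08-13 date, and the 62/108/700 figures come from the mail.

```python
"""Exploit-rate arithmetic under different denominators.

Added example for this archived thread; not vendor code. All changelog
entries except the Racer one are constructed, and CVE-0000-* ids are
placeholders, not real CVE identifiers.
"""
import re
from collections import namedtuple
from datetime import datetime

Signature = namedtuple("Signature", "date name severity cves exploited")

# Constructed sample in the shape of an IPS update history. One signature
# may cover many CVEs (the generic SQLi rule) or one very old CVE (Racer).
SAMPLE_CHANGELOG = """\
28-May-2009 | HTTP.URI.SQL.Injection ( high ) | CVE-0000-0001,CVE-0000-0002,CVE-0000-0003 | exploited
10-Jun-2009 | Example.PDF.Reader.Overflow ( critical ) | CVE-0000-0004 | exploited
15-Jun-2009 | Example.Admin.Auth.Bypass ( medium ) | CVE-0000-0005 | not-exploited
02-Jul-2009 | Racer.Buffer.Overflow ( high ) | CVE-2007-4370 | not-exploited
"""

# Assumed publication dates for the placeholder ids; the Racer date is the
# one quoted in the mail.
CVE_PUBLISHED = {
    "CVE-0000-0001": "2009-05-25",
    "CVE-0000-0002": "2009-05-26",
    "CVE-0000-0003": "2009-05-20",
    "CVE-0000-0004": "2009-06-08",
    "CVE-0000-0005": "2009-06-12",
    "CVE-2007-4370": "2007-08-13",
}

# date | Name ( severity ) | cve,cve,... | exploited|not-exploited
LINE_RE = re.compile(
    r"^(\S+)\s*\|\s*(.+?)\s*\(\s*(\w+)\s*\)\s*\|\s*([^|]+)\|\s*(\S+)$"
)


def parse_changelog(text):
    """Turn the pipe-separated sample into Signature records."""
    sigs = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        m = LINE_RE.match(raw)
        if not m:
            raise ValueError("unparseable changelog line: %r" % raw)
        date, name, severity, cves, flag = m.groups()
        sigs.append(Signature(
            date=datetime.strptime(date, "%d-%b-%Y").date(),
            name=name,
            severity=severity,
            cves=tuple(c.strip() for c in cves.split(",") if c.strip()),
            exploited=(flag == "exploited"),
        ))
    return sigs


def pct(numerator, denominator):
    """Percentage rounded to one decimal, as in the article's 57.4."""
    return round(100.0 * numerator / denominator, 1)


def exploit_rates(sigs, catalog_total):
    """The same exploited set divided by three different denominators.

    catalog_total is the number of vulnerabilities published in the same
    window by an independent catalog (the mail cites over 700 on OSVDB).
    """
    exploited_sigs = [s for s in sigs if s.exploited]
    all_cves = {c for s in sigs for c in s.cves}
    exploited_cves = {c for s in exploited_sigs for c in s.cves}
    return {
        "per_signature": pct(len(exploited_sigs), len(sigs)),
        "per_cve_covered": pct(len(exploited_cves), len(all_cves)),
        "per_cve_catalog": pct(len(exploited_cves), catalog_total),
    }


def signature_lag_days(sigs, published=CVE_PUBLISHED):
    """Days from CVE publication to the signature that covers it, keyed by
    (signature name, CVE id). Large values flag stale additions."""
    lag = {}
    for s in sigs:
        for c in s.cves:
            pub = datetime.strptime(published[c], "%Y-%m-%d").date()
            lag[(s.name, c)] = (s.date - pub).days
    return lag


if __name__ == "__main__":
    sigs = parse_changelog(SAMPLE_CHANGELOG)
    print(exploit_rates(sigs, catalog_total=700))
    print("article figure:", pct(62, 108), "vs catalog denominator:", pct(62, 700))
    for key, days in sorted(signature_lag_days(sigs).items(), key=lambda kv: -kv[1]):
        print("%-28s %-14s %5d days after publication" % (key[0], key[1], days))
```

Running it shows the point both correspondents circle around: the per-signature figure is the highest of the three because the vendor chose the denominator, the per-CVE figure moves as soon as one generic signature covers several CVEs, and dividing the same 62 by the month's full catalog count gives a number an order of magnitude smaller. The lag column makes the Racer case visible as a signature arriving almost two years after the CVE.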