RE: [ISN] Majority of vulnerabilities now being exploited

From: InfoSec News <alerts_at_private>
Date: Thu, 9 Jul 2009 08:09:15 -0500 (CDT)
Forwarded from: John E. Dunn <johnd (at) techworld.com>

To: 'security curmudgeon' <jericho (at) attrition.org>,
    'InfoSec News'
Subject: RE: [ISN] Majority of vulnerabilities now being exploited

The points you raise are valid and statistics can be highly misleading. 
But delving deep into the complexity of this doesn't necessarily lead 
you to the correct conclusion either.

And are you saying that the evidence does not support the conclusion or 
that the conclusion is flat wrong?

That Fortinet have 'hand picked' the vulnerabilities does not invalidate 
the fact that while more vulnerabilities are being uncovered, an 
expanding subset of these are having exploits written for them. This 
shows across all vendor stats.

The weakness of Fortinet's stats is that they are only one company's 
snapshot on vulnerabilities, and therefore inferring from such data is 
dubious. A more interesting stat that we cannot second-guess is how many 
of these vulnerabilities lead to real compromises.

Best regards,

JD

-----Original Message-----
From: security curmudgeon [mailto:jericho (at) attrition.org] 
Sent: 08 July 2009 10:07
To: InfoSec News
Cc: johnd (at) techworld.com
Subject: Re: [ISN] Majority of vulnerabilities now being exploited


: http://www.techworld.com/security/news/index.cfm?newsID=118749
: 
: By John E. Dunn
: Techworld
: 07 July 2009
: 
: The number of exploits being written to target specific software 
: vulnerabilities could be at all-time highs, new threat figures have 
: suggested.
: 
: Fortinet's Threatscape report for June, which actually covers the 
: period between 21 May and 20 June, reveals that of the 108 new 
: vulnerabilities added to its firewall intrusion detection system in 
: the period, 62 were being actively exploited.

I love vulnerability stats! When you don't qualify what a 'new 
vulnerability' entails in the context above, it makes you wonder about the 
product's effectiveness given that OSVDB.org cataloged over 700 
vulnerabilities in that same time frame.

Clicking around the Fortinet page, you find the 'changelog' showing the 
vulnerabilities added:

http://www.fortiguardcenter.com/intrusionprevention/serviceUpdateHistory.html

They hand pick the highest profile vulnerabilities to write signatures 
for (to be expected), and the ones most likely to be targeted by 
attackers due to the heavier distribution and potential for profit. This 
is great for their customers, but of course it also skews the statistics 
and should be mentioned to better qualify how they reached their 
numbers. Picking 108 out of 700 vulnerabilities that are most likely to 
be exploited will certainly give you a high 'exploit detected' count.

These numbers are further skewed in either direction a number of ways 
such as:

- On 02-Jul-2009, they released "Racer.Buffer.Overflow ( high )" that 
  covers CVE-2007-4370, which was released on 2007-08-13. The odds of 
  this being exploited compared to the rest on their list is next to 
  nil.

- On 28-May-2009, they released "HTTP.URI.SQL.Injection ( high )" that 
  says "This indicates an attempt to exploit an SQL injection 
  vulnerability through HTTP requests." This may be inclusive to 
  hundreds of SQLi vulnerabilities that are exploited and map to 
  hundreds of CVE entries.

: This is equivalent to a 57.4 percent exploit rate, a rise over previous

And breaking down percentages to a decimal point with the lack of 
abstraction and detail means what? Fluff, not statistics.

My kingdom for meaningful statistics or a journalist who will dig a 
little deeper.

- security curmudgeon
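The measurement problem the thread argues over (which denominator an "exploit rate" is computed against, and whether a generic signature that covers many CVEs is counted once or once per CVE) is easy to make concrete. The script below is an added illustration, not part of the mailing-list thread and not code from Fortinet, OSVDB or Techworld; the catalog, CVE placeholders, signature names and dates are constructed sample data. It computes the same "exploited / total" figure four ways over one catalog so the spread between them is visible.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta
from typing import Iterable, Optional


@dataclass(frozen=True)
class Vuln:
    cve: str                   # identifier (placeholder values below, not real CVEs)
    disclosed: date            # public disclosure date
    signature: Optional[str]   # IPS signature covering it, or None if uncovered
    exploited: bool            # exploitation observed inside the reporting window


# Constructed sample catalog for illustration only; not Fortinet, OSVDB or NVD data.
# Mirrors the two distortions raised in the thread: one generic signature that
# covers several CVEs, and one signature for a vulnerability disclosed years ago.
WINDOW_START = date(2009, 5, 21)
WINDOW_END = date(2009, 6, 20)
CATALOG = [
    Vuln("CVE-EXAMPLE-01", date(2009, 6, 2),  "HTTP.URI.SQL.Injection", True),
    Vuln("CVE-EXAMPLE-02", date(2009, 6, 5),  "HTTP.URI.SQL.Injection", True),
    Vuln("CVE-EXAMPLE-03", date(2009, 6, 9),  "HTTP.URI.SQL.Injection", False),
    Vuln("CVE-EXAMPLE-04", date(2007, 8, 13), "Racer.Buffer.Overflow", False),
    Vuln("CVE-EXAMPLE-05", date(2009, 5, 25), "Browser.Heap.Corruption", True),
    Vuln("CVE-EXAMPLE-06", date(2009, 6, 1),  None, True),
    Vuln("CVE-EXAMPLE-07", date(2009, 6, 3),  None, False),
    Vuln("CVE-EXAMPLE-08", date(2009, 6, 10), None, False),
    Vuln("CVE-EXAMPLE-09", date(2009, 6, 12), None, False),
    Vuln("CVE-EXAMPLE-10", date(2009, 6, 15), None, False),
]


def rate(exploited: int, total: int) -> float:
    """Percentage to one decimal; 0.0 rather than a ZeroDivisionError on an empty set."""
    return round(100.0 * exploited / total, 1) if total else 0.0


def cve_level_rate(vulns: Iterable[Vuln]) -> tuple[int, int, float]:
    """Count every CVE separately: (exploited, total, percent)."""
    vulns = list(vulns)
    hit = sum(1 for v in vulns if v.exploited)
    return hit, len(vulns), rate(hit, len(vulns))


def signature_level_rate(vulns: Iterable[Vuln]) -> tuple[int, int, float]:
    """Count per signature: a generic signature covering many CVEs is one
    entry, and it counts as exploited if any CVE under it was."""
    by_sig: dict[str, bool] = {}
    for v in vulns:
        if v.signature is None:
            continue
        by_sig[v.signature] = by_sig.get(v.signature, False) or v.exploited
    hit = sum(1 for seen in by_sig.values() if seen)
    return hit, len(by_sig), rate(hit, len(by_sig))


def covered(vulns: Iterable[Vuln]) -> list[Vuln]:
    """Only the vulnerabilities the vendor chose to write a signature for."""
    return [v for v in vulns if v.signature is not None]


def recent(vulns: Iterable[Vuln], max_age_days: int = 365) -> list[Vuln]:
    """Drop entries disclosed more than max_age_days before the window closed."""
    cutoff = WINDOW_END - timedelta(days=max_age_days)
    return [v for v in vulns if v.disclosed >= cutoff]


def summary(vulns: list[Vuln] = CATALOG) -> dict[str, float]:
    """The same 'exploit rate' under four different denominators."""
    return {
        "signature_level": signature_level_rate(vulns)[2],
        "cve_level_covered": cve_level_rate(covered(vulns))[2],
        "cve_level_covered_recent": cve_level_rate(recent(covered(vulns)))[2],
        "cve_level_all": cve_level_rate(vulns)[2],
    }


if __name__ == "__main__":
    for label, pct in summary().items():
        print(f"{label:26s} {pct:5.1f}%")
```

On this sample the figure ranges from 40.0% (every catalogued CVE) to 75.0% (signature-covered, year-old entries dropped) without a single underlying fact changing, which is why a report should state which population it divided by before quoting a rate to one decimal place.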


Received on Thu Jul 09 2009 - 06:09:15 PDT

This archive was generated by hypermail 2.2.0 : Thu Jul 09 2009 - 06:28:55 PDT