From: InfoSec News (alerts at infosecnews.org)
Date: Wed Sep 19 2007 - 01:05:45 CDT
Forwarded from: security curmudgeon <jericho (at) attrition.org>
: http://www.eweek.com/article2/0,1895,2184206,00.asp
: By Lisa Vaas
: September 17, 2007
:
: New IBM research shows that five vendors are responsible for 12.6
: percent of all disclosed vulnerabilities.
: IBM Internet Security Systems' X-Force R&D team released its 2007
: report on cyber attacks on Sept. 17, revealing that the top five
: vulnerable vendors accounted for 12.6 percent of all disclosed
: vulnerabilities in the first half of the year, or 411 of 3,272
: vulnerabilities disclosed.
:
: Here's the order in which the top 10 vendors stacked up, by percentage
: of vulnerabilities publicly disclosed in the first half of the year:
:
: Microsoft, 4.2 percent
: Apple, 3 percent
: Oracle, 2 percent
[..]
: The vast majority, 90 percent, of the 3,273 vulnerabilities reported in
: the first half of the year can be exploited remotely. And more than
: half, 51.6 percent, of the vulnerabilities found would give an attacker
: access to the host after exploitation.
:
: In other findings, one surprise was that for the first time ever,
: there's been an actual decrease in the number of vulnerabilities
: reported. The total of 3,273 vulnerabilities found represents a 3.3
: percent decrease over the first half of 2006.
:
: X-Force Director Kris Lamb told eWEEK that there are a few things at
: play that likely have contributed to the decrease. One factor is that
: nowadays researchers have at their disposal much more polished
: bug-finding techniques. One such technique is fuzzing: the use of
: automatic tools to find vulnerabilities.
One other factor, that Lisa Vaas apparently didn't ask about, is how ISS
X-Force catalogs vulnerabilities, and if their method and standards
could impact these numbers at all. Take for example, two X-Force
vulnerability database entries:
Oracle Critical Patch Update - July 2007
http://xforce.iss.net/xforce/xfdb/35490
18 CVE, 30+ Oracle
Oracle Critical Patch Update - January 2007
http://xforce.iss.net/xforce/xfdb/31541
30 CVE, 50+ Oracle
So when comparing numbers, you have 2 X-Force entries that equate to 48
CVE entries that equate to *more than 80* unique and distinct
vulnerabilities according to Oracle.
I'm not a math or stat guy, but I have a feeling that this could
seriously skew the statistics above, especially when you consider that
Microsoft and Apple both have a more distinct breakdown and separation
in the X-Force database.
Anyone from IBM/ISS care to clarify? Lisa, did you have more extensive
notes on this aspect that didn't make it in the article perhaps?
security curmudgeon
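The recount the post is asking for, worked through as an added example (this is not code from the X-Force report, eWEEK, or the poster). The only numbers taken from the message above are the 3,272 total entries, the Microsoft/Apple/Oracle shares by entry, and the two Oracle CPU entries (18 CVE covering 30+ Oracle issues, 30 CVE covering 50+). Everything else is an assumption and is labelled as such in the code: "30+" and "50+" are treated as exactly 30 and 50, and every other database entry is assumed to map to exactly one CVE and one vendor-reported issue. The point it shows is that the vendor ranking depends on the counting unit, not just on the data.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Entry:
    """One X-Force database entry and how many items it aggregates
    under each counting unit."""
    vendor: str
    cves: int           # CVE IDs the entry covers
    vendor_issues: int  # distinct issues according to the vendor's own advisory


def build_dataset():
    """Constructed dataset (not real X-Force data).

    From the post: 3,272 entries total; Microsoft 4.2%, Apple 3%, Oracle 2%
    by entry; Oracle CPU July 2007 = 18 CVE / 30+ issues (xfdb 35490);
    Oracle CPU January 2007 = 30 CVE / 50+ issues (xfdb 31541).
    ASSUMPTION: '30+' and '50+' are taken as 30 and 50 (a lower bound).
    ASSUMPTION: every other entry is one CVE and one vendor issue.
    """
    total = 3272
    per_vendor = {"Microsoft": 137, "Apple": 98, "Oracle": 65}  # ~4.2%, ~3%, ~2%
    per_vendor["Other"] = total - sum(per_vendor.values())

    entries = []
    for vendor, n in per_vendor.items():
        plain = n - 2 if vendor == "Oracle" else n  # two Oracle slots are the CPUs
        entries.extend(Entry(vendor, 1, 1) for _ in range(plain))
    entries.append(Entry("Oracle", 18, 30))  # July 2007 CPU, as quoted above
    entries.append(Entry("Oracle", 30, 50))  # January 2007 CPU, as quoted above
    return entries


# Counting units: weight each entry by 1, by its CVE count, or by the
# vendor's own issue count.
UNITS = {
    "entries": lambda e: 1,
    "cves": lambda e: e.cves,
    "vendor_issues": lambda e: e.vendor_issues,
}


def count_by(entries, unit):
    """Per-vendor totals under the given counting unit."""
    weigh = UNITS[unit]
    counts = defaultdict(int)
    for e in entries:
        counts[e.vendor] += weigh(e)
    return dict(counts)


def share_by(entries, unit):
    """Per-vendor percentage of the grand total under the given unit."""
    counts = count_by(entries, unit)
    total = sum(counts.values())
    return {v: round(100.0 * c / total, 2) for v, c in counts.items()}


def top_vendors(entries, unit):
    """Named vendors ranked by share under the given unit ('Other' excluded)."""
    shares = share_by(entries, unit)
    named = [v for v in shares if v != "Other"]
    return sorted(named, key=shares.get, reverse=True)


if __name__ == "__main__":
    data = build_dataset()
    for unit in UNITS:
        print(f"{unit:14s} total={sum(count_by(data, unit).values()):5d} "
              f"shares={share_by(data, unit)} rank={top_vendors(data, unit)}")
```

Under these assumptions Oracle moves from about 2% of entries to about 3.4% of CVEs and about 4.3% of vendor-reported issues, which is enough to change the order of the top three. The assumption that non-Oracle entries are 1:1 is the weak spot; the poster's own observation that Microsoft and Apple already have a finer breakdown in the X-Force database is what makes it plausible, and anyone re-running this against real data should replace `build_dataset` with the actual per-entry CVE counts rather than trust the constructed ones.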