From: InfoSec News (alerts (at) infosecnews.org)
Date: Thu Jul 09 2009 - 08:06:49 CDT
Forwarded from: security curmudgeon <jericho (at) attrition.org>
To: InfoSec News
Cc: johnd (at) techworld.com
Subject: Re: [ISN] Majority of vulnerabilities now being exploited
: http://www.techworld.com/security/news/index.cfm?newsID=118749
:
: By John E. Dunn
: Techworld
: 07 July 2009
:
: The number of exploits being written to target specific software
: vulnerabilities could be at all-time highs, new threat figures have
: suggested.
:
: Fortinet's Threatscape report for June, which actually covers the
: period between 21 May and 20 June, reveals that of the 108 new
: vulnerabilities added to its firewall intrusion detection system in
: the period, 62 were being actively exploited.

I love vulnerability stats! When you don't qualify what a 'new
vulnerability' entails in the context above, it makes you wonder about the
product's effectiveness given that OSVDB.org cataloged over 700
vulnerabilities in that same time frame.

Clicking around the Fortinet page, you find the 'changelog' showing the
vulnerabilities added:
http://www.fortiguardcenter.com/intrusionprevention/serviceUpdateHistory.html
They hand pick the highest profile vulnerabilities to write signatures
for (to be expected), and the ones most likely to be targeted by
attackers due to the heavier distribution and potential for profit. This
is great for their customers, but of course it also skews the statistics
and should be mentioned to better qualify how they reached their
numbers. Picking 108 out of 700 vulnerabilities that are most likely to
be exploited will certainly give you a high 'exploit detected' count.

These numbers are further skewed in either direction in a number of ways,
such as:

- On 02-Jul-2009, they released "Racer.Buffer.Overflow ( high )" that
covers CVE-2007-4370, which was released on 2007-08-13. The odds of
this being exploited compared to the rest on their list are next to
nil.
- On 28-May-2009, they released "HTTP.URI.SQL.Injection ( high )" that
says "This indicates an attempt to exploit an SQL injection
vulnerability through HTTP requests." This may be inclusive to
hundreds of SQLi vulnerabilities that are exploited and map to
hundreds of CVE entries.
: This is equivalent to a 57.4 percent exploit rate, a rise over previous
And breaking down percentages to a decimal point with the lack of
abstraction and detail means what? Fluff, not statistics.
My kingdom for meaningful statistics or a journalist who will dig a
little deeper.
- security curmudgeon