From: InfoSec News <alerts (at) infosecnews.org>
Date: Thu Jul 09 2009 - 08:09:15 CDT
Forwarded from: John E. Dunn <johnd (at) techworld.com>
To: 'security curmudgeon' <jericho (at) attrition.org>,
'InfoSec News'
Subject: RE: [ISN] Majority of vulnerabilities now being exploited
The points you raise are valid and statistics can be highly misleading.
But delving deep into the complexity of this doesn't necessarily lead
you to the correct conclusion either.
And are you saying that the evidence does not support the conclusion or
that the conclusion is flat wrong?
That Fortinet have 'hand picked' the vulnerabilities does not invalidate
the fact that while more vulnerabilities are being uncovered, an
expanding subset of these are having exploits written for them. This
shows across all vendor stats.
The weakness of Fortinet's stats is that they are only one company's
snapshot on vulnerabilities, and therefore inferring from such data is
dubious. A more interesting stat that we cannot second-guess is how many
of these vulnerabilities lead to real compromises.
Best regards,
JD
-----Original Message-----
From: security curmudgeon [mailto:jericho (at) attrition.org]
Sent: 08 July 2009 10:07
To: InfoSec News
Cc: johnd (at) techworld.com
Subject: Re: [ISN] Majority of vulnerabilities now being exploited
: http://www.techworld.com/security/news/index.cfm?newsID=118749
:
: By John E. Dunn
: Techworld
: 07 July 2009
:
: The number of exploits being written to target specific software
: vulnerabilities could be at all-time highs, new threat figures have
: suggested.
:
: Fortinet's Threatscape report for June, which actually covers the
: period between 21 May and 20 June, reveals that of the 108 new
: vulnerabilities added to its firewall intrusion detection system in
: the period, 62 were being actively exploited.
I love vulnerability stats! When you don't qualify what a 'new
vulnerability' entails in the context above, it makes you wonder about the
product's effectiveness given that OSVDB.org cataloged over 700
vulnerabilities in that same time frame.
Clicking around the Fortinet page, you find the 'changelog' showing the
vulnerabilities added:
http://www.fortiguardcenter.com/intrusionprevention/serviceUpdateHistory.html
They hand pick the highest profile vulnerabilities to write signatures
for (to be expected), and the ones most likely to be targeted by
attackers due to the heavier distribution and potential for profit. This
is great for their customers, but of course it also skews the statistics
and should be mentioned to better qualify how they reached their
numbers. Picking 108 out of 700 vulnerabilities that are most likely to
be exploited will certainly give you a high 'exploit detected' count.
These numbers are further skewed in either direction a number of ways
such as:
- On 02-Jul-2009, they released "Racer.Buffer.Overflow ( high )" that
covers CVE-2007-4370, which was released on 2007-08-13. The odds of
this being exploited compared to the rest on their list are next to
nil.
- On 28-May-2009, they released "HTTP.URI.SQL.Injection ( high )" that
says "This indicates an attempt to exploit an SQL injection
vulnerability through HTTP requests." This may be inclusive to
hundreds of SQLi vulnerabilities that are exploited and map to
hundreds of CVE entries.
: This is equivalent to a 57.4 percent exploit rate, a rise over previous
And breaking down percentages to a decimal point with the lack of
abstraction and detail means what? Fluff, not statistics.
My kingdom for meaningful statistics or a journalist who will dig a
little deeper.
- security curmudgeon