IBM has revised some of the findings in its “X-Force 2010 Mid-year Trend and Risk Report” after complaints that its vulnerability tallies were inaccurate.
“After we released our trend report…we received feedback from two software vendors regarding the severity and remedy information for some of the vulnerabilities behind this chart,” Tom Cross, manager of IBM’s X-Force Advanced Research Team, blogged Aug. 28. “This sort of input is crucial for us – with more input from software vendors about vulnerability information we get greater accuracy in our snapshot of the industry. As a consequence of this feedback, we have manually reassessed the CVSS scoring, remedy information, and vendor information for every vulnerability that impacted the percentages that appear in this chart.”
The latest information drastically altered the rankings of Google and Sun Microsystems (which the report lists separately from Oracle): Sun dropped from the vendor with the most unpatched vulnerabilities to the middle of the pack, and Google, initially reported to have left 33 percent of its critical vulnerabilities unfixed, was found to have patched all of them.
“We learned after investigating that the 33 percent figure referred to a single unpatched vulnerability out of a total of three — and importantly, the one item that was considered unpatched was only mistakenly considered a security vulnerability due to a terminology mix-up,” blogged Adam Mein of Google’s security team. “As a result, the true unpatched rate for these high-risk bugs is 0 out of 2, or 0 percent.”
The initial tallies also listed Sun as having 24 percent of its vulnerabilities unpatched; this was revised to eight percent. Other changes include Mozilla dropping from 21 percent to 17, Apple from 13 to 12, Linux from eight to three, IBM from 10 to nine, and Hewlett-Packard (HP) from seven to four.
The revised list also shows IBM leading in the share of unpatched critical bugs, at 29 percent.
“Every vulnerability page in the database has always included our e-mail address for corrections and additions, and we work constantly to develop and maintain relationships with other software companies to coordinate vulnerability information,” Cross blogged. “Efforts are currently underway within the software industry to develop standards for reporting of vulnerability and remedy information. We believe that those standardization efforts hold the key to making sure that consumers always have the latest information from software vendors about vulnerability disclosures affecting their products.”