Its Vulnerability Storm Season

By Larry Seltzer  |  Posted 2006-10-19 Print this article Print

Opinion: The number of vulnerabilities disclosed is already overwhelming, and all indications are that it will keep growing.

Does it seem to you as if there are more and more vulnerabilities being disclosed lately? Youre right, there are. Jeff Jones, a strategy director in the Microsoft Security Technology Unit ("the team trying to make all Microsoft products more secure," according to Jones), wrote a blog entry recently about data he tracks on vulnerability disclosures.

This is data about a lot more than Microsoft products. The two sources he uses, Mitre and NIST, are independent and collect vulnerability information on a wide variety of products.

Already, through September, there have been more disclosures in 2006 than in all of 2005. The increases have been steady and huge since about 2003. There was actually a sharp decline from 2002 to 2003—Jones doesnt get into this figure, but Im curious what caused it.

eWEEK thinks that ZERT, the Zeroday Emergency Response Team, is doing a job that needs to be done. Click here to read more. Back to now, I agree with one of Jones conclusions: that the trends are indicative more of improvements in vulnerability research and testing rather than that products are somehow more vulnerable than they were in the past. Subject todays tools to Mac OS 9 and Windows NT 4, and those OSes would come out looking truly awful (which they were, even though they were good products by the standards of the day).

The emergence of fuzzing tools and a for-profit white hat vulnerability research business has created an explosion in the number of vulnerabilities discovered and revealed. The other major source of growth in vulnerability research is the number found in applications.

Consider the huge patch release by Oracle just this week, addressing more than 100 vulnerabilities in a variety of products. See Figure 6 in Jones blog: Application vulnerabilities, in raw numbers, dwarf OS flaws.

In fact, these application flaws can be some of the scariest. A number of very serious PHP flaws several months ago resulted in high-level server compromises. Users are perhaps not as attuned to updates in applications or as likely to take them seriously. If you subscribe to a high-quality research feed (Im a big fan of Symantecs DeepSight Threat Management System), you see several of these flaws fly by every day.

Microsofts move to update Office and other products through the Microsoft Update facility should, in the long term, mitigate their end of this problem. Note that the last few months have also witnessed a crime spree of Office zero-day vulnerabilities and exploits, with vague stories of them being used for targeted attacks.

Jones numbers also show that the number of noncritical vulnerabilities is growing as a percentage of the total. This too makes sense as a result of the improvements in tools. Manual vulnerability researchers arent going to spend as much time looking into low-severity issues, but a fuzzer doesnt mind working all night.

Im convinced were still in the early stages of development of tools for research and remediation of vulnerabilities, so Id expect these trends to continue, including the one that shows growth of vulnerabilities in Mac OS and Linux outpacing that of Windows.

But exploiters have their own tools. If we dont improve ours better than they do, were all in trouble.

Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983. Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at Security Center Editor Larry Seltzers Weblog. More from Larry Seltzer
Larry Seltzer has been writing software for and English about computers ever since—,much to his own amazement—,he graduated from the University of Pennsylvania in 1983.

He was one of the authors of NPL and NPL-R, fourth-generation languages for microcomputers by the now-defunct DeskTop Software Corporation. (Larry is sad to find absolutely no hits on any of these +products on Google.) His work at Desktop Software included programming the UCSD p-System, a virtual machine-based operating system with portable binaries that pre-dated Java by more than 10 years.

For several years, he wrote corporate software for Mathematica Policy Research (they're still in business!) and Chase Econometrics (not so lucky) before being forcibly thrown into the consulting market. He bummed around the Philadelphia consulting and contract-programming scenes for a year or two before taking a job at NSTL (National Software Testing Labs) developing product tests and managing contract testing for the computer industry, governments and publication.

In 1991 Larry moved to Massachusetts to become Technical Director of PC Week Labs (now eWeek Labs). He moved within Ziff Davis to New York in 1994 to run testing at Windows Sources. In 1995, he became Technical Director for Internet product testing at PC Magazine and stayed there till 1998.

Since then, he has been writing for numerous other publications, including Fortune Small Business, Windows 2000 Magazine (now Windows and .NET Magazine), ZDNet and Sam Whitmore's Media Survey.

Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel