Network Security & Hardware - eWeek


Is the Smart Grid a Dumb Idea?
Surgical Adhesive Offers Smarter Way to Mend Bones
Get Smarter Technology on Your Mobile!
  Network Security & Hardware


Report: MS, Apple, Oracle Are Top Vulnerable Vendors



 By: Lisa Vaas
2007-09-17
Article Rating:starstarstarstarstar / 0


There are 0 user comments on this Network Security & Hardware story.


Rate This Article:
Poor Best
New IBM research shows that five vendors are responsible for 12.6 percent of all disclosed vulnerabilities.

Not surprising: In the first half of 2007, Microsoft was the top vendor when it came to publicly disclosed vulnerabilities. Likely surprising to some: Apple got second place.

IBM Internet Security Systems X-Force R&D team released its 2007 report on cyber attacks on Sept. 17, revealing that the top five vulnerable vendors accounted for 12.6 of all disclosed vulnerabilities in the first half of the year—or 411 of 3,272 vulnerabilities disclosed.

Heres the order in which the top 10 vendors stacked up, by percentage of vulnerabilities publicly disclosed in the first half of the year:

Microsoft, 4.2 percent
Apple, 3 percent
Oracle, 2 percent
Cisco Systems, 1.9 percent
Sun Microsystems, 1.5 percent
IBM, 1.3 percent
Mozilla, 1.3 percent
XOOPS, 1.2 percent
BEA, 1.1 percent
Linux kernel, 0.9 percent

The report also says that 21 percent of vulnerabilities disclosed by the top 5 vendors remain unpatched—up from a year ago, when only 14 percent of the top vendors vulnerabilities stayed open in the same timeframe.

Resource Library:
While that might seem alarming, its notable that 60 percent of vulnerabilities from all other vendors found in the first half of the year remained unaddressed.

To read about the breach of the U.S. Consulate Web site in Russia, click here.

The vast majority—90 percent—of the 3,273 vulnerabilities reported in the first half of the year can be exploited remotely. And more than half—51.6 percent—of the vulnerabilities found would give an attacker access to the host after exploitation.

In other findings, one surprise was that for the first time ever, theres been an actual decrease in the number of vulnerabilities reported. The total of 3,273 vulnerabilities found represents a 3.3 percent decrease over the first half of 2006.

X-Force Director Kris Lamb told eWEEK that there are a few things at play that likely have contributed to the decrease. One factor is that nowadays researchers have at their disposal much more polished bug-finding techniques. One such technique is fuzzing: the use of automatic tools to find vulnerabilities.

As such tools become more mainstream, Lamb said, we are likely hitting the saturation point as far as finding the low-hanging fruit goes.

"[The functionality of] tools are still being expanded, but they were used in early years to find easier-to-find, medium- and high-[risk] vulnerabilities," he said. "It doesnt mean there arent more bugs to be found, but the bugs out there are harder to find, and they take a more specialized skill set to find."

The decrease in reported vulnerabilities could also be a reflection of the trend to monetize exploits in the underground marketplace—and in the above-ground marketplace as well. The disclosure of bugs could be taking longer since theyre being sold or traded, he suggested, on sites such as Wabisabilabi, an eBay-like bug market launched in July.

"Theres the potential for vulnerabilities to not see the light of day either as quickly as they used to or [at all], as a result," Lamb said.

Where spam and phishing is concerned, X-Force found that the top spam spewers worldwide are the United States, Poland and Russia. Analysis of IBM ISS content filtering services and the millions of e-mail addresses it actively monitors shows that the United States accounts for originating one-eighth of all worldwide spam. Heres how the rest of the world breaks down, spam sender-wise:

United States, 13.2 percent
Poland, 7.1 percent
Russia, 5.9 percent
Germany, 5.9 percent
South Korea, 5.7 percent
China, 5.4 percent
Brazil, 4.5 percent
Italy, 4.0 percent
France, 3.8 percent
Turkey, 3.0 percent

But the map of where spam URLs are hosted looks very different. The United States is still tops in this category—its home to 34.7 percent of the points from which spam URLs are hosted—but the rest of the world breaks down differently, with China moving to its usual position at or near the top of such maps:

United States, 34.7 percent
China, 12.7 percent
South Korea, 5.9 percent
France, 5.3 percent
Hong Kong, 3.6 percent
Canada, 2.9 percent
United Kingdom, 2.6 percent
Russia, 2.6 percent
Hungary, 2.2 percent
Netherlands, 2 percent

The X-Force is also seeing a first-time dip in byte size for spam. This is a trend that reflects the decrease in image-based spam, as senders hop around in an effort to avoid content filters by instead sending spam messages embedded in PDFs, Excel or other file formats, Lamb said.

"Thats very effective, initially, at bypassing a lot of traditional filtering technology," Lamb said.

Check out eWEEK.coms Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEKs Security Watch blog.



  Reader Comments: Report: MS, Apple, Oracle Are Top Vulnerable Vendors
>>> Be the FIRST to comment on this article!
 

 
 
>>> More Network Security & Hardware Articles          >>> More By Lisa Vaas
 


x}is㶲*Qމg5ER%ub[>fI*EBc!)/;~7-efrLb[" F;vv IM˙sל۔\sPç v$5wv]2i* d&@ jہ)}mk4 uB;;#|6S%߽w *s=NN5KԚLÆ|g&$Ʈl dkdp,cw5h{=D@~5[6m(GLŻ?KE!wO׶Cշ8>vP ?UaÙO,}!*{|@J%h1Qu ͟Qadw^x/4;U'i?7Sա*v25vk>6^:6 FȅC׷z$aRv'nwoR 25I2Z@[,HGmfCc`pmׇɩV Tq3c}fݷt{#Էƀ:SSC3MuN_CԿ(ҀK8Q+׌<mLy%Ku}7p@W-}rlNVڒ1Wb{H .Cu&͓Nk&E;~}T364>H ,H!eݴ%g榣V'cTf~X}U9=zQnũl :2X bXP7XaQlA`:g!>QӚ#qRO#Gs>2胎6mb8-" ,70}Hw@zqI $ qx٭mE%H_¤<  FA=H:}m`~5$'@ -s'09wښA"Qފ]ӑ4a vhiqppyY?90»{`ޚꖭ,L<ħܠ{ԁ!~9.Wb&A/t[t}JIIL"D%  h4AGEBENlbo(HXVpD*M'8܉;T+JDV{TKh+K@f:32YIFMf X*ȉ#o"09X ,gZ Xk%Ƽ fj~iڛ-Â%ܺym,@EPC;*6O|sy?&4ğ;nX$}׾  +ZsξS :ˋj|X#<~Kש6n,S˘ \ >eB#`9{M?g[,:rǸ!W.qМwaM_ȣ~|XÈIϤuO'ܑm˹JoBo*څP_.dI_fMblȜu>I!VB17OD)wz@aeXd|re{Rj=""ǰP7oZp(^HIcНj!D)z٧l.?ΖuV"kͲG{_No6ʞy4 mVJ{g@y# lK/,:+c:*K_jiHH*E6@\Z1-c %>!1Ad/a:(OpSo{:!{jA_ܰ탡K*+ G&,mk VhVKtXf&`ܰ &P S~8[0P!k^G'Vv<]|<'}=r=Cۮ!C}'<\VaQSF=4FX\eHЮ#Sq_TҘWF(/9 Ε NjZ`Z>5;Nᗬۉ{10v?\3j y58.(p,4J3%NJt$ ҹD\W4Uud XX `jDa#CP`wV8%+ #mQJkm vV; jSR+f::JnM=G$ X  d44} *zIe/yboY LjB:GdDC+`v*w 6Jh)YS!bW hĞee[ExkC鳰|lsHNP MGF)\,[5^-0;3kZvN'_&ƦF}VD ϓGjZ%5?,09E>|6ŒuKl?`gW`p1\FAPB7lܓۿZuLzRB71PUL xg4sgDcC6VNL&Wm"Z;"ҚVS,K8?IUP3)㦧RQu@VI^Aұg /@C׳@.l̼QXCGRUeH4yH3k 9 =EZЋvc*&jĮOm8o,yJu8e3 S`e3*~g~hKJ]ad|?T\Q=@V:M|ݤ1p Nu4w H/ʧRDuQT[ UrTS+JJgaC.zFpiEBSkɒ8kps!p B0_ \PF.^%l`۴\ASV<^ےCtK37A(6Eǔ[ā0W?,i&i?r/퉚&RA33TlȪVW%uZ]J֟'sfL؞E(GOBeṚo{{kC4÷,;(|ݙCadJH5 ]Uj; 1s4a!`0\߫=bHP?n ]^*~ t9CT`|"@`'d8'l{H 'n+T.n߃B&GWF@"'!M43,`jRU\KFssb~f.^+oS@/I6 \"YUihja{i62A$KOzu=tg|LP{~;Atf =$A`W/5.PЇߤEX-u[;lb4 L@IP 4t=$!&}Ǵ{5ee^;lѳ `y Bz+Gw.w/ėl{g+~u/:R ARdF!u}qU8*DYup|ly\3amF '%L_=80<4+H[3 BXzW' ^t}Xq q6alϝ/ٿ+[Z\f·?B!bNg<؇APC{ z P)'$ n)>cz$VBL0B_XH!)$ze*KCz?$YZgÍ7"lS+2L:1D&rޚSE[B {BAJ;TLA:߄q?IkvYغ[̘pA32%Ibϔ 5m$Mj3fkC@$Ÿ_:JIv(+Hl(dAjSӚmf /.鞿ߺm|<:RpLC2à{: e!>RဏQFh 鳁Vˮu^c'`|x=Na.CLU9 EuX.9Uk۾+ttO$Z؍ڑq eީӊN|mu+ɅNo=!WC1kyR̵j dŽ%Ɣ{@95~@ל)|si9S<3m~`'6"(\q")Xf>VAkv,x\J}[<,'Mw[1{7 A犴.> NA W$ V FP ߼=oqw>P]9Yz$AC~kM}\0n7~{vv6bO07+۝l9niamơ85J~l'Mt6DjEWc{w#9Ȫ̙S.R؉~'g#3^q:-: &꜃%3ތ<яKi^dΠtb]F_TE͐@˶3HWS50bJ[ֹl“0f&x9`N];0-*Yk]ÝS+8),1Zq]+iٟO&4@X8n˲H ,ϘR"1%tڡA$WNJb: <~I u]]%\51C , #! &1-spei}~ !GV%أwgZLcsvbIŐad҉JwܛRSۍZY𤟩I+v!oWH]JCymbUXPo\72ާg\ J]e.Zj"3 ?Wfdq89YxWvG%r1c'wh߇ ns&IzReeV…L3URsLfM8>V[4-^OggS!%`@ƈCX~FםV[-̓7bo9 CՌd (.dD%gviIl0Z){=>86ՃtA$~]h@Ҵj^8OԱضr`.`pXD§P;a2 "sC,hJ.| $Dtj,_6*x%UrўN.ɞyAɑ6qnY&rK DvtiQ,u;Rm^+ Dďxq҉ Q$!xfU'->W"WFWgc\O WeSr-8f:t`)h׮?LݲG{CR\*J`ޠd  KF_}~b4t4Ȱ)_ {,LK a~ULk[M~*ZC}dA2e 'VEzOI@kMiz~ұ;Mi0eX:,d}$U*pr:aI=;&tuK)6sޞ4Y}qKWsP[?e޺(VR8R,#`2|kFsH!J[! P5uK/܋bж$mE7%3іG@u"T%M]G@,kgž,NDGM߼߼߼߼ͯm.Q=ۜp:dޟtdH=3Fl'&8~,+"D"Hd*ڵOLh\!gl= |s76g(eePtPhV6G¬x9kրG7cêk/hcGߚ`V H;N<ލԜW#WFc\oH/x!NJCR%)U x&eIuk=[$W@ 'Y4O8|`%OR$~. BHk i4812MxD 3 g7/?bRj )؂@>> _vz$#[Q˃i+p/?nn^w37~sg~sg~sg~sg~ywfTUܙE'uu' n+1-  0T! Za "`;ltMkrqV$Ba= O-]RҥI?'\}JA"j!r})BEVcon׬ ؆8sAAxw  p EM,V"y R}<6&^ߛ0$][є.OXœ_A(r@ A0"tBu׋y!Dv-_x}?cgK?n٨X+c~n3m3<$$0藒P'b_.xv\Ee r.tp`dc}]1sH/a5*9=ti'&Ⴣ%=PNxtowwv]g3psZG|-W/Em/T_ݷ$8K̫)꿓$}mv`'0gmX,hMÙ@t}œ3Q Il"d8 P;f Crpя"xcO{ eTZWIY4+s/ %ZYtĕ' 2y(^Bx8j 5 g{{[$0#nv;"2(W#=t͆!xyl?] $.z~Uv G2C"(lohF]ChXxCu~rmbwI}\DqvWzBYmӶ"5w1i}P2DO#%1Oe(#$Gs4V5Śx KE!A¢j==#Ÿ R"RV(> l?QX2{n/˛i~p\KCrLFm.93͒EˉntMSs95U)j~Ar)XZR,w%[dox7Bք0XtL'f|Q*TH5i1pC?b\y z'hshC~<Vz^3ZkTX;XifղyJ)~,y-JYթB\lݹY呏!5ڢ#2t@!d4^qհp-| Y?*ªFw\if0zVZIj[?0|]SjZ <¼X5:rsk;-t /}\pY$֞SK a<#RF̯q}%|#'#lDY٪B.jjǛh-xlkSt1nB!E TЍB9Ϫ͒;IoP}sY?e=a '2u?|{~BJ{=Lm~C#hM-ã|U:l|%w;ҹn,WMCh%K 7ѭd rH8a|LѹH|dUk{VyKb?{ro h:MQx\Ju Ra|${34m#p3'Fΐ!,E|Etz['U}>l1Fhb##ʚB0\'u C{F.:`й꣇U #v2^ycc1z!A?C6ywNq?CRO⺢taT;#xtT$ln2.hU?#.7,Mx:L$!i?/W}e_)aODu"Ft883*%EcH <"m~g~q79t)45A!<\AAcs} xlGUpbZ1Ř!briĔy9xOB_<%ccZ|G,{{GǙ;fSZ,gl%RdtQ:..( o$H)YPXP؟Se OHB}s y. dFé 7EPf00aLn30lMqW'Ag#j~ b\]:ovN5j' H=P<`A~,^!usx\fJԎV$%Ѕ8h,-@"!9͉Kk' 7ֆúޛZF #~aP8\  +z+uT'I]WP)q!xW`ǪZIW>w'0x5nV/D*z+YT( I+1;}^o)?GL€،P r,4[gIUCWAwA:gkZNAw|vuQc̑:jS#Z4/j0}P܄qP b;g]t Ȥou[g@g9@/9Ao9WP~)Ay/)} 8hwrʏx} $?sX_~-4O˻B)usEN9_/OPi}?ˁ!9<瀟񺓜r<<ϡOы_|9P~S(GN9^E\]_O/G@r%e}\9_\OoC_>G(W39rsڿΡ=>k]T(RhK "S^9,.Nre)cA\̥-c@#mq8AG.v)n7pK|` {Zӛk ';Z8 |3/߆rIٝzÀ}vk O WYR-KcaP]?|Lhj'܌3X;Oi7\]ΆЙ%†>ga#f^*B8DCw_a%ɡ1zI=E ;wEm=SOWnޣ97pL\wn )xT-kZYoZԪw俓+v5h=""C.7ɪ"+uw9 8]V*r `"! *s>P`24UF` Ԋz!J1 4`֭tK_c(wp E Ч w̆Ȥ˘V͛YȌ)æʗᄽNگ$` f@2b'`{z98Û{y0`)fmf..eа!,%sv[F8 c|Me3F<>`$X)43ǬȽGӟF}q!rE: Tope/Lww-HZ}vܸxZ 3Ir]32Y /§On3 &`T$0>t ޺Ccjd1ck +#͙P<bՍP? T@| %{\6LDRw}B0yNmv89DEPމ!/[v2g S*4%SЌxc*xEy?ĵ# MPt[:SAW Cr 3қKt͹_U`7'#~*3VœA>h4M@(_ْk0F?s^n0")1<&׳c?d|E#bSp!@xM5f2R8WĻ Q)۱YJAł<Vgf;[CNa p#Q#*]^x9@mҕh_ɬnQ7V0] c/1+8~m=bu{-Urcd+xf:PEXl+ѠW5`/9H_(|9N]RjãÍGHǸ [ Iy>p <Щ1T\bգJʶE9b릍 ѨipKTؖEndS^moymOEmY>mЍ5O1ngNbk*χŀ𞭞{̾1^f#9uVOedg)dr̅2 !ɴyyU~ҥN.I,g`aQd+$*)ؐW ku ;acXJXF!Ƨ ?'TS*4.>ϭn<\e9)_0$a1+>c-hw͹!wS׆)0ѕD1F(g,1f wAx& =`#hxj"nh1 d'k%I >d31#7Dj0BrH d[H_مt&v3k)/YH~1  <99.@$NSP_X1]< :L+s+ Sq||:,]S,w1NZݳO<|;Xit0y']f*FRqOR|?(>od /=j-Emӻjw T>Vnw/ާ+e=;`ons gs7*Ѡ,jU z' l5mEgl(3W'J^R۝wz"f/F)SذM*i29J{) qŭ˕bmTɩY;~XX96v6̈́M.b&;f1Բ]G*+