Jeff Jones, a strategy director in the Microsoft Security Technology Unit ("the team trying to make all Microsoft products more secure," according to Jones), wrote a blog entry recently about data he tracks on vulnerability disclosures.
Already, through September, there have been more disclosures in 2006 than in all of 2005. The increases have been steady and huge since about 2003. There was actually a sharp decline from 2002 to 2003—Jones doesnt get into this figure, but Im curious what caused it.
Back to now, I agree with one of Jones conclusions: that the trends are indicative more of improvements in vulnerability research and testing rather than that products are somehow more vulnerable than they were in the past. Subject todays tools to Mac OS 9 and Windows NT 4, and those OSes would come out looking truly awful (which they were, even though they were good products by the standards of the day).
The emergence of fuzzing tools and a for-profit white hat vulnerability research business has created an explosion in the number of vulnerabilities discovered and revealed. The other major source of growth in vulnerability research is the number found in applications.
Consider the huge patch release by Oracle just this week, addressing more than 100 vulnerabilities in a variety of products. See Figure 6 in Jones blog: Application vulnerabilities, in raw numbers, dwarf OS flaws.
In fact, these application flaws can be some of the scariest. A number of very serious PHP flaws several months ago resulted in high-level server compromises. Users are perhaps not as attuned to updates in applications or as likely to take them seriously. If you subscribe to a high-quality research feed (Im a big fan of Symantecs DeepSight Threat Management System), you see several of these flaws fly by every day.
Microsofts move to update Office and other products through the Microsoft Update facility should, in the long term, mitigate their end of this problem. Note that the last few months have also witnessed a crime spree of Office zero-day vulnerabilities and exploits, with vague stories of them being used for targeted attacks.
Jones numbers also show that the number of noncritical vulnerabilities is growing as a percentage of the total. This too makes sense as a result of the improvements in tools. Manual vulnerability researchers arent going to spend as much time looking into low-severity issues, but a fuzzer doesnt mind working all night.
Im convinced were still in the early stages of development of tools for research and remediation of vulnerabilities, so Id expect these trends to continue, including the one that shows growth of vulnerabilities in Mac OS and Linux outpacing that of Windows.
But exploiters have their own tools. If we dont improve ours better than they do, were all in trouble.
Security Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.
More from Larry Seltzer