Vulnerabilities: are things getting better?

The number of security vulnerabilities disclosed during 2007 dropped by over 5 percent from the previous year.

According to IBM X-Force's annual trend report [PDF], there was a 5.4 percent reduction in new vulnerability disclosures during 2007 compared with 2006. A total of 6437 vulnerabilities were reported during 2007.

Researchers are uncertain whether this is a statistical correction (both 2005 and 2006 saw growth well in excess of the trend), a chance event, or the beginning of a new trend. Whatever the reason, this is the first reduction since X-Force began collecting the data in 2000.

But apart from that headline figure, there's not much good news to be found in the report.

High-impact vulnerabilities were up 28 percent compared with 2006. A high-impact vulnerability is one that allows "immediate remote or local access or immediate execution of code or commands with unauthorised privileges."

When you look at the absolute number of high-impact vulnerabilities, the overall trend seems to be upward apart from modest reductions in 2003 and 2006.

Another worry is that the proportion of vulnerabilities that can be remotely exploited has grown every year since 2000, with the sole exception of 2004. So not only are there more vulnerabilities, more of them have a high impact, and more of them can be exploited by people who don't have physical access to your systems. On top of that, almost all web-based exploits now use obfuscation or encryption to make it harder for intrusion detection and prevention systems to spot them.