YOUR IT - Technology for you

Apple tops vulnerability list, but Microsoft still ahead on exploits

The (relatively) good news is that the total number of vulnerabilities disclosed in the first half of the year was 3534 - up by 5 percent on the same period in 2007 (which showed a slight decline), but at least the figures aren't climbing by around 50 percent as they were from 2004 to 2005, and from 2005 to 2006.

Unfortunately, the proportion of high and medium severity vulnerabilities has also grown. Low severity vulnerabilities account for only 17.7 percent of the total, compared with 24.2 percent during 2007.

So who's finding these vulnerabilities? Looking over the last three half-years, X-Force concluded that approximately 16 percent were disclosed anonymously, and of the remainder, 70 percent came from independent researchers. The other 30 percent of non-anonymous reports came from research organisations, whether corporate or non-corporate.

However, research organisations were responsible for nearly 80 percent of critical vulnerabilities.

Worryingly, but not surprisingly, exploits were almost twice as likely to occur on the day of disclosure when the discovery was made by an independent researcher.

Why "not surprisingly"? As the X-Force report notes, commercial research organisations generally do not provide proofs of concept. Another factor could be that individual researchers who do not have established reputations may feel the need to provide proofs of concept so that their claims are taken seriously.

And here's something that should provide some peace of mind: over 80 percent of the vulnerabilities discovered by security researchers aren't exploited.
