Monday, 11 August 2008 07:44

Apple tops vulnerability list, but Microsoft still ahead on exploits

Apple may have disclosed more vulnerabilities than any other vendor during the first half of 2008, but Microsoft and HP are still 'beating' the Cupertino kids when it comes to the number of public exploits. These are among the findings in a report published by IBM's X-Force security R&D team.

Overall, ten vendors were responsible for 81 percent of vulnerability disclosures. They were Apple, Joomla!, Microsoft, IBM, Sun, Oracle, Cisco, Drupal, WordPress and Linux.

It is interesting to note the presence of three open source content management systems in the list. Some advocates claim that open source is inherently more secure than closed source, because of the larger number of eyes that can examine it. The downside is that it's akin to doing your dirty laundry in public.

But that openness doesn't appear to affect the number of exploits: when vendors were ranked by the number of public exploits, three were head and shoulders above the rest: Microsoft, HP and Apple.

'Public exploit' is defined as "Any proof-of-concept demonstrative code, partially or fully functional, or malicious mobile agent, such as malware, that is publicly available."

"The public availability of proof-of-concept code increases the likelihood that the vulnerability will face live exploitation either through targeted attempts or through a mass distribution method, like in an exploit toolkit," says the X-Force report. "Common outlets for these public exploits are exploit testing tools like Metasploit and Canvas."

Is there some good news in the report? Some, but there is more bad news too.

The (relatively) good news is that the total number of vulnerabilities disclosed in the first half of the year was 3534 - up by 5 percent on the same period in 2007 (which showed a slight decline), but at least the figures aren't climbing by around 50 percent as they did from 2004 to 2005 and from 2005 to 2006.

Unfortunately, the proportion of high- and medium-severity vulnerabilities has also grown. Low-severity vulnerabilities account for only 17.7 percent of the total, compared with 24.2 percent during 2007.

So who's finding these vulnerabilities? Looking over the last three half-years, X-Force concluded that approximately 16 percent were disclosed anonymously, and of the remainder, 70 percent came from independent researchers. The other 30 percent of non-anonymous reports came from research organisations, whether corporate or non-corporate.

However, research organisations were responsible for nearly 80 percent of critical vulnerabilities.

Worryingly, but not surprisingly, exploits were almost twice as likely to occur on the day of disclosure when the discovery was made by an independent researcher.

Why "not surprisingly"? As the X-Force report notes, commercial research organisations generally do not provide proofs of concept. Another factor could be that individual researchers who do not have established reputations may feel the need to provide proofs of concept so that their claims are taken seriously.

And here's something that should provide some peace of mind: over 80 percent of the vulnerabilities discovered by security researchers aren't exploited.

So what are attackers targeting?

The most common targets include web applications (notably via cross-site scripting and SQL injection) and web browsers (especially via plug-ins, and most often through web exploit toolkits rather than independent exploits).

According to the report, "attackers still have a lot of incentive to target Microsoft components, and Internet Explorer remains the most targeted Web browser."

It's interesting to note that the five most prevalent web browser exploits all target old vulnerabilities. Indeed, three of them exploit vulnerabilities first disclosed in 2006. That should not come as a great surprise. Previous research by ETH Zurich, Google and IBM found more than half of Internet Explorer users were on an outdated version, and then there's the effort required to keep all plug-ins up to date.


Stephen Withers

Stephen Withers is one of Australia's most experienced IT journalists, having begun his career in the days of 8-bit 'microcomputers'. He covers the gamut from gadgets to enterprise systems. In previous lives he has been an academic, a systems programmer, an IT support manager, and an online services manager. Stephen holds an honours degree in Management Sciences and a PhD in Industrial and Business Studies.
