Internet Security Systems - AlertCon(TM)

The End of 2006 - A Record 7247 Vulnerabilities!

Posted by Gunter Ollmann on January 02, 2007 at 6:36 PM EST.

Well, that's it - it's over.  2006 is now but a distant memory.

Today, being the first day back at work, it was time to tally up the penultimate vulnerability statistics for 2006.  It feels a little like someone should be reading a sealed envelope and a drumroll should be playing in the background, but the final count for vulnerabilities in 2006 was a whopping 7,247.  That's a 39% increase over 2005! (...and we threw out hundreds more because in a lot of instances the public disclosures were either redundant or incorrectly labeled as security vulnerabilities)

Wow! That's certainly kept the X-Force research teams busy!

I noticed that several security vendors released their 2006 security reports before the year actually ended - I guess in their rush to be the first out with their predictions (I think we all guess that Spam, Phishing, Vulnerabilities and Malware will continue their exponential growth - following the same trend for the last half-decade) they figured that nothing would happen in the last half of December.  But what about the numbers?

One organization, entrusted by their customers to provide them with security information, published before the year ended and stated that there were 5128 vulnerabilities in 2006.  Well, sorry, but either they stopped researching and cataloguing vulnerabilities way back in August, or they missed a couple of thousand throughout the year.  Whoops!

So, there you go, 7247 vulnerabilities.

Finger-in-the-air? The jury is out, but I'd say the odds are pretty even that we'll break the 10,000 barrier for new vulnerabilities in 2007. Ouch!
