Internet Security Systems - AlertCon(TM)

Vulnerability Avalanche

Posted by Gunter Ollmann on October 03, 2006 at 2:53 PM EDT.

2005's vulnerability record was broken in September 2006.

Last year was the biggest EVER for new vulnerabilities, with X-Force identifying and analyzing 5,195 of them.  Actually, the number would have been higher, but there were a lot of disclosures labeled as ‘vulnerabilities’ which were in fact bogus claims by their authors, nothing more than bugs, but which still had to be researched.

Anyhow, at 08:01:26am on Monday 25th September, X-Force analyzed and catalogued the 5,196th vulnerability for 2006 (not including bogus claims).  So, we’re only three-quarters of the way through the year, still having to deal with the busiest quarter of the year, and we’ve already thrashed last year’s record.  Based upon this trend, we’re probably looking at between 7,000 and 7,500 by the end of the year.

That’s not particularly good news for any organization's security team and, let me tell you, it’s pretty tough on the guys and girls over here in X-Force who have to analyze and research them all.

Still, it would be easier if more of those wannabe security researchers out there, armed with their fuzzers and a copy of ‘The Shellcoder’s Handbook’, knew enough about their own security findings (and future trade?) to go beyond “it may be exploitable.” I mean, it doesn’t normally take that much effort to investigate these things (for example, reading other people’s exploit code for hints to figure out how heap-spraying works).  Perhaps they haven’t gotten to that chapter in their book yet?

That said, it can be fun since a sizable percentage of these vulnerability disclosures stop short of uncovering ‘interesting’ vulnerabilities – that is, the initial researcher spotted the lame information disclosure or DoS condition, but missed the 3+ remote code execution bugs sitting in the same procedure call.  Suits me – and all the penetration testers I know.  :-)

BTW, the 5,196th vulnerability analyzed by X-Force for 2006 was associated with the FiWin SS28S WiFi VoIP SIP/Skype phone – who said vulnerability research wasn’t sexy?
