Application Security
2/27/2014
11:00 AM

IBM Software Vulnerabilities Spiked In 2013

Most code flaws still involve non-Microsoft products, and overall patching speed has improved, study presented at RSA conference finds.

Did the number of vulnerabilities reported in IBM products jump by 400% from 2012 to 2013?

That finding comes from a new study of the top types of software vulnerabilities facing enterprise networks, released Wednesday at the RSA conference by vulnerability management firm Secunia. That information is crucial for helping IT administrators prioritize which applications and operating systems to patch first.

Overall, Secunia received reports on 13,073 new vulnerabilities in software products in 2013 -- spanning 2,289 products from 539 different vendors -- and said 16.3% of the bugs were rated "highly critical," meaning they can be used to remotely exploit systems. A further 0.4% of the vulnerabilities were rated "extremely critical," meaning bugs that could remotely exploit systems and were also being actively targeted by in-the-wild attacks.

From 2012 to 2013, the total number of vulnerabilities seen by Secunia increased by 32%. Secunia officials said the spike largely stemmed from vulnerabilities reported in IBM products jumping from 772 bugs in 2012 to 4,181 bugs in 2013. Of those, 74% could be used to attack a remote network, 20% a local network, and 7% a local system.

Asked to comment on Secunia's findings, IBM offered a different set of statistics, based on counting any given vulnerability, even if present in more than one of its products, only once. "It's important that these vulnerabilities are measured accurately," said IBM spokeswoman Nicole Trager via email. "IBM reports unique vulnerabilities -- each unique vulnerability could affect more than one IBM product."

Using that approach, the total number of vulnerabilities reported in IBM's products increased by 260%, rather than the 400% seen by Secunia. "In 2012, there were approximately 250 vulnerabilities reported by IBM," Trager said. "In 2013, there were approximately 650 vulnerabilities reported by IBM. In both 2012 and 2013, approximately one-third of these vulnerabilities are Java vulnerabilities."

(Image credit: Purple Slog.)

Regardless of whether the Secunia or IBM approach is used to count bugs, what accounts for the significant increase in the number of vulnerabilities that were found in IBM's products last year? "Honestly, we don't know," said Morten Stengaard, CTO of Secunia, in an interview at the RSA information security conference this week in San Francisco. One potential explanation is that there were more third-party products bundled into IBM's offerings, in which bugs were found. But Stengaard said the increase doesn't seem to square with a sudden spike in third-party software vulnerabilities being reported, for example in Java.

The IBM question aside, there is good news in the report. Secunia found that a patch was released for 79% of all vulnerabilities on the same day that the vulnerability was publicly disclosed, compared to 70% in 2012. Likewise, 86% of the vulnerabilities discovered in the top 50 most popular products and operating systems were also patched on the day of disclosure, although that was a slight decrease from 90% in 2012. Regardless, fast patching is good news for IT administrators, because it means they can apply patches before attackers have a chance to reverse-engineer and exploit the underlying vulnerabilities.

As that suggests, patch management is a never-ending task, involving not just Microsoft's monthly Patch Tuesday -- which also typically sees patches issued by Adobe, for example for Flash and Shockwave -- but also quarterly patches from Oracle, and all the patches vendors issue on a purely ad hoc basis.

Continuing a trend, in 2013 Microsoft's products -- which made up 33 (66%) of the 50 most popular applications -- accounted for a relatively low number of vulnerabilities. For example, of the vulnerabilities affecting the 50 most-used applications on private PCs in 2013, Secunia found that only 16% affected Microsoft products or operating systems, up from 8% in 2012. The increase was largely due to Windows 8 bundling more third-party software than Windows 7, as well as more Microsoft applications being among the top 50. The remaining vulnerabilities affected operating systems (5.5% of all vulnerabilities) or, overwhelmingly, non-Microsoft applications (86%).

What's the takeaway from those findings? According to Secunia's Stengaard, many IT managers put the greatest emphasis on patching Microsoft and Adobe applications: "So on Patch Tuesday, they go to work, but then they're only mitigating 25% of the risk."

What happens, however, if a vulnerability is reported, but no patch is yet available? In that case, when possible, consider uninstalling the vulnerable application and using an alternative. For example, Secunia CEO Peter Colsted, in an interview at RSA, said that after a zero-day attack against Adobe Reader surfaced last year, Secunia deleted the application from its employees' PCs and temporarily installed an alternative, free PDF reader instead. About a week later, after Adobe released a patched version of Reader, Secunia reinstalled the software.

Mathew Schwartz is a freelance writer, editor, and photographer, as well as the InformationWeek information security reporter.

Comments
J_Brandt, User Rank: Apprentice, 2/27/2014 | 7:45:53 PM
Re: Microsoft bugs are like airplane crashes ...
I like your airplane analogy! :) But yes, credit to Microsoft for doing a good job tackling the bugs. Security programming still hasn't reached enough of a "baked in" status in enough organizations.
Mathew, User Rank: Apprentice, 2/27/2014 | 12:14:46 PM
Re: Microsoft bugs are like airplane crashes ...
I couldn't agree more. One consistently sounded note -- by security experts -- at this week's RSA conference in San Francisco has been praise for how well Microsoft has cracked down on bugs in its products. If more businesses had a hardcore secure development lifecycle or "trustworthy computing" culture we'd have to deal with a lot fewer of these bugs.
David F. Carr, User Rank: Apprentice, 2/27/2014 | 11:31:53 AM
Microsoft bugs are like airplane crashes ...
Microsoft bugs are like airplane crashes ... good that they're rarer than we might imagine, but they take more people down with them when they happen.

Still, Microsoft deserves more credit than it usually gets for tightening up software security.