Risk // Compliance
2/20/2013
01:04 AM
Connect Directly
RSS
E-Mail
50%
50%

Lessons Learned From A Decade Of Vulnerabilities

A pair of reports look at the trends in vulnerability disclosure over a decade or more. Here are four lessons from the data on more than 50,000 flaws

In 2012, the number of publicly reported software vulnerabilities jumped by 26 percent, the biggest increase in security issues in five years.

Bad news? Not necessarily. While the past decade of vulnerability disclosures saw the reversal of a five-year decline, it also marked a reduction in the number of easily exploitable, critical severity flaws. Two reports -- one released earlier this month and another scheduled for release next week -- analyzed the trends over the past decade or more and noted both positive and negative trends in software security.

The reports highlight the fact that vulnerabilities will not go away and that companies must find ways to minimize their impacts, says Stefan Frei, research director of NSS Labs, a security consultancy.

"Vulnerabilities are here to stay," he said. "I don't think that in five years time we will have eliminated vulnerabilities from any software product."

In its report released in early February, NSS Labs analyzed almost 54,000 vulnerabilities in nearly 21,000 software products using data from the National Vulnerability Database (NVD). Next week, network-security firm Sourcefire plans to release its own analysis spanning more than two decades of software flaws.

Both reports find that the number of publicly reported software vulnerabilities peaked in 2006, and then declined during the next five years. In 2012, however, the tally of software flaws jumped -- by more than a quarter, according to NSSLabs' analysis.

Here are four lessons from the data, according to the experts who crunched the numbers.

1. Focus on security reduces exploitability, severity.
First the good news: Easily exploitable, critical severity vulnerabilities are increasingly uncommon.

In 2012, less than half of all vulnerabilities were easily exploitable, down from approximately 95 percent in 2000. In addition, fewer high severity flaws were found: The number of vulnerabilities with a score on the Common Vulnerability Scoring System (CVSS) of 7.0 or higher dropped to 34 percent of reported issues in 2012, down from a high of 51 percent in 2008.

The numbers indicate "a clear -- but slowing -- trend towards an increase in attack complexity," Frei stated in the NSS Labs' report.

2. Still more than enough flaws.
While there are thousands of software vulnerabilities out there, opportunistic attackers tend to exploit only a dozen or two in any single year -- typically those exploits baked into cybercriminal toolkits.

Unfortunately, there are more than enough highly critical flaws to go around. In 2012, more than 9 percent of the publicly reported vulnerabilities had both a CVSS score of 9.9 and a low attack complexity, according to NSS Labs' analysis. Adobe, Mozilla, and Oracle -- the company that supports Java -- are the developers with the most easy-to-exploit vulnerabilities, accounting for almost half of the high-severity issues.

"You take all these thousands of vulnerabilities, and maybe only a dozen are being regularly exploited," says Zulfikar Ramzan, chief scientist at Sourcefire.

Companies should focus on fixing or mitigating the vulnerabilities that are included in exploit kits, he says.

3. New developers, new technology are fertile fields.
New technologies have always posed as potential fodder for vulnerability research; as a constant incubator of new technologies and frameworks, the Web is a steady source of software vulnerabilities, says Jacob West, chief technology officer of Hewlett-Packard's Enterprise Security Products group, which plans to release its own vulnerability analysis at the coming RSA Conference.

In the past decade, four of the top six vulnerabilities were Web-based software issues, he says. Today, more than half of Web sites are vulnerable to cross-site scripting issues.

[While zero-day attacks -- targeting previously unknown and unpatched vulnerabilities -- are a wide concern, companies need to test their security against known vulnerabilities as well. See More Exploits For Sale Means Better Security.]

"Enterprise applications are on a slower life cycle -- they are slower to patch," West says. "The other side of that coin, however, is that something like the Web, with an agile life cycle, can be updated faster, but may be more likely to have security holes introduced."

Other technologies that have yet to have mature, secure development life cycles are mobile applications and industrial control systems, he says.

4. Private markets competing for disclosure.
The decline in highly critical vulnerabilities may not necessarily be good news. HP and NSS Labs both theorize that security intelligence startups created by vulnerability researchers as well as other channels for private sales have culled some of the best vulnerabilities from being publicly disclosed.

"There is a bigger markup for critical vulnerabilities than there use to be," HP's West says. "There are black markets; there are private sources. So we think a lot of those high criticality vulnerabilities are being siphoned off."

The number of high severity vulnerabilities sold through the two most popular white-market programs, HP TippingPoint's Zero Day Initiative and iDefense's Vulnerability Contributor Program, peaked in 2011 at 18 percent, and fell last year to 6.3 percent. Since 2005, the programs have disclosed an average of 7 percent of high-severity issues.

The trend "correlates with reports of the vulnerability and exploit market rapidly expanding in 2012," the NSS Labs' report states. "These changes in the security industry likely affect the share of established programs and could change the dynamics of the vulnerability handling processes in the future."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
In a digital world inundated with advanced security threats, Intel Security seeks to transform how we live and work to keep our information secure. Through hardware and software development, Intel Security delivers robust solutions that integrate security into every layer of every digital device. In combining the security expertise of McAfee with the innovation, performance, and trust of Intel, this vision becomes a reality.

As we rely on technology to enhance our everyday and business life, we must too consider the security of the intellectual property and confidential data that is housed on these devices. As we increase the number of devices we use, we increase the number of gateways and opportunity for security threats. Intel Security takes the “security connected” approach to ensure that every device is secure, and that all security solutions are seamlessly integrated.
Featured Writers
White Papers
Cartoon
Current Issue
Dark Reading's October Tech Digest
Fast data analysis can stymie attacks and strengthen enterprise security. Does your team have the data smarts?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-4594
Published: 2014-10-25
The Payment for Webform module 7.x-1.x before 7.x-1.5 for Drupal does not restrict access by anonymous users, which allows remote anonymous users to use the payment of other anonymous users when submitting a form that requires payment.

CVE-2014-0476
Published: 2014-10-25
The slapper function in chkrootkit before 0.50 does not properly quote file paths, which allows local users to execute arbitrary code via a Trojan horse executable. NOTE: this is only a vulnerability when /tmp is not mounted with the noexec option.

CVE-2014-1927
Published: 2014-10-25
The shell_quote function in python-gnupg 0.3.5 does not properly quote strings, which allows context-dependent attackers to execute arbitrary code via shell metacharacters in unspecified vectors, as demonstrated using "$(" command-substitution sequences, a different vulnerability than CVE-2014-1928....

CVE-2014-1928
Published: 2014-10-25
The shell_quote function in python-gnupg 0.3.5 does not properly escape characters, which allows context-dependent attackers to execute arbitrary code via shell metacharacters in unspecified vectors, as demonstrated using "\" (backslash) characters to form multi-command sequences, a different vulner...

CVE-2014-1929
Published: 2014-10-25
python-gnupg 0.3.5 and 0.3.6 allows context-dependent attackers to have an unspecified impact via vectors related to "option injection through positional arguments." NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-7323.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Follow Dark Reading editors into the field as they talk with noted experts from the security world.