By Joris Evers
Staff Writer, CNET News.com
October 11, 2006
It isn't over yet, but 2006 is already a record year when it comes to
There is, however, a silver lining: A smaller chunk of the flaws are
Last year, researchers at Internet Security Systems identified 5,195
vulnerabilities in software. On Monday, the count for this year stood at
5,450, according to the Atlanta-based company's survey, and the
projected total for the whole of the year is almost 7,500 bugs.
"Three-quarters through the year, 2006 is looking to be a huge jump in
terms of security vulnerabilities," said Gunter Ollmann, director of
X-Force, the research and development group at ISS.
The number of problems found has increased as bug hunters and software
makers have become more skilled at finding them and as access to
automated audit tools has improved, Ollmann said. Also, there is more
code to comb for security holes, because people use more complex
software than ever.
Atlanta-based ISS, which is being acquired by IBM, predicts there will
be a 41 percent increase in confirmed security faults in software
compared with 2005. That year, in its own turn, saw a 37 percent rise
But there is some good news as well: While there will be an overall jump
in the number of security vulnerabilities, it will be accompanied by a
fall in the percentage of bugs rated "critical" or high-risk, Ollmann
According to Ollmann, severe flaws like these accounted for 28.4 percent
of all security holes last year. By comparison, they make up only 17
percent of the flaws identified this year up to Monday, and that
percentage is expected to be the same for the full year.
"This is probably the most positive part of the vulnerability trend,"
Ollmann said. "In previous years, there was an upward trend in the
number of critical and high-risk vulnerabilities."
ISS's description of a rise in flaws is backed up by other security
companies. VeriSign's iDefense and eEye Digital Security also said they
have seen an increase in vulnerabilities this year. Another indication
of an increase comes from Microsoft's security bulletins. The software
maker issued 55 in the first three quarters of this year, compared with
45 in all of 2005.
In addition, Symantec's Internet Security Threat Report says 2,249 new
vulnerabilities were documented in the first six months of 2006, up 18
percent over the second half of 2005. That's the highest number ever
recorded for a six-month period, the security company said. Eighty
percent of newly disclosed issues were considered easily exploitable,
and the window of exposure for enterprise flaws was 28 days.
More security vulnerabilities mean more opportunities for cybercrooks
and more headaches for people creating and applying security patches,
"You have to protect against every single one of those vulnerabilities,
while an attacker needs to find only one to stage an attack," Ollmann
said. "The more vulnerabilities that are disclosed, the more at risk you
Warming up to fuzzers
Critical and high-risk vulnerabilities are those that could let a
network worm spread by itself, or could allow an anonymous attacker to
remotely gain control over a computer without the user taking any
action. As well as a percentage drop, ISS projects a fall in the
absolute number of these types of bug in 2006: it anticipates 1,265,
compared with 1,475 last year.
The drop in the most serious flaws can be attributed, in part, to
better-built software. "Software is becoming more secure," Ollmann said.
"Also, many bug hunters have started using automated tools called
'fuzzers,' which often turn up flaws that end up being rated
medium-risk," he said.
For example, a fuzzing tool could be used to test how a specific
application handles a certain file format, such as the JPEG and GIF
image formats. If that application--say, a Web browser--returns an
error, the error could point to a vulnerability that could be used as
the basis for an attack. To exploit this flaw, however, the attacker
will often have to trick the victim into opening a malformed file.
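As an added illustration of the file-format fuzzing Ollmann describes (this code is not from the article, ISS or any real fuzzer), the following Python builds a minimal GIF, feeds every single-bit flip and every truncation of it to a hypothetical, deliberately careless header parser, and sorts the outcomes into clean rejections versus unhandled failures worth triaging. The parser, the sample file and the mutation labels are all constructed for this example.

```python
import struct
from collections import defaultdict

# Constructed sample input: a minimal 2x2 GIF89a with no colour table, built
# inline (signature, screen descriptor, image descriptor, LZW block, trailer).
SAMPLE_GIF = (
    b"GIF89a" + struct.pack("<HHBBB", 2, 2, 0x00, 0, 0)
    + b"\x2c" + struct.pack("<HHHHB", 0, 0, 2, 2, 0)
    + b"\x02\x02\x44\x01\x00" + b"\x3b"
)

def toy_gif_parser(data):
    """Hypothetical, deliberately careless GIF header parser: rejects a bad
    signature cleanly (ValueError) but trusts every size the header declares."""
    if data[:6] not in (b"GIF87a", b"GIF89a"):
        raise ValueError("not a GIF")
    _w, _h, flags, _bg, _aspect = struct.unpack_from("<HHBBB", data, 6)
    off = 13
    if flags & 0x80:                       # global colour table follows
        off += 3 * (2 ** ((flags & 7) + 1))
    if data[off] != 0x2C:                  # no length check: truncation bug
        raise ValueError("expected image descriptor")
    _l, _t, iw, ih, _f = struct.unpack_from("<HHHHB", data, off + 1)
    payload = data[off + 10:]
    # Trusts iw*ih: one flipped size bit overruns the buffer (IndexError
    # here, an out-of-bounds read in C); a size of 0 even wraps silently.
    return payload[iw * ih - 1]

def fuzz_bit_flips_and_truncations(parser, seed):
    """Try every single-bit flip and every truncation length of one seed file.
    ValueError is the parser's own validation; anything else is unhandled."""
    findings = {"rejected": [], "crashed": defaultdict(list)}
    cases = [("flip@%d.%d" % (i, b),
              seed[:i] + bytes([seed[i] ^ (1 << b)]) + seed[i + 1:])
             for i in range(len(seed)) for b in range(8)]
    cases += [("trunc@%d" % n, seed[:n]) for n in range(len(seed))]
    for label, sample in cases:
        try:
            parser(sample)
        except ValueError:
            findings["rejected"].append(label)
        except Exception as exc:           # a fuzzer wants every failure kind
            kind = type(exc).__module__ + "." + type(exc).__name__
            findings["crashed"][kind].append(label)
    return findings

if __name__ == "__main__":
    report = fuzz_bit_flips_and_truncations(toy_gif_parser, SAMPLE_GIF)
    print("clean rejections:", len(report["rejected"]))
    for kind, labels in sorted(report["crashed"].items()):
        print(kind, len(labels), "e.g.", labels[:3])
```

The crashes the harness reports are exactly the kind of medium-risk finding the article mentions: each needs a victim to open the malformed file, but each also marks parser code that trusts its input.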
Fewer of the most-serious flaws are being discovered in operating
systems, said Steve Manzuik, an eEye representative. However, there are
more being uncovered in other kinds of software.
"We have seen an increase in critical client-side flaws such as ones in
Internet Explorer, QuickTime, and Office applications," he said.
The overall dip in severe flaws may be short-lived, Ollmann said. When a
major new software product ships, the count of critical bugs typically
spikes, he noted. In January, Microsoft's new Windows Vista, the
operating system successor to XP, is slated to be broadly available.
Microsoft has tagged Vista as the "most secure version of Windows ever."
"I think that certainly in the first half of 2007, we will see an
increase in percentage terms of high-risk and critical vulnerabilities,"
Ollmann said. "That will most likely be associated with the release of
It isn't just the most serious flaws that people need to worry about,
noted Ken Dunham, director of the rapid response team at iDefense. "This
year has been unprecedented in terms of zero-day attacks," he said.
"There is a much larger number of medium-level vulnerabilities today,
and many of those are being used in attacks."
Zero-day attacks use previously unknown flaws that have yet to be fixed.
Many of them take advantage of the type of security hole that can be
found using a fuzzer.
Such mid-level vulnerabilities are being used in two main types of
attacks. Consumers are targeted via malicious Web sites that try to
silently install spyware or other nefarious software such as keystroke
loggers and bots, Dunham said. Businesses are being targeted directly,
with small-scale attacks that use rigged Word documents, for example, he
"Consumers can count on Web-based attacks, while the scary part for
organizations is that they are being targeted specifically by certain
attackers," Dunham said.
Copyright 1995-2006 CNET Networks, Inc. All rights reserved.