Report: MS, Apple, Oracle Are Top Vulnerable Vendors

[InfoSec News <alerts () infosecnews org>]

http://www.eweek.com/article2/0,1895,2184206,00.asp

By Lisa Vaas
September 17, 2007 

New IBM research shows that five vendors are responsible for 12.6 
percent of all disclosed vulnerabilities.

Not surprising: In the first half of 2007, Microsoft was the top vendor 
when it came to publicly disclosed vulnerabilities. Likely surprising to 
some: Apple got second place.

IBM Internet Security Systems' X-Force R&D team released its 2007 report 
on cyber attacks on Sept. 17, revealing that the top five vulnerable 
vendors accounted for 12.6 of all disclosed vulnerabilities in the first 
half of the yearor 411 of 3,272 vulnerabilities disclosed.

Here's the order in which the top 10 vendors stacked up, by percentage 
of vulnerabilities publicly disclosed in the first half of the year:

Microsoft, 4.2 percent
Apple, 3 percent
Oracle, 2 percent
Cisco Systems, 1.9 percent
Sun Microsystems, 1.5 percent
IBM, 1.3 percent
Mozilla, 1.3 percent
XOOPS, 1.2 percent
BEA, 1.1 percent
Linux kernel, 0.9 percent

The report also says that 21 percent of vulnerabilities disclosed by the 
top 5 vendors remain unpatchedup from a year ago, when only 14 percent 
of the top vendors' vulnerabilities stayed open in the same timeframe.

While that might seem alarming, it's notable that 60 percent of 
vulnerabilities from all other vendors found in the first half of the 
year remained unaddressed.

The vast majority90 percentof the 3,273 vulnerabilities reported in the 
first half of the year can be exploited remotely. And more than half51.6 
percentof the vulnerabilities found would give an attacker access to the 
host after exploitation.

In other findings, one surprise was that for the first time ever, 
there's been an actual decrease in the number of vulnerabilities 
reported. The total of 3,273 vulnerabilities found represents a 3.3 
percent decrease over the first half of 2006.

X-Force Director Kris Lamb told eWEEK that there are a few things at 
play that likely have contributed to the decrease. One factor is that 
nowadays researchers have at their disposal much more polished 
bug-finding techniques. One such technique is fuzzing: the use of 
automatic tools to find vulnerabilities.

As such tools become more mainstream, Lamb said, we are likely hitting 
the saturation point as far as finding the low-hanging fruit goes.

"[The functionality of] tools are still being expanded, but they were 
used in early years to find easier-to-find, medium- and high-[risk] 
vulnerabilities," he said. "It doesn't mean there aren't more bugs to be 
found, but the bugs out there are harder to find, and they take a more 
specialized skill set to find."

The decrease in reported vulnerabilities could also be a reflection of 
the trend to monetize exploits in the underground marketplaceand in the 
above-ground marketplace as well. The disclosure of bugs could be taking 
longer since they're being sold or traded, he suggested, on sites such 
as Wabisabilabi, an eBay-like bug market launched in July.

"There's the potential for vulnerabilities to not see the light of day 
either as quickly as they used to or [at all], as a result," Lamb said.

Where spam and phishing is concerned, X-Force found that the top spam 
spewers worldwide are the United States, Poland and Russia. Analysis of 
IBM ISS' content filtering services and the millions of e-mail addresses 
it actively monitors shows that the United States accounts for 
originating one-eighth of all worldwide spam. Here's how the rest of the 
world breaks down, spam sender-wise:

United States, 13.2 percent
Poland, 7.1 percent
Russia, 5.9 percent
Germany, 5.9 percent
South Korea, 5.7 percent
China, 5.4 percent
Brazil, 4.5 percent
Italy, 4.0 percent
France, 3.8 percent
Turkey, 3.0 percent

But the map of where spam URLs are hosted looks very different. The 
United States is still tops in this categoryit's home to 34.7 percent of 
the points from which spam URLs are hostedbut the rest of the world 
breaks down differently, with China moving to its usual position at or 
near the top of such maps:

United States, 34.7 percent
China, 12.7 percent
South Korea, 5.9 percent
France, 5.3 percent
Hong Kong, 3.6 percent
Canada, 2.9 percent
United Kingdom, 2.6 percent
Russia, 2.6 percent
Hungary, 2.2 percent
Netherlands, 2 percent

The X-Force is also seeing a first-time dip in byte size for spam. This 
is a trend that reflects the decrease in image-based spam, as senders 
hop around in an effort to avoid content filters by instead sending spam 
messages embedded in PDFs, Excel or other file formats, Lamb said.

"That's very effective, initially, at bypassing a lot of traditional 
filtering technology," Lamb said. 


__________________________________________________________________      
CSI 2007 is the only conference that delivers a business-focused
overview of enterprise security. It will convene 1,500+ delegates,
80 exhibitors and features 100+ sessions/seminars providing a
roadmap for integrating policies and procedures with new tools
and techniques.  Register now for savings on conference fees   
and/or free exhibits admission. - www.csiannual.com