Full Disclosure mailing list archives
Are the number of vulnerabilities going up? is Symantec counting wrong?
From: Henrik Lund Kramshøj <hlk () kramse dk>
Date: Thu, 6 Feb 2003 15:54:55 +0100
Hi there,

In today's mail I read from SECURITY WIRE DIGEST, VOL. 5, NO. 10, FEBRUARY 6, 2003 that:

*NEW REPORT: ATTACKS DOWN, VULNERABILITIES UP
Attacks on Internet-connected machines were down, while the number of exploitable software vulnerabilities went up--way up--during the second half of 2002, according to a biannual report by enterprise security solutions provider Symantec. The 30-attacks-per-week average for companies monitored by the AV software giant represents a 6 percent drop from the first half of 2002. Less than 2 percent of all incidents reported represented aggressive attacks, while a whopping 85 percent were more along the lines of probes for holes to exploit, according to the Internet Security Threat Report. Along those lines, Symantec recorded more than 2,500 newly identified vulnerabilities in various software products during all of 2002, an 81.5 percent increase over the previous year.
http://enterprisesecurity.symantec.com/content.cfm?articleid=1539

What is going on here? I have read this in several places now, and it bugs me. If you go read the report, it says stuff like:

"The total number of new, documented vulnerabilities in 2002 was 81.5% higher than in 2001."

"Symantec documented 2,524 new vulnerabilities over the past year, which amounted to an 81.5% increase over 2001."

I guess they mean that securityfocus, owned by Symantec now, copied from the bugtraq mail folder to their website, and thereby "documented".

But what is going on here? If I read the statistics at http://icat.nist.gov/icat.cfm?function=statistics it says:

Total Vulnerability Count
Year   Vulnerability Count
2003   34
2002   1307
2001   1506
2000   990

So 1307 vulns for 2002, down from 1506 in 2001! As a rule of thumb I sometimes say the number of known vulnerabilities currently grows by "about" 100 new per month.

Can someone explain this? - or does Symantec have a load of vulns they haven't disclosed yet ;-)

I know that securityfocus is sometimes ahead of CVE, which is fine, but why does ICAT/CVE say 1307 vulns for 2002, while Symantec says 2500? Is this just to stir up some fear and sell more products (not that I have anything against their products, and I buy their antivirus regularly for people I know)?

Best regards
-- 
Henrik Lund Kramshøj hlk@{kramse.dk|inet6.dk|sikkerhedsforum.dk|security6.net}
Please read email policy at http://www.kramse.dk/email

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html