Proactive IT Security
Number of vulnerabilities on the rise

Introduction

In August IBM Security X-Force published its Mid-Year Trend and Risk Report. The X-Force reports are always interesting reading, and this latest edition maintains the high standard. Many topics are discussed in the report; in this security article we shall focus on one particular finding.

Vulnerability disclosures

In the report a vulnerability is defined as:

a set of conditions that leads or may lead to an implicit or explicit failure of the confidentiality, integrity, or availability of an information system

The number of disclosures is on the rise

X-Force analyzed more than 4 000 vulnerabilities in the first half of 2010. This is the highest number ever recorded, and an astonishing 36% increase compared to the first half of 2009.

X-Force speculates about the reasons for this drastic increase, and points out that both software vendors and other groups report more vulnerabilities than before. According to the report, one group in particular has been extremely active in disclosing vulnerabilities so far in 2010 compared with the previous year.

Patching status

We know that when information about a particular vulnerability is disclosed, malware that exploits it appears quickly. The length of time a known vulnerability remains unpatched is therefore crucial from a security point of view.

More than 50% of all vulnerabilities disclosed during the first half of 2010 remained unpatched at the end of the period. This number is uncomfortably high.

The vendors of the most popular applications and operating systems, for example Microsoft, Mozilla and Apple, are also present on the list of vendors with the most unpatched vulnerabilities. One should however note as positive that these three vendors perform quite well compared with others when it comes to patching high and critical vulnerabilities, which after all is what matters most.

We know from other studies that it takes a substantial length of time before the majority of users patch their applications even when a security update is available. This lag in patching indicates that the percentage of unpatched systems is even higher than the percentage of unpatched applications.

Implications and protection techniques

Seen from a cyber criminal's point of view, it seems wise to keep focusing on vulnerabilities in software when she creates her malware.

The real-world situation seems to agree with this theory, as exploitation of software vulnerabilities is an extremely important way of infecting systems with different types of malware.

Seen from the end user's point of view, on the other hand, there are three ways to approach this issue. All of them should be applied, as they are not mutually exclusive but rather complementary.

  1. Update the systems with security patches as soon as possible when they are available
    There is no need to leave your operating system and applications unprotected when the software vendor has published a more secure version.

  2. Use updated security software (e.g. antivirus/antispyware) to protect your systems against malware
    Security software will usually protect you against malware that exploits a vulnerability before the software vendor has been able to fix the vulnerability in question.

  3. Use common sense and sound skepticism
    There are several techniques regarding your own behavior that you can adopt, and which will protect you from many perils. See these two security articles for some useful suggestions:

One may also add a fourth option: remove the vulnerable application and install a more secure, less vulnerable product.
In many situations no alternative application exists. Whenever one does, however, this option should be considered.

Final words

X-Force's report for the first half of 2010 sums the security situation up eloquently in its overview:

(...) one thing in this vastly changing world remains constant: attackers continue to take advantage of the rapid pace of technology for financial gain, including theft of intellectual property.

We concur!
