[ISN] Computers' Insecure Security

InfoSec News isn at c4i.org
Wed Jun 22 02:44:43 EDT 2005

Forwarded from: security curmudgeon <jericho at attrition.org>
Cc: dailydave at lists.immunitysec.com

: http://www.businessweek.com/technology/content/jun2005/tc20050617_1613_tc024.htm
: By Sarah Lacy
: June 17, 2005
: Software meant to protect PCs are now attack targets, revealing a rising 
: number of flaws -- even more than those of Microsoft products

: A new Yankee Group report, to be released June 20, shows the number of 
: vulnerabilities found in security products increasing sharply for the 
: third straight year -- and for the first time surpassing those found in 
: all Microsoft (MSFT ) products. The majority of these weaknesses are 

Already on unstable grounds with this wording. Journalists (and security 
folks) need to remember the difference between 'found' and 'reported' and 

: SAME EXCUSE.  Last year, researchers found 60 flaws in a variety of 
: computer-security programs, almost double the 31 vulnerabilities 
: discovered in 2003, according to Andrew Jaquith, a Yankee senior analyst 
: who culled a national database of reported software vulnerabilities. 

*Sigh*, some day I will learn to smile and nod and not feel the need to 
reply to these studies. Until that time..

Cliff notes: 2004, 60 flaws in computer-security programs
             2003, 31 flaws in computer-security programs
             unnamed national database of vulnerabilities

Culling a database is easy. Making a list of security products to search 
for in the first place might be a real chore. Moving past that, defining a 
vulnerability would be a key here, as CVE might group a few issues into 
one entry, and another database like X-Force or OSVDB may split them out 
into separate entries. Last, what about products such as 'tcpdump' or 
'ethereal'? Are these classified security products or administrative 

Without this information, this article is basically fluff that can't be 
reasonably understood or trusted without the full report. Fortunately, I 
waited long enough to reply for the details to be released.


We see that they use CVE and iCat for their data, but do not address the 
fact that CVE can merge separate vulnerabilities into a single entry, nor 
do they address other questions above. iCat uses the CVE database and just 
adds some metrics.

Some interesting points in this research:

  Yankee Group analysis of a well-known public vulnerability data source, 
  ICAT, suggests that flaw finders have shifted their focus toward 
  security products.

60 flaws in 2004, according to Yankee Group, and they say there is a shift 
to security product vulnerability research? Compare that to the 
total number of vulnerabilities released, and this is easily debated.

  From 2004 to May 2005 in particular, 77 disclosed vulnerabilities 
  affected a wide array of security products. The incidents increased far 
  faster than the rate for Microsoft (see Exhibit 1).

This is a little misleading. First and second quarter of 2004 show 
security products going down, then taking a turn and moving up for 
third/fourth quarter of 2004, and heading back down for 2005. I'm not a 
statistician, but this doesn't seem like a *trend* to me.

  Check Point and F-Secure saw a large increase in vulnerabilities in 2004 
  compared to the previous year, while vendors such as McAfee saw a 
  significant decrease.

A quick search (by vuln title) of OSVDB.org shows:

		2003	2004
Check Point 	1	6
F-Secure	1	10
McAfee		6	7

So two out of three on these statements, not bad! McAfee has had an 
increase it seems, just not so dramatic as F-Secure or Check Point.

: Through May, 2005, 23 software glitches have been counted -- already up 
: 50% over last year. And that figure doesn't include those yet to come 
: this summer, when the biggest attacks are usually launched. So far this 
: year, researchers have only found 22 vulnerabilities in Microsoft's 
: products.

iCat shows 2005 + "microsoft" having 54 entries and OSVDB.org shows 86 so 
far this year. Listing 22 vulnerabilities for Microsoft is what.. going by 
Microsoft Security Bulletins? MS05-034 being the latest, and 025-034 
possibly being released after the research was completed.. suggests that 
might be the case. Anyone familiar with MS advisories know they can 
contain multiple vulnerabilities, even by CVE designation. So is the use 
of "22 vulnerabilities in Microsoft's products" creatively switching to a 
different method for counting?

So far this research seems poorly done, so I hate to add fuel to the 
fire.. but if you search OSVDB.org for security products (and use a good 
list), you will find a lot more than mentioned in this report.

There are already 17 vulnerabilities listed in 2005 searching for 
"firewall", compared to the 23 mentioned by Yankee Group. Branch out into 
other security products and you are well over 23. 
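The counting problem the post keeps coming back to (CVE folding several bugs into one entry while a database like OSVDB splits them out, Microsoft bulletins that each carry several CVEs, and whether tools like tcpdump or ethereal count as "security products" at all) is easy to see with a toy dataset. The script below is an added example, not part of the original post and not drawn from the Yankee Group report, ICAT, CVE or OSVDB; every vendor, product, advisory and CVE identifier in it is a constructed placeholder. It produces the same "vulnerabilities per vendor per year" figure three ways and under two product lists, so you can watch the headline number move without any change in the underlying bugs.

```python
"""Added example (not from the post, Yankee Group, CVE or OSVDB): how the
counting method changes a "vulnerabilities per vendor per year" figure.

All records below are constructed. Each tuple is one bug as a database that
splits issues would record it; several bugs can share one vendor advisory and
one CVE id (the "CVE groups a few issues into one entry" case). The
identifiers are deliberate placeholders, not real advisory or CVE numbers.
"""
from collections import Counter
from datetime import date

# (vendor, product, disclosure date, advisory id, CVE id) -- all constructed
ENTRIES = [
    ("VendorA", "FirewallA",      date(2004, 3, 1), "ADV-A-1", "CVE-EXAMPLE-0001"),
    ("VendorA", "FirewallA",      date(2004, 3, 1), "ADV-A-1", "CVE-EXAMPLE-0001"),  # 2nd bug folded into the same CVE
    ("VendorA", "AntivirusA",     date(2004, 9, 1), "ADV-A-2", "CVE-EXAMPLE-0002"),
    ("VendorB", "IDS-B",          date(2004, 2, 1), "ADV-B-1", "CVE-EXAMPLE-0003"),
    ("VendorB", "IDS-B",          date(2004, 2, 1), "ADV-B-1", "CVE-EXAMPLE-0004"),  # one advisory, two CVEs
    ("VendorB", "IDS-B",          date(2005, 1, 1), "ADV-B-2", "CVE-EXAMPLE-0005"),
    ("OSSProj", "packet-sniffer", date(2004, 6, 1), "ADV-O-1", "CVE-EXAMPLE-0006"),
    ("OSSProj", "packet-sniffer", date(2004, 7, 1), "ADV-O-2", "CVE-EXAMPLE-0007"),
]

# Two defensible answers to "what is a security product?" (the tcpdump /
# ethereal question). Which list you pick changes the totals.
SECURITY_PRODUCTS_STRICT = frozenset({"FirewallA", "AntivirusA", "IDS-B"})
SECURITY_PRODUCTS_BROAD = SECURITY_PRODUCTS_STRICT | {"packet-sniffer"}


def count_by_vendor(entries, year, granularity="bug", product_set=None):
    """Return {vendor: count} for one calendar year.

    granularity: "bug"      -> every record counts (a splitting database)
                 "cve"      -> distinct CVE ids (CVE-style merging)
                 "advisory" -> distinct vendor advisories (bulletin counting)
    product_set: only count these products; None means count everything.
    """
    if granularity not in ("bug", "cve", "advisory"):
        raise ValueError("unknown granularity: %r" % granularity)
    per_record = Counter()
    distinct = {}
    for vendor, product, disclosed, advisory, cve in entries:
        if disclosed.year != year:
            continue
        if product_set is not None and product not in product_set:
            continue
        if granularity == "bug":
            per_record[vendor] += 1
        else:
            ident = cve if granularity == "cve" else advisory
            distinct.setdefault(vendor, set()).add(ident)
    if granularity == "bug":
        return dict(per_record)
    return {vendor: len(ids) for vendor, ids in distinct.items()}


def total_count(entries, year, granularity="bug", product_set=None):
    """Headline number of the kind the article quotes: one integer per year."""
    return sum(count_by_vendor(entries, year, granularity, product_set).values())


def quarterly_counts(entries, year, product_set=None):
    """Per-quarter record counts, the kind of series a 'trend' gets read from."""
    quarters = [0, 0, 0, 0]
    for _vendor, product, disclosed, _advisory, _cve in entries:
        if disclosed.year != year:
            continue
        if product_set is not None and product not in product_set:
            continue
        quarters[(disclosed.month - 1) // 3] += 1
    return quarters


if __name__ == "__main__":
    for gran in ("bug", "cve", "advisory"):
        for name, products in (("strict", SECURITY_PRODUCTS_STRICT),
                               ("broad", SECURITY_PRODUCTS_BROAD)):
            print("2004 %-8s %-6s total=%d  per vendor=%s" % (
                gran, name, total_count(ENTRIES, 2004, gran, products),
                count_by_vendor(ENTRIES, 2004, gran, products)))
    print("2004 by quarter (broad):",
          quarterly_counts(ENTRIES, 2004, SECURITY_PRODUCTS_BROAD))
```

With these eight constructed records the 2004 "security product" total is 5, 4 or 3 depending on whether you count bugs, CVEs or advisories, and 7, 6 or 5 once the sniffer is admitted to the product list; nothing about the bugs changed, only the bookkeeping. Any comparison across vendors, years or against Microsoft is only meaningful when the same granularity and the same product list are used on both sides.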

: Symantec (SYMC ) has had the most reported vulnerabilities, with 16 
: documented last year (see BW Online, 6/17/05, "A New Frontier for 
: Hackers?"). But so far this year, it has fared better: Through May, only 
: two vulnerabilities were reported.

Err, 43 Symantec issues in 2004... and 10 in 2005..

: BRAGGING RIGHTS.  Still, Symantec is a target because it's the market 
: leader. Hackers generally want to crack programs with the largest 
: installed base -- thus offering the maximum impact for their exploits. 
: That's one of the rationales Microsoft has used to explain why its 
: products seem to have so many reported security glitches. But Jaquith 
: points out that McAfee, the second-largest security player, decreased 
: its vulnerabilities over the last year. "This is a leading indicator of 
: the relative quality of the two products," he argues.

2005, two McAfee reported vulns.. 2004, seven reported. That still leaves 
almost six months for the numbers to be the same. Hard to predict a trend 
off such limited data, especially when Yankee Group says:

  And that figure doesn't include those yet to come this summer, when the 
  biggest attacks are usually launched.

: ISS has only had three vulnerabilities in its history, but Noonan calls 
: it a wake-up call nonetheless. 

Huh?! Read the damn Yankee Group report! "One firm -ISS- accounted for 
four of these." Failing that, search a vulnerability database for ISS 
products and that "three" figure goes out the window.

ISS RealSecure / BlackICE Rule Name Field Local [..]	Apr  8, 2005	
BlackICE/PC Protection Unprivileged User Local DoS	Aug 14, 2004	
TCP Reset Spoofing					Apr 20, 2004	
ISS RealSecure Network Sensor Malformed DHCP Packet DoS	Apr  8, 2004	
BlackICE Insecure Default Configuration Weakness	Mar 31, 2004
BlackICE NIC Protection Failure				Mar 31, 2004
ISS PAM Component ICQ Protocol Parsing Overflow		Mar 18, 2004	
ISS Multiple Products SMB Packet Handling Overflow	Feb 27, 2004	
RealSecure/BlackICE PAM Module SMB Packet Overflow	Feb 24, 2004
BlackICE PC Protection blackd.exe Local Overflow	Jan 28, 2004	
BlackICE PC Protection Upgrade File Permission Weakness	Jan 28, 2004
ISS RealSecure Server Sensor HTTPS Request DoS		Sep  8, 2003	
ISS RealSecure Server Sensor ISAPI Plug-in DoS		Sep  8, 2003	
BlackICE Defender XSS Detection Evasion			Jun 17, 2003
ISS Security Scanner HTTP Remote Overflow		Sep 18, 2002	
ISS ICEcap Default Password				Sep 12, 2002	
BlackICE tcp.maxconnections Memory Consumption DoS	Jun 19, 2002
BlackICE Agent System Standby Failure			Jun  6, 2002	
BlackICE / RealSecure Large ICMP Ping Packet Overflow	Feb  4, 2002
ISS RealSecure Network Sensor Non-Standard [..]		Sep  5, 2001	
ISS RealSecure Server Sensor Non-Standard [..]		Sep  5, 2001	
ISS RealSecure Fragmented SYN Packet DoS		Aug 22, 2000	
BlackICE UDP Port Block Delay				Jun 20, 2000  *
ISS Security Scanner Installer Temporary File Symlink	Feb 20, 1999	
ISS Security Scanner Fingerd Scan Overflow		Dec  3, 1998	
ISS Security Scanner Command Line Overflow		Jan  1, 1998	

* Note: ISS purchased BlackIce around May 2001, so this one wouldn't 
  really be held against them =)

: DANGEROUS DAWNING.  That should have been a wake-up call to other 
: companies as well. Jaquith advises vendors to ratchet up their internal 
: testing. Both Symantec and McAfee recently acquired consulting firms 
: that are experts in launching test attacks before the software is 
: released. "They both have the tools in-house, it's a question of putting 
: them to use," he says.

Now *this* will prove to be interesting statistics down the road. Will 
the disclosed vulnerabilities in Symantec products go up/down after the 
purchase of @stake...
