[VIM] IBM ISS 2006 Threat Review
Steven M. Christey
coley at linus.mitre.org
Tue Feb 27 03:17:04 EST 2007
Ooooh, an opportunity to procrastinate and pontificate! I'll byte.
On Mon, 26 Feb 2007, security curmudgeon wrote:
> Interesting/relevant info from the IBM/ISS 2006 Trend Statistics. Discuss,
> debate or ponder as you please.
DISCLAIMER: PONDERING ONLY. I'm using rough stats only.
> * There were a total of 7,247 vulnerabilities in 2006, which represents a
> 39.5 percent increase over 2005.
I just realized another bias: we get better every year at tracking vulns -
there are more sources, and we get faster at cataloging obvious stuff.
CVE has been pretty open about this change, but I bet it happens to all
VDBs. Thus growth is (perhaps) slightly less than our stats would show,
assuming we're not getting worse at tracking things.
> * June was the busiest month of the year with 696 vulnerabilities.
In CVE too, at 688 so far. Feb was slowest at 492, but normalizing by
number of days in each month, July was slowest (505, making for 16.3 per
> * The most popular day for vulnerability disclosures was Tuesday.
Confirmed in CVE data, mentioned previously, by a few hundred - 21%,
compared with 14% if there was an even distribution.
Week before Thanksgiving was number 3 - but only 2 less than the week
starting Oct 15, the lead - and these minor discrepancies are
insignificant. Plus we're slightly less complete in Nov/Dec than earlier
months. Top 10 weeks ranged from 159 to 182 CVEs. Week starting Jan 22
was slowest at 73. I remember a few years ago when that would be an
> * Weekend disclosure of vulnerabilities in 2006 more than doubled that of
> 2005 to reach 17.6 percent of all disclosures.
17 percent for CVEs too; around 10% in 2005. Interesting!
> * High impact vulnerabilities continue to decrease as a percentage of
> total vulnerabilities in 2006.
Don't measure this.
> * 3 percent of vulnerabilities under the Common Vulnerability Scoring
> System (CVSS) were evaluated as being critical impact vulnerabilities with
> a score of 10.
Could look at NVD and figure this out but that's not part of my
> * The top 10 vulnerable software vendors accounted for 14 percent of all
> 2006 vulnerabilities.
Well, they're mostly OS++ vendors right? They have a bigger vulnerability
surface than anyone, bigger than a bulletin board written in PHP with
register_globals, allow_fopen_url, and magic_quotes_gpc at their weakest
> * 17 percent of the vulnerabilities identified within the top 10
> vulnerable vendors products were un-patched at the end of 2006. This
> contrasts with 65 percent un-patched for all other vulnerabilities
> recorded in the year.
CVE has held steady for years at ~45-50% vendor acknowledgement, which
usually correlates to patches but not always; and we have more stringent
rules for ack than others. Estimate 40% for 2006. Can't really compare
ISS' stat with ours though.
> * 88.4 percent of all 2006 vulnerabilities could be exploited remotely.
At least 80% for CVE, maybe more; this field isn't always filled out, and
we have "unknown" and "other" categories.
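The reply above reasons about weekday shares against a uniform 1/7 baseline, weekend share, and per-month counts normalized by the month's length. The following script is an added example that is not part of the original post or of any VDB's tooling; it runs those three calculations over a small constructed list of disclosure dates (not real CVE data), which in practice would be replaced by publication dates exported from a VDB.

```python
from collections import Counter
from datetime import date
import calendar

# Constructed sample of 2006 disclosure dates (not real CVE data).
SAMPLE_DATES = [
    date(2006, 1, 23), date(2006, 1, 24), date(2006, 2, 7), date(2006, 2, 14),
    date(2006, 2, 18), date(2006, 6, 6), date(2006, 6, 13), date(2006, 6, 20),
    date(2006, 6, 27), date(2006, 6, 24), date(2006, 7, 4), date(2006, 7, 11),
    date(2006, 10, 17), date(2006, 10, 18), date(2006, 11, 14), date(2006, 12, 9),
]

UNIFORM_WEEKDAY_SHARE = 1 / 7  # ~14%: what each day gets if disclosures were evenly spread

def weekday_shares(dates):
    """Fraction of disclosures per weekday, keyed by name (Monday..Sunday)."""
    counts = Counter(d.weekday() for d in dates)
    n = len(dates)
    return {calendar.day_name[i]: counts[i] / n for i in range(7)}

def weekday_lift(dates):
    """How far each weekday's share is above or below the uniform 1/7 baseline
    (1.0 means exactly the uniform expectation)."""
    return {day: share / UNIFORM_WEEKDAY_SHARE for day, share in weekday_shares(dates).items()}

def weekend_share(dates):
    """Fraction of disclosures that fell on a Saturday or Sunday."""
    return sum(1 for d in dates if d.weekday() >= 5) / len(dates)

def per_day_rate_by_month(dates, year):
    """Raw count per month plus the count divided by that month's number of days,
    so a 28-day February and a 31-day July are compared on equal footing."""
    counts = Counter(d.month for d in dates if d.year == year)
    return {m: (counts[m], counts[m] / calendar.monthrange(year, m)[1])
            for m in range(1, 13)}

if __name__ == "__main__":
    for day, lift in weekday_lift(SAMPLE_DATES).items():
        print(f"{day:9s} {lift:.2f}x uniform")
    print(f"weekend share: {weekend_share(SAMPLE_DATES):.1%}")
    for m, (raw, per_day) in per_day_rate_by_month(SAMPLE_DATES, 2006).items():
        print(f"{calendar.month_abbr[m]}: {raw} raw, {per_day:.3f} per day")
```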