Fewer vulnerabilities discovered in 2007 says report
For the first time in seven years, the number of reported software vulnerabilities dropped in 2007, according to the latest IBM ISS X-Force annual report. However, there is disagreement even within X-Force about why the number has dropped. The Sidney Morning Herald quotes Chris Rouland, CTO of ISS, stating that the number was lower in 2007 because there is a black market for vulnerabilities, where security specialists can sell their discoveries to criminal gangs. He says there is no public information about this market, where information can be worth as much as $100,000.
But Gunter Ollmann, Director of Security Strategy at ISS, sees things differently at the X-Force blog. He writes that software vendors are providing better quality assurance, which reduces the number of vulnerabilities in newly released products. He estimates that vendors often have hundreds of independent security specialists look for vulnerabilities so they can be remedied before the software is released. Often, information about such holes is never published, he suggests.
Ollmann says that demand for quality information about vulnerabilities is growing. Whereas it used to be enough merely to report that certain data would cause an application to crash and possibly allow code to be injected and executed, he says that this scant information no longer suffices because fuzzing and other automated tools find weak spots all the time. Nowadays, security specialists expect more detailed descriptions, if not a proof-of-concept exploit, so they can classify a flaw as a vulnerability. According to Ollmann, some hackers are simply too lazy to do all that work. In such cases, no information gets published at all.
While the total number of vulnerabilities fell by 5.4 per cent to 6437, the number of critical vulnerabilities actually rose by 28 per cent above the 2006 level. According to X-Force, most of the information about vulnerabilities was published on Tuesdays in 2007. The report does not, however, say whether Microsoft's Patch Tuesday is a significant contributor to this. Only around 14 per cent of all of vulnerabilities were found in software from major vendors: Microsoft, Apple, Oracle, IBM and Cisco.
IBM has published the entire report as a download from its servers (PDF file): X-Force 2007 Trend Statistics