A study done by HP shows that reported vulnerabilities in commercial software applications dropped dramatically last year compared with 2010 – but that there’s little reason to feel complacent since the risk factors for exploitation of these vulnerabilities is significant.
HP’s “2011 Top Cyber Security Risks Report” published yesterday tallies the numbers, saying there were 6,843 disclosed vulnerabilities last year, down 19.5% from the year before, when 8,502 vulnerabilities in Internet-based systems, applications and other computing tools were identified. HP says its information is culled from the Open Source Vulnerability Database (OSVDB), the HP DVLabs’ Zero Day Initiative, and the HP Web Security Research Group.
Jennifer Lake, HP security product marketing manager, says that even though commercial vulnerabilities are decreasing the number of vulnerabilities representing high-security risks such as remote-code execution are going up. She also points out that HP’s aggregated numbers are strictly related to commercially available software and don’t reflect vulnerabilities that may be discovered in custom-code deployments.
According to HP’s estimate, the number of software vulnerabilities reported annually appears to have peaked in 2006 at about 11,000 and has been dropping since. Security assessment of code seems to be improving, but there also may be another factor for the sharp decline. There may be considerable “private sharing of vulnerabilities” that occurs among security researchers and software vendors firms and that isn’t ever made public, she says.
HP’s Zero-Day Initiative program cooperates with external security researchers who can be paid for exclusive information about unpatched vulnerabilities. HP’s report says the “Top Ten” vulnerabilities disclosed through ZDI last year pertained to Adobe Shockwave, Apple QuickTime, HP Data Protector, Oracle Java, RealNetworks RealPlayer, Adobe Reader, Microsoft Internet Explorer, Novell iPrint and HP OpenView. If the numbers for 2005-2011 are tallied, the number one spot goes to Apple QuickTime.
The HP report also addresses the topic of attack techniques and exploit kits that take advantage of vulnerabilities, saying last year saw the first time Chinese exploit kits started turning up.
Ones called Sakura Pack, Yang Pack and Siberia are said to be competing with older exploit kits such as Phoenix, Eleonore and Blackhole. “They’re essentially the same thing, but these Chinese ones are using vulnerabilities from 2011,” says Jason Jones, advanced security intelligence engineer at DVLabs, adding the older exploit kits don’t always keep up with the latest vulnerabilities.
Ellen Messmer is senior editor at Network World, an IDG publication and website, where she covers news and technology trends related to information security.