Huge Vulnerabilities Escape Public Disclosure

According to a warning by IBM's Internet Security Systems Division, the number of security vulnerabilities declared publicly is drastically different from the number of vulnerabilities actually found but not publicly declared. Zdnet published this in news on June 1, 2007.

The number of flaws reported up till now in 2007 has jumped 5 percent against the 40:60 ratio in 2006, researchers say.

Gunter Ollmann, director of security strategy at IBM's security subsidiary ISS, commented that while in 2006 the number of publicly disclosed flaws were 7,247 and in 2007 so far more than 2,500 have been detected, many more may go unnoticed. There could be as many as 139,362 new security flaws discovered in code per annum.

Ollmann said that about 125,000 flaws per annum fail to come in light due to their discovery by penetration testers who work on a contract basis with the organizations. These organizations eventually declare ownership of the flaws while getting busy in repairing them. Ollmann, on the basis of his experience said that flaws found under contracts were the catchall for undeclared vulnerabilities in terms of volume. Itpro published this as news on May 31, 2007.

If a consultant considered a typically less secure non-financial web application then he could detect more than 40 new vulnerabilities in one day, Ollmann said. This would happen as many web pages with submission forms tend to suffer the same kinds of programming vulnerabilities. Itpro published the view of Ollmann on May 31, 2007.

Ollmann said in certain large engagements that he worked on, a group of four people was able to discover 600 vulnerabilities in just one commercial program. Here it may be mentioned that these teams worked for five days. According to researchers there has been a 5% leap in 2007 bugs so far vs. the 40:60 percent increase in 2006.

Ollmann further added that organizations might have bought zero-day vulnerabilities from security researchers. They then released them to their customers under non-disclosure agreements. Hackers and other organizations also treacherously use zero-day flaws to develop malicious software, said Ollmann. Zdnet published this as news on June 1, 2007.

Related article: Hack.Huigezi Virus Attacks China PCs Rapidly

» SPAMfighter News - 6/16/2007