HP says commercial software vulnerabilities down almost 20% across industry.
HP's "2011 Top Cyber Security Risks Report", published yesterday, tallies the numbers: there were 6,843 disclosed vulnerabilities last year, down 19.5% from the year before, when 8,502 vulnerabilities in Internet-based systems, applications and other computing tools were identified. HP says its information is culled from the Open Source Vulnerability Database (OSVDB), HP DVLabs' Zero Day Initiative, and the HP Web Security Research Group.
Jennifer Lake, HP security product marketing manager, says that even though commercial vulnerabilities are decreasing, the number of vulnerabilities representing high security risks, such as remote code execution, is going up. She also points out that HP's aggregated numbers relate strictly to commercially available software and don't reflect vulnerabilities that may be discovered in custom-code deployments.
According to HP's estimate, the number of software vulnerabilities reported annually appears to have peaked in 2006 at about 11,000 and has been dropping since. Security assessment of code seems to be improving, but there may also be another factor behind the sharp decline. There may be considerable "private sharing of vulnerabilities" between security researchers and software vendors that is never made public, Lake says.
HP's Zero-Day Initiative (ZDI) program cooperates with external security researchers, who can be paid for exclusive information about unpatched vulnerabilities. HP's report says the "Top Ten" vulnerabilities disclosed through ZDI last year pertained to Adobe Shockwave, Apple QuickTime, HP Data Protector, Oracle Java, RealNetworks RealPlayer, Adobe Reader, Microsoft Internet Explorer, Novell iPrint and HP OpenView. If the numbers for 2005-2011 are tallied, the number one spot goes to Apple QuickTime.
The HP report also addresses attack techniques and exploit kits that take advantage of these vulnerabilities, saying last year was the first time Chinese exploit kits started turning up.
Kits called Sakura Pack, Yang Pack and Siberia are said to be competing with older exploit kits such as Phoenix, Eleonore and Blackhole. "They're essentially the same thing, but these Chinese ones are using vulnerabilities from 2011," says Jason Jones, advanced security intelligence engineer at DVLabs, adding that the older exploit kits don't always keep up with the latest vulnerabilities.
Ellen Messmer is senior editor at Network World, an IDG publication and website, where she covers news and technology trends related to information security.
Publication: Computer News Middle East
Date: Apr 19, 2012