
HP says commercial software vulnerabilities down almost 20% across industry.

A study done by HP shows that reported vulnerabilities in commercial software applications dropped dramatically last year compared with 2010 -- but that there's little reason to feel complacent, since the risk factors for exploitation of these vulnerabilities are significant.

HP's "2011 Top Cyber Security Risks Report," published yesterday, tallies the numbers, saying there were 6,843 disclosed vulnerabilities last year, down 19.5% from the year before, when 8,502 vulnerabilities in Internet-based systems, applications and other computing tools were identified. HP says its information is culled from the Open Source Vulnerability Database (OSVDB), the HP DVLabs' Zero Day Initiative, and the HP Web Security Research Group.

Jennifer Lake, HP security product marketing manager, says that even though commercial vulnerabilities are decreasing, the number of vulnerabilities representing high-security risks, such as remote-code execution, is going up. She also points out that HP's aggregated numbers are strictly related to commercially available software and don't reflect vulnerabilities that may be discovered in custom-code deployments.

According to HP's estimate, the number of software vulnerabilities reported annually appears to have peaked in 2006 at about 11,000 and has been dropping since. Security assessment of code seems to be improving, but there may also be another factor behind the sharp decline. There may be considerable "private sharing of vulnerabilities" among security researchers and software vendors that is never made public, she says.

HP's Zero-Day Initiative program cooperates with external security researchers, who can be paid for exclusive information about unpatched vulnerabilities. HP's report says the "Top Ten" vulnerabilities disclosed through ZDI last year pertained to Adobe Shockwave, Apple QuickTime, HP Data Protector, Oracle Java, RealNetworks RealPlayer, Adobe Reader, Microsoft Internet Explorer, Novell iPrint and HP OpenView. If the numbers for 2005-2011 are tallied, the number one spot goes to Apple QuickTime.

The HP report also addresses the topic of attack techniques and exploit kits that take advantage of vulnerabilities, saying last year saw the first time Chinese exploit kits started turning up.

Kits called Sakura Pack, Yang Pack and Siberia are said to be competing with older exploit kits such as Phoenix, Eleonore and Blackhole. "They're essentially the same thing, but these Chinese ones are using vulnerabilities from 2011," says Jason Jones, advanced security intelligence engineer at DVLabs, adding that the older exploit kits don't always keep up with the latest vulnerabilities.

Ellen Messmer is senior editor at Network World, an IDG publication and website, where she covers news and technology trends related to information security.

COPYRIGHT 2012 Al Bawaba (Middle East) Ltd.
Copyright 2012 Gale, Cengage Learning. All rights reserved.

Publication: Computer News Middle East
Date: Apr 19, 2012