2006: The 'horrific' year of security

Although the year is not yet over, 2006 is already going down in history as a record year for security holes. The only consolation: only a small share of them are really dangerous.

Last year, experts from Internet Security Systems (ISS) identified 5195 software vulnerabilities. Yet as of last Tuesday, the number discovered this year had already climbed to 5450. At this pace, the total number of software vulnerabilities for 2006 is expected to pass the 7500 mark.

"It has only been three quarters of a year, but the number of holes has skyrocketed," said Gunter Ollmann, director of X-Force. This rapid increase is partly because software vendors and vulnerability researchers are becoming more proficient at finding defects. In addition, software is becoming more complex, which means more code in which mistakes can be made.

Many holes, but few serious ones

(Image: source Forbes)

Security firm ISS predicts that the number of confirmed security vulnerabilities in 2006 will be up 41% on last year; 2005 had itself been up 37% on 2004.

However, not all the news is bad: although the total has leapt, the share of vulnerabilities rated serious to extremely serious has fallen.

Last year, these critical vulnerabilities accounted for 28.4% of the total. By the end of last Tuesday, they accounted for only 17%. Experts predict this ratio will hold for the rest of the year.

"This is probably the most positive news. In the past few years, the number of serious vulnerabilities has risen along with the number of holes discovered," Ollmann said.

Like ISS, security vendors such as iDefense and eEye Digital Security have both identified 2006 as a "pivotal" year for security vulnerabilities. Another example of this trend is the number of Microsoft security bulletins: the software giant issued 55 separate bulletins in the first nine months of 2006, compared with 45 for the whole of 2005.

Symantec's Internet Security Threat Report likewise recorded 2249 new vulnerabilities in the first half of 2006, up 18% from the second half of 2005. This is a record number, Symantec said. 8% of these were easy for hackers to exploit.

Of course, with more holes the odds that an unlucky user will be attacked rise, and protecting personal information becomes more of a headache.

Only a temporary lull

A serious vulnerability is one that lets a worm spread on its own, or lets a hacker take control of a remote computer without any user interaction. Compared with last year, the number of such vulnerabilities has fallen by nearly 200, partly because software is getting better.

"Software is now more secure," said Ollmann. In addition, many vulnerability researchers have begun using automated tools called "fuzzers", which can drag hidden holes into the light.

For example, a fuzzer can be used to check how an application handles a specific file format (such as JPEG or GIF) by feeding it malformed variants of a valid file. If the application (say, a Web browser) fails to handle the malformed input cleanly, for instance by crashing, that is a sign it harbors a vulnerability a hacker could exploit.
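As an added example (not from the article, ISS or any real fuzzer), here is a minimal mutation-based fuzzer of the kind described above, in Python. It takes a constructed seed input (a minimal GIF89a header with a two-entry colour table), produces variants with bit flips, byte overwrites, truncation and insertion, feeds each to a hypothetical GIF header parser standing in for the application, and records the inputs that cause an unhandled error, deduplicated by exception type and source line. The parser is deliberately written to trust the colour-table size field in the header, a typical class of file-format bug; it is not a real browser or image decoder.

```python
import random
import struct
import traceback
from collections import Counter

# Constructed seed input (not from the article): a minimal GIF89a file with a
# 4x4 logical screen, a 2-entry global colour table (GCT) and the trailer byte.
SEED_GIF = (
    b"GIF89a"                            # signature and version
    + struct.pack("<HH", 4, 4)           # logical screen width and height
    + bytes([0x80, 0x00, 0x00])          # packed (GCT flag set, size bits 0 -> 2 entries), bg index, aspect
    + b"\xff\x00\x00" + b"\x00\xff\x00"  # two RGB palette entries
    + b"\x3b"                            # trailer
)


def parse_gif_header(data: bytes) -> dict:
    """Hypothetical parser standing in for the application under test.

    It rejects what it expects to be wrong (short data, bad signature) with a
    ValueError, but trusts the GCT size bits in the packed field and indexes
    the colour table without checking that those bytes are actually present.
    In Python that surfaces as an IndexError; the same mistake in C would be
    an out-of-bounds read.
    """
    if len(data) < 13:
        raise ValueError("too short for a GIF header")
    if data[:6] not in (b"GIF87a", b"GIF89a"):
        raise ValueError("bad signature")
    width, height = struct.unpack_from("<HH", data, 6)
    packed = data[10]
    has_gct = bool(packed & 0x80)
    gct_entries = 2 << (packed & 0x07)  # 2 ** (N + 1) entries
    palette = []
    if has_gct:
        table = data[13:13 + 3 * gct_entries]
        for i in range(gct_entries):
            # BUG (deliberate): no check that table really holds 3 * gct_entries bytes
            palette.append((table[3 * i], table[3 * i + 1], table[3 * i + 2]))
    return {"width": width, "height": height, "palette": palette}


def mutate(data: bytes, rng: random.Random) -> bytes:
    """Apply one to four random mutations to a copy of the seed."""
    buf = bytearray(data)
    for _ in range(rng.randint(1, 4)):
        op = rng.choice(("flip", "byte", "truncate", "insert"))
        if op == "flip" and buf:
            buf[rng.randrange(len(buf))] ^= 1 << rng.randrange(8)
        elif op == "byte" and buf:
            buf[rng.randrange(len(buf))] = rng.randrange(256)
        elif op == "truncate" and len(buf) > 1:
            del buf[rng.randrange(1, len(buf)):]
        elif op == "insert":
            pos = rng.randrange(len(buf) + 1)
            buf[pos:pos] = bytes(rng.randrange(256) for _ in range(rng.randint(1, 8)))
    return bytes(buf)


def fuzz(target, seed: bytes, iterations: int, rng_seed: int = 0):
    """Run the target on mutated inputs.

    Returns (crashes, handled): crashes maps (exception name, line number) to
    the first input that triggered that unhandled exception; handled counts the
    inputs the parser rejected cleanly with ValueError, which is what we want.
    """
    rng = random.Random(rng_seed)
    crashes = {}
    handled = Counter()
    for _ in range(iterations):
        case = mutate(seed, rng)
        try:
            target(case)
        except ValueError as exc:
            handled[str(exc)] += 1
        except Exception as exc:  # anything else is a bug in the parser
            frame = traceback.extract_tb(exc.__traceback__)[-1]
            crashes.setdefault((type(exc).__name__, frame.lineno), case)
    return crashes, handled


if __name__ == "__main__":
    crashes, handled = fuzz(parse_gif_header, SEED_GIF, iterations=2000, rng_seed=1)
    for (name, line), case in crashes.items():
        print(f"{name} at line {line}: {case.hex()}")
    print("cleanly rejected:", dict(handled))
```

Each crashing input is kept, so a finding can be replayed against the parser on its own; real fuzzers add coverage feedback and run the target in a separate process so a genuine memory-safety crash does not take the harness down with it.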

Another notable fact is that the number of critical flaws in operating systems has dropped significantly, while the number in other kinds of software, such as browsers and Office, has risen.

However, Ollmann thinks this is only a temporary trend. Once a major new piece of software such as Vista ships, the number of critical flaws will skyrocket. "I think that in the first quarter of 2007, the percentage of serious vulnerabilities will look very different from now."

However, serious vulnerabilities are not the only thing to worry about, said Ken Dunham, director of iDefense's rapid response team. "This year, the number of zero-day attacks (hackers exploiting vulnerabilities that the software vendor does not yet know about, or has not yet patched) has been unprecedented. Medium-severity vulnerabilities have also been used in many attacks."

Medium-severity vulnerabilities are typically used in two main types of attack. In the first, the hacker sets up a malicious website, lures users into visiting it, and stealthily installs spyware or keylogging software on the victim's computer. In the second, the hacker targets small businesses directly, usually by emailing a malicious Office document as an attachment.

Trong Cam