2006: the year of the security flaw

5,450 vulnerabilities were discovered within 9 months, a figure more than enough to make 2006 the record year for the number of security flaws.

On October 9, ISS (Internet Security Systems) released its report on security flaws for the first 9 months of this year. With 5,450 vulnerabilities recorded so far, ISS experts expect a total of 7,500 security errors by the end of the year, up 41% from 2005 (5,195 vulnerabilities).

Many security companies, including iDefense, eEye Digital Security and Symantec, have also warned about the skyrocketing number of security bugs.

The developer of Norton Antivirus has just released its Internet Security Threat Report for the first 6 months of 2006. According to that report, 2,249 vulnerabilities were discovered, up 18% over the same period of 2005.

Microsoft has released 55 patches in the first nine months of this year, while the world's No. 1 software company released only 45 patches in the whole of last year.

ZERT, a group of volunteer security experts, has also got involved, releasing two patches for Windows users before Microsoft could "hand out" its own.

Gunter Ollmann, of ISS's X-Force research and development team, called it a "huge jump" in the number of security holes.

The cause of this situation, according to experts, is mainly that the amount of software is growing rapidly and source code is more complex than before. As a result, the number of errors also increases.

Another reason is the skill level of programmers and 'bug hunters'. These experts are getting better and better, so they discover errors faster and in greater numbers. Increasingly advanced automatic error detection tools (called 'fuzzers', a piece of industry slang) also make an important contribution to 'sniffing out' vulnerabilities.

However, the proportion of dangerous errors (those with 'critical' ratings) tends to decrease: 28% of 2005's vulnerabilities were rated critical, while the figure for the first 9 months of this year was 17%. Security experts say the ratio will not change before 2007.

Of course, this does not mean that computer users can rest assured. The 'stunning' statistics on security flaws and the number of hacker attacks are enough to make even the 'bravest' user more or less worried.

Even the results of the Get Safe Online survey by the British government have shown that many Britons are afraid of cybercrime to the point of not connecting to the internet at all.

'Black hats' have made important tactical changes, focusing especially on exploiting flaws in applications running on users' computers. The zero-day flaw (which lets hackers gain control of remote 'victim' machines) has become the hacker's trump card in recent months.

That is not to mention that the experts only confirmed the falling proportion of 'critical' errors; no one dared to guarantee that the danger level of those errors had not increased.

Hackers are not only taking advantage of 'advanced' errors. 'Medium' flaws are also a favourite weapon of the bandits of the digital world. Attacks on personal computers rely heavily on websites carrying malicious code, often disguised as humorous (or pornographic) content. 'The recent Vietnamese virus epidemic' and the recent 'horrible September' are good examples of this attack method.

For companies, hackers impersonate customers and attack with files carrying malicious code attached. This code often targets vulnerabilities in applications such as MS Word (text editor) or Internet Explorer (browser) and, at a higher level, vulnerabilities in the operating system itself.

The current situation is worrying, but the future is somewhat murkier still. Microsoft is still very confident about the security of Windows Vista, but the events of the Black Hat conference last August made security people very skeptical about the safety of the new operating system. At that time, Microsoft gave a presentation on Vista's security features, but right in the next room, people were demonstrating ways to hack it.

ISS also ended its statistics with Ollmann's assertion that the first half of 2007 will witness another 'leap' in security flaws, especially 'fatal' errors, and of course Vista will be the source of those holes.

HOANG MINH