Trend of security vulnerabilities outstanding in 2006

According to statistics that SecurityFocus collected from four major security databases, the number of vulnerabilities found in Web applications in 2006 rose by more than a third compared to the previous year.

On Monday, the Computer Emergency Response Team Coordination Center (CERT/CC) published its final statistics on the number of vulnerabilities identified in 2006. Based on public sources and on private data sent directly to the CERT Coordination Center, the group counted 8,064 security holes discovered last year, an increase of 35% compared to 2005.

The three other major security databases, the National Vulnerability Database, the Open Source Vulnerability Database and the Symantec Vulnerability Database, recorded increases of 20 to 35% in 2006 compared to 2005.

The biggest factor driving the growing number of vulnerabilities is that flaws in commercial and community Web applications are becoming easier to find, said Art Manion of the CERT Coordination Center.

"The best we can think of is that most of the significant increase in security vulnerabilities is due to the 'easy to discover' capability. They are easy to find, easy to create and easy to deploy."

"Many people are doing 'grep and gripe' research. They run quick searches for certain patterns. If they come across the right one, they publish it publicly. Sometimes the outcome of this process is false reports."
(Steven Christey, editor of the Common Vulnerabilities and Exposures project, i.e. the CVE project, which identifies and catalogues common vulnerabilities.)

The increase in the number of vulnerabilities in 2006 did not surprise many security researchers. The figure jumped sharply compared to 2005, and according to the statistics from the four database sources, the rise is mainly due to easy-to-find flaws in Web applications. According to Symantec, which owns SecurityFocus, more than a quarter of the software vulnerabilities in the first half of 2006 affected online applications. An October report by the Common Vulnerabilities and Exposures (CVE) project found that the top three vulnerability types were all Web-application flaws and accounted for 45% of the vulnerabilities discovered in the first nine months of the year.

Simple searches through source code, or through Google Code Search, can turn up a large number of potential security issues, allowing even novice bug hunters to uncover security holes. Those who maintain the databases are flooded with vulnerability reports from would-be security researchers who use simple pattern matching to find potential problems in open-source applications, said Steven Christey, editor of the CVE project at MITRE Corp., a non-profit organization that works with the government.

"Many people are doing 'grep and gripe' research," a reference to grep, the flexible text-search program that is a standard part of Unix-like systems. "They run a quick search for a certain pattern. If they come across a match, they publish it publicly. But sometimes the outcome of this process is false."
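The "grep and gripe" workflow Christey describes, and the false reports it produces, can be made concrete with a small triage script. This is an added illustration, not code from the article or from MITRE: the PHP snippets are constructed samples, and the source, sink and sanitizer pattern lists are hypothetical and deliberately short. The first step is the raw grep for dangerous sink calls; the second is the cheap backward data-flow check a careful reviewer does before reporting, which is exactly what separates a real include flaw from a whitelisted one that a naive grep flags anyway.

```python
import re

# Constructed PHP snippets (illustration only, not real software). Line
# numbers are 1-based as a grep would print them.
SAMPLE_FILES = {
    # Request parameter flows straight into include(): a real finding.
    "gallery.php": "<?php\n$page = $_GET['page'];\ninclude($page . '.php');\n",
    # Same shape, but the value is checked against a whitelist first:
    # a naive grep reports it anyway, one of Christey's false reports.
    "admin.php": (
        "<?php\n"
        "$allowed = array('home', 'stats');\n"
        "$page = in_array($_GET['page'], $allowed, true) ? $_GET['page'] : 'home';\n"
        "include($page . '.php');\n"
    ),
    # No request data involved at all.
    "profile.php": "<?php\n$theme = 'default';\ninclude('themes/' . $theme . '.php');\n",
    # Request data used directly inside the sink call.
    "index.php": "<?php\nrequire($_REQUEST['module'] . '/init.php');\n",
}

# Hypothetical pattern lists for the demonstration; a real review uses a far
# more complete set and a proper taint-tracking tool.
REQUEST_SOURCE = re.compile(r"\$_(GET|POST|REQUEST|COOKIE)\b")
SINK_CALL = re.compile(
    r"\b(include_once|require_once|include|require|eval|system|exec|passthru|mysql_query)\s*\(")
SANITIZER_CALL = re.compile(
    r"\b(in_array|intval|preg_match|basename|htmlspecialchars|mysql_real_escape_string|escapeshellarg)\s*\(")
PHP_VAR = re.compile(r"\$[A-Za-z_]\w*")


def naive_grep(files):
    """Step one of 'grep and gripe': every line that calls a dangerous sink."""
    hits = []
    for name, src in files.items():
        for lineno, line in enumerate(src.splitlines(), 1):
            if SINK_CALL.search(line):
                hits.append((name, lineno, line.strip()))
    return hits


def classify(files, hit):
    """Cheap backward data-flow check before reporting a grep hit.

    Returns 'unvalidated' (request data reaches the sink unchecked),
    'sanitized' (request data reaches it through a sanitizer call) or
    'no-user-input' (the sink's arguments never come from a request).
    """
    name, lineno, line = hit
    lines = files[name].splitlines()
    if REQUEST_SOURCE.search(line):
        return "unvalidated"
    verdict = "no-user-input"
    for var in PHP_VAR.findall(line):
        if var.startswith("$_"):  # superglobals are not local variables
            continue
        assign = re.compile(r"^\s*" + re.escape(var) + r"\s*=(?!=)(.*)$")
        # Walk upwards to the nearest assignment of this variable.
        for prev in reversed(lines[:lineno - 1]):
            m = assign.match(prev)
            if not m:
                continue
            rhs = m.group(1)
            if REQUEST_SOURCE.search(rhs):
                if not SANITIZER_CALL.search(rhs):
                    return "unvalidated"
                verdict = "sanitized"
            break
    return verdict


def triage_report(files):
    """Map each raw grep hit to a verdict so only real findings get reported."""
    return {(name, lineno): classify(files, (name, lineno, line))
            for name, lineno, line in naive_grep(files)}


if __name__ == "__main__":
    for (name, lineno), verdict in sorted(triage_report(SAMPLE_FILES).items()):
        print(f"{name}:{lineno}: {verdict}")
```

Run as-is, the script reports four grep hits but only two verdicts of "unvalidated"; the whitelisted include in admin.php and the constant include in profile.php are the kind of hits that end up as false reports when the second step is skipped.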

While novices focus on Web applications, more experienced researchers are turning to other areas: operating systems and popular applications. Tools known as "fuzzers", which feed software malformed input to see whether it mishandles it, are an increasingly popular way to test software. Fuzzers are very effective, and many researchers use them frequently as a bug-finding strategy, although they remain controversial.
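To show what the fuzzing technique in the paragraph above actually does, here is an added example that is not part of the article: a deterministic mutation fuzzer run against a constructed record parser that carries one deliberate bug (it trusts a length byte without a bounds check). The record format, the parser, the three mutation strategies and the fixed random seed are all assumptions made for this illustration. The point a practitioner wants to see is the distinction the harness draws between the parser rejecting bad input as designed (ValueError) and an unexpected exception, which is the "problem with input data" a fuzzer is looking for, plus the minimization step that turns a random crashing input into a small reproducer for the bug report.

```python
import random


def xor_all(buf):
    """One-byte XOR checksum over a payload."""
    acc = 0
    for b in buf:
        acc ^= b
    return acc


def encode_record(payload):
    """Well-formed record: 1-byte length, payload, 1-byte XOR checksum."""
    return bytes([len(payload)]) + payload + bytes([xor_all(payload)])


def parse_record(data):
    """Constructed target parser with a deliberate bug: it trusts the length
    byte and reads the checksum at data[1 + n] without checking that the
    buffer is actually that long, so a short buffer raises IndexError."""
    if len(data) < 2:
        raise ValueError("too short")        # the parser's documented rejection
    n = data[0]
    payload = data[1:1 + n]
    checksum = data[1 + n]                   # bug: no bounds check
    if xor_all(payload) != checksum:
        raise ValueError("bad checksum")
    return payload


def mutate(data, rng):
    """One random mutation: overwrite a byte, truncate, or insert a byte."""
    buf = bytearray(data)
    choice = rng.randrange(3)
    if choice == 0:
        buf[rng.randrange(len(buf))] = rng.randrange(256)
    elif choice == 1 and len(buf) > 1:
        del buf[rng.randrange(1, len(buf)):]
    else:
        buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))
    return bytes(buf)


def fuzz(target, seed_input, iterations=300, seed=1):
    """Feed mutated inputs to target. ValueError is the parser rejecting bad
    input as designed; any other exception is a crash worth a bug report."""
    rng = random.Random(seed)                # fixed seed: reproducible run
    crashes = []
    for _ in range(iterations):
        candidate = mutate(seed_input, rng)
        try:
            target(candidate)
        except ValueError:
            continue
        except Exception as exc:
            crashes.append((candidate, type(exc).__name__))
    return crashes


def still_crashes(target, data):
    """True only for an unexpected exception, not for a designed rejection."""
    try:
        target(data)
    except ValueError:
        return False
    except Exception:
        return True
    return False


def minimize(target, data):
    """Drop one byte at a time while the crash persists, giving a small reproducer."""
    i = 0
    while i < len(data):
        trial = data[:i] + data[i + 1:]
        if still_crashes(target, trial):
            data = trial
        else:
            i += 1
    return data


if __name__ == "__main__":
    seed_input = encode_record(b"hello")
    found = fuzz(parse_record, seed_input)
    print(f"{len(found)} crashing inputs out of 300 mutations")
    if found:
        print("minimal reproducer:", minimize(parse_record, found[0][0]).hex())
```

With the fixed seed the run is repeatable, which is what makes a fuzzing result useful to the developer who has to fix it; the minimizer reduces every crash here to a two-byte record whose length byte overruns the buffer, which is a far clearer report than a random seven-byte blob.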

"You have several distinct levels of complexity among flaw researchers," Christey said. "You have many people who can find small errors. But with big and important software, it seems much more difficult for leading researchers to find the real problem. They have to work harder, take more time, use more resources and do more integrated research."

The number of reported vulnerabilities in Web applications is increasing

Easy-to-find flaws in Web applications drove a rapid rise in the number of vulnerabilities reported in 2006, 20 to 50% more than the previous year.

Database     2006       2005    2004    2003    2002    2001
CERT/CC      8,064      5,990   3,780   3,784   4,129   2,437
NVD          6,604      4,877   2,367   1,281   1,959   1,672
OSVDB        8,500+ *   7,187   4,629   2,632   2,184   1,656
Symantec     4,883      3,766   2,691   2,676   2,604   1,472

* OSVDB estimates, with data entry for 2006 still in progress, that the final 2006 count will be at least 20% higher than 2005.
Source: Computer Emergency Response Team Coordination Center (CERT/CC), National Vulnerability Database, Open Source Vulnerability Database and Symantec Vulnerability Database.

But the huge figures for 2006 do not mean that the Internet has become a less secure place for computer users.

Many of the flawed Web applications are community projects that are seldom used by large companies, said Brian Martin, who manages content for the Open Source Vulnerability Database.

"Personal websites and software-based 'mom-and-pop' stores will certainly be affected, but larger companies won't."

Applications written in the popular dynamic programming language PHP accounted for 43% of the total vulnerabilities in 2006. The language is mainly used for community software and small websites, although giants such as Yahoo! and Google also use PHP.

While Web applications account for a large share of vulnerabilities, operating-system vulnerabilities have been modest, and client-side applications are also seeing a larger increase.

"From the point of view of the core operating system, we are more secure. But the fact is that malicious code has not disappeared," said Oliver Friedrichs, Symantec's director of security response. "Malware is still on your system. It just isn't exploiting core software vulnerabilities to get there."

Although they make up only a small part of the total number of vulnerabilities, previously unknown vulnerabilities (zero-days) became an attractive target for attackers and a major trend in 2006.

"The real threat from zero-day vulnerabilities is that they are frequently used to target companies and businesses to steal information, while a simple Web flaw on the Internet cannot have such an important impact," Friedrichs pointed out.