CSO | Half of 2006 vulnerabilities still unpatched

Thursday | 4 December, 2008

Half of 2006 vulnerabilities still unpatched

Apple security holes set to outnumber Microsoft

Darren Pauli (Computerworld) 12/02/2008 16:59:19

Page:

1
2
next >

More than 3600 vulnerabilities discovered last year remain unpatched, according to a study.

The IBM Internet Security Systems (ISS) X-Force report for 2007 found of the 6437 vulnerabilities discovered, 20 percent of those targeting Microsoft, Apple, Oracle, IBM and Cisco were still in the wild up to 12 months later.

More than 50 percent of remaining 6200 flaws targeting other solutions remain currently unpatched.

IBM Internet Security Systems worldwide director of intelligence Peter Allor said Apple recorded almost as many vulnerabilities as Microsoft.

"Microsoft had more vulnerabilities than Apple, but not as many operating system flaws," Allor said.

"Users should make sure they are not lulled into a false sense of security because Apple is a big target."

If they take everything, I've still got a mattress and a Smith and Wesson

Peter Allor, intelligence director at IBM ISS

He said vulnerabilities affecting open source platforms are quickly found and corrected through community code development.

"Vulnerabilities affecting OpenBSD are fixed withing 24 hours because (founder) Theo doesn't waste any time, but it is up to the community to test it for bugs."

According to Allor, the testing phase delays patch deployment from 24 hours up to 6 months, as software developers perform lengthy code audits and cross-check updates to eliminate anomalies which could trigger an on-mass blue-screen-of-death.

The severity of vulnerabilities, base on the X-Force scorecard, rose 28 percent from 2006 despite an overall decrease of 5.4 percent.

Up to 90 percent of vulnerabilities can be executed remotely, according to the research, up 2 percent on 2006 figures.

The report claimed 5 to 11 percent of online devices, or between 32 million and 71 million, are botnet nodes. Storm holds the biggest army of 230,000 zombie machines, Rbot took second place with 40,000 nodes, followed by Bobax with 24,000.

Alloy said users can buy licenses from black-hat hackers to access a botnet, or can purchase a do-it-yourself phishing toolkit for about $1000.

The number of spam e-mails has fallen to pre-2005 levels, according to the study, which is the largest decline on record.

Malware rose by more than a third on 2006 levels to 410,000 thanks largely to Trojans which represented 26 percent of the total, in more than 109,000 varieties.

Page: