ISS: Already more vulnerabilities in 2006 than last year

Vulnerabilities tallied during the first nine months of this year have surpassed the total counted for all of 2005, according to an alert from Internet Security Systems' (ISS) X-Force Labs.

Researchers discovered the 5,196th flaw of this year just after 8 a.m. on Sept. 25 - the same number found during all of last year.

However, only 0.40 percent of the total number of flaws was determined to be "critical," meaning they could be exploited to form an automated worm.

Gunter Ollmann, X-Force director, told SCMagazine.com today that his firm is expecting yet another jump in the number of flaws discovered next year.

"It's disappointing that it's (reached last year's mark) so early. Year on year, there has been an increase, but this is now accelerating so much that we are ending up with an exponential curve of flaws," he said.

The vast majority (63 percent) of discovered vulnerabilities were deemed to be medium risk, meaning they can be used to access files or escalate user privileges. Twenty percent of this year's flaws were called "low risk," to be taken advantage of to leak information or for DoS attacks.

The remaining 17 percent of flaws were deemed "high risk" since they can be exploited to gain control of the host running the software.

The number of critical and high-risk flaws were down eight percent from 2005.

Ollmann said the decrease in the percentage of critical flaws is a bright spot in the findings.

"That is quite a change from previous years. The shift from high to medium is probably the good news in the story," he said. "Unfortunately, by the end of 2006, the number of critical vulnerabilities will probably be the same number as in 2005."

Cross-site scripting ranked as the biggest class of vulnerability, accounting for 14.5 percent of all flaws, followed by SQL injection (10.9 percent), buffer overflow flaws (10.8 percent) and web directory path reversal (three percent).

The lion's share of vulnerabilities (88 percent) can be exploited from a remote location, while nearly 11 percent can be taken advantage of by a local host. The remaining 1.6 percent can be exploited from both local and remote points.

Click here to email Frank Washkuch Jr.

Sign up to our newsletters