There were far more vulnerabilities in applications than in operating systems (OS) or web browsers in 2010.
According to volume ten of the Microsoft Security Intelligence Report, the total number of application vulnerabilities declined by 22.2 per cent from 2009. Speaking to SC Magazine, Chris Wysopal, CTO of Veracode, said that this decline was a positive trend and correlates with a time period when more and more software vendors were building security processes into their software development lifecycles.
He said: “According to Gartner the security testing market as represented by DAST/SAST is growing at a cumulative annual growth rate of 36.7 per cent and expected to reach 1.2 billion by 2013. It is important to note however that these are reported vulnerabilities, which may be decreasing due to less vulnerability research or less reporting of that research.
“From the data we have collected over the same period, which comes from direct analysis of our customers' software, we have seen a slight decline in at least one major category of vulnerability, SQL injection. So taking the Microsoft data and Veracode data together I would say there has been some small improvement in the number of vulnerabilities in software over the last two years but not enough to account for the 20 per cent decrease we see in reported issues. Some of this downward trend must be due to less reporting going on.”
Looking at the Microsoft report, Wysopal said that it is clear that the majority of software vulnerabilities still exist in applications as opposed to the OS or the browser.
“The OS and browsers have benefited from the early scrutiny of external parties and the corresponding improvements the vendors have been forced to implement. We are now seeing that trend play out on the application layer. There are many more applications than OS's or browsers so this clearly will be where the majority of software vulnerability risk will be into the future,” he said.
In terms of document exploits, Adobe Acrobat and Reader accounted for most document format exploits detected throughout 2010, while the number of exploits dropped by more than half after the first quarter and remained near this reduced level throughout the remainder of the year.
The report also found that Microsoft Office file format exploits accounted for between 0.5 and 2.8 per cent of the document format exploits that were detected in each quarter in 2010.
It also found that there was a sharp increase in the exploitation of Java vulnerabilities in the second quarter of 2010 that surpassed every other exploitation category that the Microsoft malware protection centre tracks, including generic HTML/scripting exploits, operating system exploits and document exploits.
Luis Corrons, technical director of PandaLabs, noted that this rise was caused by two new vulnerabilities and they were exploited a lot. “What does it mean? Just that the criminals will use any new vulnerability, especially if the vulnerable application works in a number of different platforms,” he said.
“Regarding the infection rates, I'd say the information is somehow useless, as they took it using their MSRT, which only detects a few malware families (I think it is around 200), so you cannot obtain a realistic figure on this. However, the infections found per operating system look interesting. It seems that Microsoft is improving the security in their new OS and service pack releases, which really makes sense.”
The report also found that industry vulnerability disclosure trends continued to decline moderately over the past five years. Microsoft said that this trend is probably due to better development practices and quality control throughout the industry, which result in more secure software and fewer vulnerabilities. It also said that vulnerability disclosures for Microsoft products increased slightly in 2010 but have generally remained stable over the past several periods.