Vulnerabilities and flaws are a part of everyday security it seems, especially with the same software constantly affected by zero-days.
Is this a historical problem, and when did the issues begin? I recently met with Sourcefire, whose senior research engineer Yves Younan had compiled a report on '25 years of vulnerabilities' using information from the Common Vulnerabilities and Exposures (CVE) database and the National Vulnerability Database (NVD).
Younan said that assessing 54,000 vulnerabilities allowed him to see an overall trend: the number of reported vulnerabilities peaked in 2006 with 6,612 reported, while the peak for vulnerabilities with a 'high severity' rating came a year later, with 3,159 reported in 2007. Since then the number has slowly declined, with 1,760 reported in 2012.
However, last year saw the largest number of vulnerabilities reported with the highest possible CVSS score of ten.
I asked Younan what the typical vulnerability was, and he told me it was mostly buffer overflows, which had 7,809 reports over the 25-year span of the research, while widely reported application flaws such as SQL injection and cross-site scripting (XSS) "are not that severe".
The research found that the vendor with the most reported flaws was Microsoft with 2,934 (1,696 high severity), while the most reported product was the Linux kernel. Younan said that this was likely down to it being a 'coded open project'. When I asked him whether he felt this was also down to Linux being used by more tech-savvy users, who would find and report such flaws, he agreed.
For overall severity, Windows XP takes the top spot with 453 reports, while Firefox was the highest for critical severity reports with 174.
I asked Younan why he felt there was such a rise in 2007 and a steady decline since. He said: “There is a relatively small drop in severity until 2010. I am surprised at how many total vulnerabilities Linux had, but they were all relatively not severe.”
The report covers the 25 years from 1988 to 2012, and Younan told me that he chose this period because it is a round number, although CVE did not begin compiling reports until 1999, so there was little data before then and most of what exists for those earlier years was added retrospectively.
The report makes for interesting reading and shows that while news about flaws and vulnerabilities is well covered, perhaps we are in a better state than we realise.