SCCyberworld

Thursday, March 14, 2013

SOURCEFIRE’s SHOCKING IT SECURITY FINDINGS


Sourcefire’s research report, 25 Years of Vulnerabilities: 1988-2012, uncovered some surprising facts about the history of vulnerabilities:

a) iPhone Poses Highest Mobile Phone Vulnerabilities

b) Microsoft XP and Mozilla Firefox Browser are ‘Most Vulnerable’ Platforms

KUALA LUMPUR, 13 March 2013 – Sourcefire, Inc. (Nasdaq: FIRE), a leader in intelligent cybersecurity solutions, today unveiled its latest research findings on IT security vulnerabilities spanning 1988-2012, in a report released to the market to help businesses better protect their assets.

The research drew on two well-respected data sources, Common Vulnerabilities and Exposures (CVE) and the National Vulnerability Database (NVD), both internationally recognised vulnerability identification databases, to evaluate over 54,000 vulnerabilities reported over the last 25 years.

Overall Trend: Vulnerabilities Statistics

The number of discovered vulnerabilities increased rapidly from 1988 to 2005, reaching 6,612 vulnerabilities found in 2006. A steady decline followed for six years, before the figure shot up again in 2012, with 5,281 vulnerabilities reported in that year alone.

Summary of the Major Discoveries of the Research

Key Finding #1: iPhone has the Highest Vulnerabilities

Apple’s popular iPhone has the most reported vulnerabilities at 210, while Google Android logs in at 24, Windows Mobile at 14 and BlackBerry at 11.

It is interesting to note, though, that Apple has seen significant CVE growth year over year, even though its OS has implemented more security features in each subsequent iteration. One may argue that the increase in CVEs is due to the phone’s growing popularity over the years. However, Android, the current market leader among mobile phone operating systems, actually received fewer CVEs in 2012 than it did in 2011, even though its market share grew explosively that same year.

Key Finding #2: Top 10 vendors with the highest volume of reported vulnerabilities

The 10 worst offenders (from the top down) were Microsoft, Apple, Oracle, IBM, Sun (acquired by Oracle), Cisco, Mozilla, Linux, HP, and Adobe. These top 10 vendors accounted for 14,162 vulnerabilities, or almost 27% of the total number of vulnerabilities (source: NVD data).

Interestingly, when only ‘critical vulnerabilities’ are considered, Oracle comes in as the worst offender in first place, followed by HP and IBM. Apple and Microsoft had more vulnerabilities overall, but fewer critical vulnerabilities.

Key Finding #3: Microsoft Windows XP and the Mozilla Firefox browser stand out as the two with the largest number of high-severity vulnerabilities

For high-severity vulnerabilities, the top 10 offenders (from the top down) were Microsoft Windows XP, Firefox, Chrome, Windows, Internet Explorer, SeaMonkey, Windows Vista, Windows 2003 Server, Thunderbird and lastly Mac OS X. Surprisingly, Flash Player is not among the top 10.

A key insight here is that the most popular Internet browsers (Firefox, Chrome, Internet Explorer and Safari), which together make up 90% of the browser market share, appear in this top 10 list.

Key Finding #4: “Buffer Overflow” is the TOP vulnerability

“Buffer overflows” take the top spot with 7,809 reported over the last 25 years.

In 2008 and 2009, SQL injection was the top type of vulnerability, only to be displaced by XSS and buffer overflows in 2010. In 2011, buffer overflows took the top spot again, while access control issues reigned supreme in 2012.

Other severe vulnerability types reported in the research include “Code Injection”, “Input Validation”, “OS Command Injection” and more.
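To make the vulnerability class named in Key Finding #4 concrete, the following is an added example written for this page (not code from Sourcefire or from the report). It places the classic unbounded string copy that produces a buffer overflow next to a hardened version that measures the input without scanning past the destination and refuses anything that would not fit. The buffer size NAME_MAX, the function names and the sample inputs are constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed fixed-size destination for the example. */
#define NAME_MAX 16

/* Unsafe pattern (the classic buffer overflow): strcpy copies until it
 * finds a NUL byte and never consults the size of 'buf'. Any input of
 * NAME_MAX bytes or more writes past the end of the stack buffer. Shown
 * only for contrast; it is never called below. */
void copy_name_unsafe(const char *name) {
    char buf[NAME_MAX];
    strcpy(buf, name);  /* no bounds check */
    printf("unsafe copy: %s\n", buf);
}

/* Hardened version: measure the input without reading past dst_size,
 * refuse anything that would not fit together with its terminating NUL,
 * and only then copy. Rejecting oversized input (rather than silently
 * truncating it) keeps the caller aware that validation failed. */
bool copy_name_safe(char *dst, size_t dst_size, const char *name) {
    if (dst == NULL || name == NULL || dst_size == 0) {
        return false;
    }
    size_t len = 0;
    while (len < dst_size && name[len] != '\0') {
        len++;
    }
    if (len == dst_size) {
        return false;  /* no NUL found within dst_size: input too long */
    }
    memcpy(dst, name, len + 1);  /* includes the terminating NUL */
    return true;
}

int main(void) {
    char out[NAME_MAX];
    /* Constructed inputs: one short, one exactly at the limit, one too long. */
    const char *inputs[] = { "alice", "0123456789abcde", "0123456789abcdef" };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        if (copy_name_safe(out, sizeof out, inputs[i])) {
            printf("accepted: %s\n", out);
        } else {
            printf("rejected: %zu-byte input exceeds %d-byte limit\n",
                   strlen(inputs[i]), NAME_MAX - 1);
        }
    }
    return 0;
}
```

The hardened function returns a boolean instead of the copied pointer so that callers cannot ignore a failed length check; a 15-byte name is the longest that fits in the 16-byte buffer with its terminator, and a 16-byte name is rejected before any write happens.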

Conclusion

Yves Younan, Senior Research Engineer at Sourcefire’s Vulnerability Research Team (VRT™), shared: “With 25 years of vulnerability data now available, this report takes a historical look at vulnerabilities over the years and some of the results were surprising.”

He concluded by listing the following key highlights worth noting:

a) Buffer overflows remain one of the top-ranking vulnerabilities year over year.

b) Microsoft has improved significantly over the last couple of years, and its browser and mobile operating systems actually fare better than their competitors’ in terms of vulnerabilities discovered.

c) Chrome is ranked as one of the highest for vulnerabilities, while Android has very few; iPhone has a significant lead on vulnerabilities, while Safari has the fewest compared to the other browsers.
