[VIM] IBM ISS 2006 Threat Review
security curmudgeon
jericho at attrition.org
Mon Feb 26 07:20:30 EST 2007
Interesting/relevant info from the IBM/ISS 2006 Trend Statistics. Discuss,
debate or ponder as you please.
http://www.iss.net/documents/whitepapers/X_Force_Exec_Brief.pdf
Vulnerabilities
* There were a total of 7,247 vulnerabilities in 2006, which represents a
39.5 percent increase over 2005.
* June was the busiest month of the year with 696 vulnerabilities.
* Week 46 (the week before Thanksgiving) was the busiest week of 2006 for
new vulnerabilities.
* The most popular day for vulnerability disclosures was Tuesday.
* Weekend disclosure of vulnerabilities in 2006 more than doubled that of
2005 to reach 17.6 percent of all disclosures.
* High impact vulnerabilities continue to decrease as a percentage of
total vulnerabilities in 2006.
* 3 percent of vulnerabilities under the Common Vulnerability Scoring
System (CVSS) were evaluated as being critical impact vulnerabilities with
a score of 10.
* The top three vulnerable vendors in 2006 were Microsoft, Oracle and
Apple.
* The top 10 vulnerable software vendors accounted for 14 percent of all
2006 vulnerabilities.
* 17 percent of the vulnerabilities identified within the top 10
vulnerable vendors products were un-patched at the end of 2006. This
contrasts with 65 percent un-patched for all other vulnerabilities
recorded in the year.
* 88.4 percent of all 2006 vulnerabilities could be exploited remotely.
* Over half (50.6 percent) of 2006 vulnerabilities would allow an
attacker to gain access to the host after successful exploitation.
More information about the VIM
mailing list