[ISN] Computers' Insecure Security
InfoSec News
isn at c4i.org
Wed Jun 22 02:44:43 EDT 2005
Forwarded from: security curmudgeon <jericho at attrition.org>
Cc: dailydave at lists.immunitysec.com
: http://www.businessweek.com/technology/content/jun2005/tc20050617_1613_tc024.htm
: By Sarah Lacy
: June 17, 2005
:
: Software meant to protect PCs is now an attack target, revealing a rising
: number of flaws -- even more than those of Microsoft products
: A new Yankee Group report, to be released June 20, shows the number of
: vulnerabilities found in security products increasing sharply for the
: third straight year -- and for the first time surpassing those found in
: all Microsoft (MSFT ) products. The majority of these weaknesses are
Already on unstable grounds with this wording. Journalists (and security
folks) need to remember the difference between 'found' and 'reported' and
'disclosed'.
: SAME EXCUSE. Last year, researchers found 60 flaws in a variety of
: computer-security programs, almost double the 31 vulnerabilities
: discovered in 2003, according to Andrew Jaquith, a Yankee senior analyst
: who culled a national database of reported software vulnerabilities.
*Sigh*, some day I will learn to smile and nod and not feel the need to
reply to these studies. Until that time..
Cliff notes: 2004, 60 flaws in computer-security programs
             2003, 31 flaws in computer-security programs
             unnamed national database of vulnerabilities
Culling a database is easy. Making a list of security products to search
for in the first place might be a real chore. Moving past that, defining a
vulnerability would be a key here, as CVE might group a few issues into
one entry, and another database like X-Force or OSVDB may split them out
into separate entries. Last, what about products such as 'tcpdump' or
'ethereal'? Are these classified security products or administrative
tools?
Without this information, this article is basically fluff that can't be
reasonably understood or trusted without the full report. Fortunately, I
waited long enough to reply for the details to be released.
http://www.yankeegroup.com/public/products/decision_note.jsp?ID=13157
We see that they use CVE and iCat for their data, but do not address the
fact that CVE can merge separate vulnerabilities into a single entry, nor
do they address other questions above. iCat uses the CVE database and just
adds some metrics.
Some interesting points in this research:
Yankee Group analysis of a well-known public vulnerability data source,
ICAT, suggests that flaw finders have shifted their focus toward
security products.
60 flaws in 2004, according to Yankee Group, and they say there is a shift
to security product vulnerability research? Compare that to the
total number of vulnerabilities released, and this is easily debated.
From 2004 to May 2005 in particular, 77 disclosed vulnerabilities
affected a wide array of security products. The incidents increased far
faster than the rate for Microsoft (see Exhibit 1).
This is a little misleading. First and second quarter of 2004 show
security products going down, then taking a turn and moving up for
third/fourth quarter of 2004, and heading back down for 2005. I'm not a
statistician, but this doesn't seem like a *trend* to me.
Check Point and F-Secure saw a large increase in vulnerabilities in 2004
compared to the previous year, while vendors such as McAfee saw a
significant decrease.
A quick search (by vuln title) of OSVDB.org shows:
                2003   2004
  Check Point      1      6
  F-Secure         1     10
  McAfee           6      7
So two out of three on these statements, not bad! McAfee has had an
increase it seems, just not so dramatic as F-Secure or Check Point.
: Through May, 2005, 23 software glitches have been counted -- already up
: 50% over last year. And that figure doesn't include those yet to come
: this summer, when the biggest attacks are usually launched. So far this
: year, researchers have only found 22 vulnerabilities in Microsoft's
: products.
iCat shows 2005 + "microsoft" having 54 entries and OSVDB.org shows 86 so
far this year. Listing 22 vulnerabilities for Microsoft is what.. going by
Microsoft Security Bulletins? MS05-034 being the latest, and 025-034
possibly being released after the research was completed.. suggests that
might be the case. Anyone familiar with MS advisories knows they can
contain multiple vulnerabilities, even by CVE designation. So is the use
of "22 vulnerabilities in Microsoft's products" creatively switching to a
different method for counting?
So far this research seems poorly done, so I hate to add fuel to the
fire.. but if you search OSVDB.org for security products (and use a good
list), you will find a lot more than mentioned in this report.
There are already 17 vulnerabilities listed in 2005 searching for
"firewall", compared to the 23 mentioned by Yankee Group. Branch out into
other security products and you are well over 23.
: Symantec (SYMC ) has had the most reported vulnerabilities, with 16
: documented last year (see BW Online, 6/17/05, "A New Frontier for
: Hackers?"). But so far this year, it has fared better: Through May, only
: two vulnerabilities were reported.
Err, 43 Symantec issues in 2004... and 10 in 2005..
: BRAGGING RIGHTS. Still, Symantec is a target because it's the market
: leader. Hackers generally want to crack programs with the largest
: installed base -- thus offering the maximum impact for their exploits.
: That's one of the rationales Microsoft has used to explain why its
: products seem to have so many reported security glitches. But Jaquith
: points out that McAfee, the second-largest security player, decreased
: its vulnerabilities over the last year. "This is a leading indicator of
: the relative quality of the two products," he argues.
2005, two McAfee reported vulns.. 2004, seven reported. That still leaves
almost six months for the numbers to be the same. Hard to predict a trend
off such limited data, especially when Yankee Group says:
And that figure doesn't include those yet to come this summer, when the
biggest attacks are usually launched.
: ISS has only had three vulnerabilities in its history, but Noonan calls
: it a wake-up call nonetheless.
Huh?! Read the damn Yankee Group report! "One firm -ISS- accounted for
four of these." Failing that, search a vulnerability database for ISS
products and that "three" figure goes out the window.
ISS RealSecure / BlackICE Rule Name Field Local [..] Apr 8, 2005
BlackICE/PC Protection Unprivileged User Local DoS Aug 14, 2004
TCP Reset Spoofing Apr 20, 2004
ISS RealSecure Network Sensor Malformed DHCP Packet DoS Apr 8, 2004
BlackICE Insecure Default Configuration Weakness Mar 31, 2004
BlackICE NIC Protection Failure Mar 31, 2004
ISS PAM Component ICQ Protocol Parsing Overflow Mar 18, 2004
ISS Multiple Products SMB Packet Handling Overflow Feb 27, 2004
RealSecure/BlackICE PAM Module SMB Packet Overflow Feb 24, 2004
BlackICE PC Protection blackd.exe Local Overflow Jan 28, 2004
BlackICE PC Protection Upgrade File Permission Weakness Jan 28, 2004
ISS RealSecure Server Sensor HTTPS Request DoS Sep 8, 2003
ISS RealSecure Server Sensor ISAPI Plug-in DoS Sep 8, 2003
BlackICE Defender XSS Detection Evasion Jun 17, 2003
ISS Security Scanner HTTP Remote Overflow Sep 18, 2002
ISS ICEcap Default Password Sep 12, 2002
BlackICE tcp.maxconnections Memory Consumption DoS Jun 19, 2002
BlackICE Agent System Standby Failure Jun 6, 2002
BlackICE / RealSecure Large ICMP Ping Packet Overflow Feb 4, 2002
ISS RealSecure Network Sensor Non-Standard [..] Sep 5, 2001
ISS RealSecure Server Sensor Non-Standard [..] Sep 5, 2001
ISS RealSecure Fragmented SYN Packet DoS Aug 22, 2000
BlackICE UDP Port Block Delay Jun 20, 2000 *
ISS Security Scanner Installer Temporary File Symlink Feb 20, 1999
ISS Security Scanner Fingerd Scan Overflow Dec 3, 1998
ISS Security Scanner Command Line Overflow Jan 1, 1998
* Note: ISS purchased BlackIce around May 2001, so this one wouldn't
really be held against them =)
: DANGEROUS DAWNING. That should have been a wake-up call to other
: companies as well. Jaquith advises vendors to ratchet up their internal
: testing. Both Symantec and McAfee recently acquired consulting firms
: that are experts in launching test attacks before the software is
: released. "They both have the tools in-house, it's a question of putting
: them to use," he says.
Now *this* will prove to be interesting statistics down the road. Will
the disclosed vulnerabilities in Symantec products go up/down after the
purchase of @stake...
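The counting problem argued over above (one vendor bulletin covering several issues, one CVE split across several database entries, entries with no CVE at all) can be made concrete. This is an added example, not code from the post or from the Yankee Group report; the vendor name, bulletin ids and CVE ids are constructed placeholders, and the three counting functions are hypothetical, not any database's real method. The same constructed records give three different totals per year and three different "trends".

```python
from dataclasses import dataclass, field

@dataclass
class Record:
    entry_id: str   # hypothetical database entry id (one row per issue, OSVDB-style)
    vendor: str
    year: int
    bulletin: str   # hypothetical vendor bulletin id; one bulletin may fix many issues
    cves: list = field(default_factory=list)  # placeholder CVE ids mapped to this entry

# Constructed sample data; vendor, bulletin and CVE ids are placeholders, not real ones.
RECORDS = [
    Record("E-2003-1", "ExampleVendor", 2003, "BUL-03-01", ["CVE-XXXX-0001"]),
    Record("E-2003-2", "ExampleVendor", 2003, "BUL-03-02", ["CVE-XXXX-0002"]),
    Record("E-2004-1", "ExampleVendor", 2004, "BUL-04-01", ["CVE-XXXX-0003"]),
    Record("E-2004-2", "ExampleVendor", 2004, "BUL-04-01", ["CVE-XXXX-0003"]),  # one CVE split in two
    Record("E-2004-3", "ExampleVendor", 2004, "BUL-04-01", ["CVE-XXXX-0004", "CVE-XXXX-0005"]),  # two merged
    Record("E-2004-4", "ExampleVendor", 2004, "BUL-04-02", ["CVE-XXXX-0006"]),
    Record("E-2004-5", "ExampleVendor", 2004, "BUL-04-02", []),  # disclosed, no CVE assigned
]

def _select(records, vendor, year):
    return [r for r in records if r.vendor == vendor and r.year == year]

def count_by_entry(records, vendor, year):
    """Every database row is one vulnerability."""
    return len(_select(records, vendor, year))

def count_by_cve(records, vendor, year):
    """Distinct CVE ids: split rows collapse, merged rows expand, unassigned rows vanish."""
    return len({c for r in _select(records, vendor, year) for c in r.cves})

def count_by_bulletin(records, vendor, year):
    """One per vendor advisory, however many issues it fixed."""
    return len({r.bulletin for r in _select(records, vendor, year)})

COUNTERS = {"entries": count_by_entry, "cves": count_by_cve, "bulletins": count_by_bulletin}

def yearly_counts(records, vendor, year):
    return {name: fn(records, vendor, year) for name, fn in COUNTERS.items()}

def percent_change(old, new):
    return None if old == 0 else round((new - old) * 100.0 / old, 1)

def trend_by_definition(records, vendor, year_a, year_b):
    """Year-over-year change per definition: the same data gives three different 'trends'."""
    a, b = yearly_counts(records, vendor, year_a), yearly_counts(records, vendor, year_b)
    return {name: percent_change(a[name], b[name]) for name in COUNTERS}
```

On this data 2004 counts as 5, 4 or 2 issues depending on the definition, and the year-over-year change is +150%, +100% or flat, which is the whole objection to comparing one source's "22" with another's "54" or "86".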