[VIM] IBM ISS 2006 Threat Review

security curmudgeon jericho at attrition.org
Mon Feb 26 07:20:30 EST 2007


Interesting/relevant info from the IBM/ISS 2006 Trend Statistics. Discuss, 
debate or ponder as you please.

http://www.iss.net/documents/whitepapers/X_Force_Exec_Brief.pdf

Vulnerabilities

* There were a total of 7,247 vulnerabilities in 2006, which represents a 
39.5 percent increase over 2005.
* June was the busiest month of the year with 696 vulnerabilities.
* Week 46 (the week before Thanksgiving) was the busiest week of 2006 for 
new vulnerabilities.
* The most popular day for vulnerability disclosures was Tuesday.
* Weekend disclosure of vulnerabilities in 2006 more than doubled that of 
2005 to reach 17.6 percent of all disclosures.
* High impact vulnerabilities continue to decrease as a percentage of 
total vulnerabilities in 2006.
* 3 percent of vulnerabilities under the Common Vulnerability Scoring 
System (CVSS) were evaluated as being critical impact vulnerabilities with
a score of 10.
* The top three vulnerable vendors in 2006 were Microsoft, Oracle and 
Apple.
* The top 10 vulnerable software vendors accounted for 14 percent of all 
2006 vulnerabilities.
* 17 percent of the vulnerabilities identified within the top 10 
vulnerable vendors products were un-patched at the end of 2006. This 
contrasts with 65 percent un-patched for all other vulnerabilities 
recorded in the year.
* 88.4 percent of all 2006 vulnerabilities could be exploited remotely.
* Over half (50.6 percent) of 2006 vulnerabilities would allow an 
attacker to gain access to the host after successful exploitation.



More information about the VIM mailing list