Vulnerability count falls in 2007

Internet Security Systems released a part of its X-Force 2007 Trend Statistics Report on Tuesday, showing an overall decrease in the number of vulnerabilities reported in 2007.

The report, which the security services division of IBM plans to release piecemeal, found that researchers reported 5.4 percent fewer vulnerabilities in 2007 compared to 2006. The drop marks the first decrease in reported flaws since 2000, according to a post on ISS's X-Force blog. The X-Force found that high-severity vulnerabilities increased by 28 percent year over year.

"The drop could represent an anomaly, a statistical correction or a new trend in the amount of disclosures," Kris Lamb, a security researcher at ISS's X-Force Labs, stated in the blog post. "Researchers could simply be focusing on the sometimes more difficult, high-priority finds."

The report is the second study of vulnerability trends that concluded that the total number of flaws has fallen. In October, Microsoft also noted a drop in the number of vulnerabilities reported in the first half of 2007 as well as an overall increase in the number of high-severity flaws found by researchers.

While flaw data from the National Vulnerability Database continues to show a rise in the number of vulnerabilities found in 2007, some flaws found in previous years are occasionally counted in the current year's tally, Jeff Jones, security strategy director for Microsoft, said in an interview last year. In addition, some vulnerabilities with a single Common Vulnerabilities and Exposures (CVE) identifier are counted more than once by the National Vulnerability Database, according to Jones.

The ISS report also found that the majority of critical vulnerabilities (20 of 28 flaws) found in 2007 in Internet Explorer were memory corruption issues, similar to 2006.
