The number of vulnerabilities found in software will jump this year, experts say--but there's a silver lining.
It isn't over yet, but 2006 is already a record year when it comes to security vulnerabilities.
There is, however, a silver lining: A smaller chunk of the flaws are high risk.
Last year, researchers at Internet Security Systems identified 5,195 vulnerabilities in software. On Monday, the count for this year stood at 5,450, according to the Atlanta-based company's survey, and the projected total for the whole of the year is almost 7,500 bugs.
"Three-quarters through the year, 2006 is looking to be a huge jump in terms of security vulnerabilities," said Gunter Ollmann, director of X-Force, the research and development group at ISS.
The number of problems found has increased as bug hunters and software makers have become more skilled at finding them and as access to automated audit tools has improved, Ollmann said. Also, there is more code to comb for security holes, because people use more complex software than ever.
Atlanta-based ISS, which is being acquired by IBM, predicts there will be a 41 percent increase in confirmed security faults in software compared with 2005. That year, in its own turn, saw a 37 percent rise over 2004.
But there is some good news as well: While there will be an overall jump in the number of security vulnerabilities, it will be accompanied by a fall in the percentage of bugs rated "critical" or high-risk, Ollmann said.
According to Ollmann, severe flaws like these accounted for 28.4 percent of all security holes last year. By comparison, they make up only 17 percent of the flaws identified this year up to Monday, and that percentage is expected to be the same for the full year.
"This is probably the most positive part of the vulnerability trend," Ollmann said. "In previous years, there was an upward trend in the number of critical and high-risk vulnerabilities."
ISS's description of a rise in flaws is backed up by other security companies. VeriSign's iDefense and eEye Digital Security also said they have seen an increase in vulnerabilities this year. Another indication of an increase comes from Microsoft's security bulletins. The software maker issued 55 in the first three quarters of this year, compared with 45 in all of 2005.
In addition, Symantec's Internet Security Threat Report says 2,249 new vulnerabilities were documented in the first six months of 2006, up 18 percent over the second half of 2005. That's the highest number ever recorded for a six-month period, the security company said. Eighty percent of newly disclosed issues were considered easily exploitable, and the window of exposure for enterprise flaws was 28 days.
More security vulnerabilities mean more opportunities for cybercrooks and more headaches for people creating and applying security patches, experts said.
"You have to protect against every single one of those vulnerabilities, while an attacker needs to find only one to stage an attack," Ollmann said. "The more vulnerabilities that are disclosed, the more at risk you are."
Warming up to fuzzers
Critical and high-risk vulnerabilities are those that could let a network worm spread by itself, or could allow an anonymous attacker to remotely gain control over a computer without the user taking any action. As well as a percentage drop, ISS projects a fall in the absolute number of these types of bug in 2006: it anticipates 1,265, compared with 1,475 last year.
The drop in the most serious flaws can be attributed, in part, to better-built software. "Software is becoming more secure," Ollmann said. Also, many bug hunters have started using automated tools called "fuzzers," which often turn up flaws that end up being rated medium-risk, he said.
For example, a fuzzing tool could be used to test how a specific application handles a certain file format, such as the JPEG and GIF image formats. If that application--say, a Web browser--returns an error, the error could point to a vulnerability that could be used as the basis for an attack. To exploit this flaw, however, the attacker will often have to trick the victim into opening a malformed file.
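The file-format testing described above can be sketched as a small mutation fuzzer run against your own parser. This is an added example, not code from the article or from any vendor it quotes; the toy GIF header parser, its hardened variant and all names (`parse_naive`, `parse_checked`, `fuzz`) are hypothetical, and the seed file is constructed.

```python
import random
import struct

# Constructed seed: GIF89a signature, logical screen descriptor (4x4,
# global colour table flag set, 2 entries), then the 6 table bytes.
SEED = b"GIF89a" + struct.pack("<HHBBB", 4, 4, 0x80, 0, 0) + bytes(6)

class FormatError(Exception):
    """Clean rejection of a malformed file (the expected failure path)."""

def parse_naive(data):
    """Toy parser that trusts the sizes the file declares."""
    width, height, flags, _bg, _aspect = struct.unpack("<HHBBB", data[6:13])
    table = []
    if flags & 0x80:                       # global colour table present
        for i in range(2 << (flags & 0x07)):
            off = 13 + 3 * i
            # Unchecked index: in a C parser this is an out-of-bounds read.
            table.append((data[off], data[off + 1], data[off + 2]))
    return width, height, table

def parse_checked(data):
    """Same parser, but every declared length is validated before use."""
    if len(data) < 13 or data[:6] not in (b"GIF87a", b"GIF89a"):
        raise FormatError("bad header")
    flags = data[10]
    if flags & 0x80 and len(data) < 13 + 3 * (2 << (flags & 0x07)):
        raise FormatError("truncated colour table")
    return parse_naive(data)

def fuzz(parser, rounds=2000, seed=1):
    """Mutate SEED; return the inputs that made the parser fail uncleanly."""
    rng = random.Random(seed)              # fixed seed: findings are reproducible
    crashes = []
    for _ in range(rounds):
        buf = bytearray(SEED)
        for _ in range(rng.randint(1, 3)):             # overwrite a few bytes
            buf[rng.randrange(len(buf))] = rng.randrange(256)
        if rng.random() < 0.3:                         # sometimes truncate
            del buf[rng.randrange(len(buf)):]
        try:
            parser(bytes(buf))
        except FormatError:
            pass                           # clean rejection, not a finding
        except Exception as exc:           # any other error is worth triage
            crashes.append((type(exc).__name__, bytes(buf)))
    return crashes
```

Each saved input reproduces its failure, which is what lets a developer triage the finding and confirm the fix by re-running the fuzzer against the corrected parser.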
Fewer of the most-serious flaws are being discovered in operating systems, said Steve Manzuik, an eEye representative. However, there are more being uncovered in other kinds of software.
"We have seen an increase in critical client-side flaws such as ones in Internet Explorer, QuickTime, and Office applications," he said.
The overall dip in severe flaws may be short-lived, Ollmann said. When a major new software product ships, the count of critical bugs typically spikes, he noted. In January, Microsoft's new Windows Vista, the operating system successor to XP, is slated to be broadly available. Microsoft has tagged Vista as the "most secure version of Windows ever."
"I think that certainly in the first half of 2007, we will see an increase in percentage terms of high-risk and critical vulnerabilities," Ollmann said. "That will most likely be associated with the release of Vista."
It isn't just the most serious flaws that people need to worry about, noted Ken Dunham, director of the rapid response team at iDefense. "This year has been unprecedented in terms of zero-day attacks," he said. "There is a much larger number of medium-level vulnerabilities today, and many of those are being used in attacks."
Zero-day attacks use previously unknown flaws that have yet to be fixed. Many of them take advantage of the type of security hole that can be found using a fuzzer.
Such mid-level vulnerabilities are being used in two main types of attacks. Consumers are targeted via malicious Web sites that try to silently install spyware or other nefarious software such as keystroke loggers and bots, Dunham said. Businesses are being targeted directly, with small-scale attacks that use rigged Word documents, for example, he said.
"Consumers can count on Web-based attacks, while the scary part for organizations is that they are being targeted specifically by certain attackers," Dunham said.