This post is part of a multi-part Q3 2006 Vulnerability Report. Here are links to all of the sections, in case you want to read the others:
- 2006 January through September Vulnerability Trends (you are here)
- Windows vs Linux Workstation Comparison
- Windows vs Linux Server Comparison (TBD real soon now)
In my studies of vulnerabilities, I have compiled a large database of information covering vulnerabilities identified at http://cve.mitre.org and http://nvd.nist.gov that includes, among other things, sources concerning dates of public disclosure and references to the disclosures. With this database, it is possible to examine vulnerability trends over time and look for interesting events through the first 9 months of 2006.
Figure 1: Annual disclosed vulnerabilities
Figure 1 charts all disclosed vulnerabilities from 2001 through September 2006, showing the upward trend in disclosures, as well as the high growth rate in the past few years. Note that the vulnerabilities disclosed in 2006 have already surpassed 2005, though three months remain in the year. Looking at growth a different way, Figure 2 charts the disclosures for the first 9 months of each year since 2001, which clearly demonstrates the steady growth of vulnerabilities disclosed during 2006, as compared with previous years.
Figure 2: Annual disclosure through September 30
Utilizing NVD severity ratings, Figure 3 charts the severity breakdown of vulnerabilities by High, Medium and Low severity. The chart shows that the percentage of High severity vulnerabilities so far this year is trends down slightly over the past few years.
Figure 3: Vulnerabilities by severity (percentage)
One might take this as good news, but Figure 4 shows a different perspective. Similar to the comparison in the previous section, the chart compares the first 9 months of each year since 2001, but this time with counts broken out by severity. So, while High severity vulnerabilities as a percentage of the total may be trending slightly down, the overall number of High severity vulnerabilities is actually trending steadily upward. Medium severity issues are being disclosed at an even faster rate, which is artificially obscuring the High severity growth in Figure 3.
Figure 4: January through September vulnerabilities by severity
Complexity to Exploit
The National Institute of Standards provides an assessment of how complex a potential exploit would have to be in order to attack any given vulnerability in their database. Mapping that information against the disclosed vulnerabilities, Figure 5 charts the complexity to exploit of all disclosed vulnerabilities.
Figure 5: Complexity of exploit
If there is one bright spot in the trend data, it is that a much higher number of vulnerabilities being disclosed are more complex to exploit. My thought is that this trend reflects the maturation of the security testing/security researcher industry in terms of skills and tools, such as fuzzers and other rigorous testing tools.
Look a bit deeper at the data, I also wanted to look at platform OS trends and see if there was anything interesting going on. After trying to get some solid data on Linux distributions, I found it was not feasible using the descriptions on Mitre CVE and in the NVD database, since many vulnerabilities identify only a components (e.g. ethereal), but not Linux distributions to which it belongs. However, it is possible to generate a set of vulnerabilities affecting the Linux kernel alone, so I used that. I also grouped together Solaris, HP-UX, Aix, along with various BSD and Unix variants into a Unix category. I combined all vulnerabilities affecting any persuasion of Microsoft Windows into a Windows(all) category and finally combined all Mac OS vulnerabilities (client and server) into a category. For each category, if a vulnerability affected multiple products or client and server, it was counted only one time for the whole category.
First, Figure 6 illustrates the combination of Platform vulnerabilities as a percentage of all disclosed vulnerabilities. The chart shows that since 2003, platform vulnerabilities have shown a downward trend, contributing a smaller and smaller percentage of overall vulnerabilities to those disclosed. This supports an observation that more research, testing and disclosure is being done in the application space, as opposed to against platforms.
Figure 6: Platform vulnerabilities as a percentage of total
Digging in a bit deeper, Figures 7a and 7b illustrate the breakdown of vulnerabilities disclosed by platform categories. The charts show that both Windows and Unix have a trend of contributing fewer vulnerabilities to the overall total, while Mac OS and the Linux kernel are trending upward and contributing more of the overall platform vulnerabilities (note: recall that the 2006 numbers only represent 9 months of data).
Figures 7a and 7b: Platform vulnerabilities by percentage and by count thru September
Note that the January through September data shows that platform vulnerabilities are slightly down in total over last year, again supporting the observation that more focus is being placed upon application testing. My final observation is that the Linux kernel by itself seems to have a relatively high number of vulnerability disclosures relative to the other platform categories which include components beyond just a kernel.
Summary of Observations
Disclosure of new vulnerabilities continue their steady growth over the previous 3 years, with all categories of severity increasing over previous years. However, it seems that researchers are finding many more “complex to attack” vulnerabilities than previously, so that the growth of Medium severity issues is much higher, creating a situation where High severity vulnerabilites appear to be decreasing, but only as a percentage of total disclosures.
In terms of targets, applications are contributing a higher percentage of vulnerabilities relative to platforms than in the past, continuing a 3 year trend.
Within the platform space, both Mac OS and the Linux kernel are experiencing a general multi-year trend of higher numbers of vulnerability disclosures, while both Windows and Unix systems have generally trended downward during that time period. However, in the most recent year, Windows and the Linux kernel contributed relatively less than last year, while Mac OS and Unix contributed relatively more.