The number of publicly disclosed vulnerabilities decreased in 2011, as did the proportion of bugs that were exploited. Is secure development having an effect?
Attacks this year achieved great success, but one common attack vector, the exploitation of software vulnerabilities, appears to be on the decline.
According to preliminary data from companies that collect vulnerability information, the number of publicly disclosed vulnerabilities this year declined compared with the previous year, and far fewer bugs were used to launch attacks.
Symantec, for example, expects to see the total number of publicly disclosed vulnerabilities fall by 30% this year, and critical vulnerabilities by 10%. The company catalogues approximately 4500 to 5500 vulnerabilities annually, but in 2010 their number reached a record 6253. The fewest vulnerabilities were seen in the last six months of this year. IBM's X-Force research and security team has observed the same trend.
One possible reason is the attention that companies such as Microsoft and Adobe have focused on secure development, which may have led to a significant reduction in easily found vulnerabilities. This was stated by Joshua Talbot, a security manager at Symantec. "If the attacker is aware that this platform has protective measures, and that exploiting vulnerabilities in it will be difficult, he may decide to abandon the undertaking," Talbot explained.
In addition, an attacker may abandon his intentions if he knows that Windows, Linux, Mac OS, and many of the applications that run on these platforms have been rebuilt with added security features that make exploiting a vulnerability more difficult. While attackers have continued to target vulnerabilities in Adobe Acrobat, Java and MS Office, security researchers have directed their efforts to auditing more niche software systems such as industrial control, automotive systems and mobile devices.
"It is difficult to say with certainty what motivates researchers and hackers," said Talbot. "But there are developments that make exploits more difficult, and which could motivate hackers to keep vulnerabilities and exploits to themselves rather than report them."
Take Adobe, for example. Researchers began engaging with the company in 2008. The number of vulnerabilities reported to the company declined in 2009 and peaked in 2010. This year, however, the company saw a significant decline in vulnerabilities: the number of bug reports for Flash Player fell by half, and for Acrobat by two-thirds. This was explained by Brad Arkin, senior director of security at Adobe.
"For us it is important to raise the cost of finding an exploit, making it more expensive," said Arkin. "We are concentrating on this work."
Microsoft reports the same trend in its data. In 2011, the number of critical vulnerabilities in the company's products reached its lowest level in the last six years. In addition, the company released 99 bulletins this year, compared with 106 last year. In absolute terms, this means that this year had the fewest critical vulnerabilities since 2005.
"The fact that year after year we see a reduction in the percentage of critical issues and bulletins speaks to the progress that is being made in creating more secure software," wrote Mike Reavey, senior director of the Microsoft Security Response Center, in a blog post commenting on the data.
Since the company established its Trustworthy Computing unit in January 2002, it has been eliminating vulnerabilities in its products, improving its development process, and hardening its operating systems and applications against exploits. Recent evidence suggests that the company has succeeded.
Although the main security focus has been on platform and application software, which has been hardened to make it more resistant to exploits, researchers have gone further and begun to engage with systems that lack rigorous testing. These include embedded automotive systems, industrial control systems, and medical devices. As more of these devices gain access to the Internet, hackers will find ways to attack them. This was stated by Wolfgang Kandek, CTO of the vulnerability management company Qualys.
"Given the pace at which we connect more and more devices to the Internet, I do not think we will run short of security vulnerabilities," he said.