.: News Archive :: 2003/02/07


Number of vulnerabilities increasing

The number of vulnerabilities is rising, and this affects work processes in many companies.

When a company receives information about a vulnerability in a product, it must consider whether that vulnerability affects its security. If the company has complete knowledge of its network and the product in question is not in use, the information can easily be discarded as not relevant.

If the product is part of a large installation, or the vulnerability is not described in detail, it may be necessary to spend even more resources on it.

One initiative that has been a success in handling vulnerability information is the CVE dictionary. It assigns a unique identifier to each vulnerability, and that identifier can then be used across a multitude of security products. In practice this means that, using the CVE identifier, one can find information from the product vendor, from intrusion detection system vendors, from firewall vendors and from other products such as vulnerability scanners.

One example is the vulnerability in Microsoft SQL Server used by the Sapphire worm, which has the identifier CAN-2002-0649, a candidate for becoming a CVE entry. Typically a candidate becomes a CVE entry when vendors acknowledge that it is a vulnerability. This one will probably become CVE-2002-0649 at some point.

The CVE identifier can then be used to verify that it is the same vulnerability that is described in the following places:

Since the number of vulnerabilities has a direct influence on the resources needed to investigate them, it is interesting to examine vulnerability statistics. Symantec Internet Security has released a report titled "Threat Report Attack Trends for Q3 and Q4 2002" which includes numbers that are much higher than the corresponding numbers from CVE/ICAT. This is probably because CVE is more conservative and aims to avoid duplicates.
Symantec says it has documented more than 2500 new vulnerabilities in 2002, while CVE has officially counted 1307 new vulnerabilities in 2002. The discrepancy is partly because CVE has yet to release entries for vulnerabilities from last year.

There is nonetheless a rise in the number of vulnerabilities per month in general.

What can one do to make vulnerability handling more efficient?

The single most important item is to get control of the installation: it should be documented which products are in use. There should also be strict procedures for putting new systems into production, since it is often an unauthorized test server that compromises the network security.

There are a number of commercial alert services, which use defined criteria to select the vulnerabilities relevant to each customer. It is extremely important to ensure that these criteria are chosen correctly, since otherwise the coverage will diverge from the products actually in use.
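As an added illustration (not code from the article or from Neupart), the following Python sketch shows the two points made above: the CVE identifier serving as the one key that correlates reports from a vendor, an IDS vendor and a scanner, and a documented product inventory turning that advisory stream into an investigate/discard decision. The inventory, the alias lists and the advisories are constructed sample data; only the CAN-2002-0649 identifier is taken from the article.

```python
import re
from collections import defaultdict

# Constructed inventory of products in production (the article's "get control of the
# installation"); each entry lists the names advisories are likely to use for it.
INVENTORY = {
    "Microsoft SQL Server 2000": ["microsoft sql server", "ms sql server", "mssql"],
    "OpenSSH 3.5p1": ["openssh"],
}
# Constructed advisories from several sources; the identifier is the only shared key.
ADVISORIES = [
    {"source": "vendor",  "id": "CAN-2002-0649", "product": "Microsoft SQL Server 2000"},
    {"source": "ids",     "id": "CVE-2002-0649", "product": "MS SQL Server"},
    {"source": "scanner", "id": "can-2002-0649", "product": "MSSQL resolution service"},
    {"source": "vendor",  "id": "CAN-2003-0001", "product": "Acme Router OS"},
    {"source": "scanner", "id": "VU#12345",      "product": "OpenSSH"},
]
CVE_RE = re.compile(r"^(CAN|CVE)-(\d{4})-(\d{4,})$")

def canonical_id(ident):
    """Map a candidate (CAN-) or accepted (CVE-) identifier to one key, so that
    CAN-2002-0649 and CVE-2002-0649 are treated as the same vulnerability.
    Returns None for strings that are not CVE-style identifiers."""
    m = CVE_RE.match(ident.strip().upper())
    return f"CVE-{m.group(2)}-{m.group(3)}" if m else None

def affected_products(product_text, inventory=INVENTORY):
    """Inventory entries whose known names occur in an advisory's product field."""
    text = product_text.lower()
    return sorted(n for n, aliases in inventory.items() if any(a in text for a in aliases))

def triage(advisories=ADVISORIES, inventory=INVENTORY):
    """Group advisories by canonical CVE id; a group is relevant only when some source
    names a product in the inventory. Advisories without a usable identifier cannot be
    correlated across sources and are returned separately for manual review."""
    groups = defaultdict(lambda: {"sources": [], "products": set()})
    unidentified = []
    for adv in advisories:
        key = canonical_id(adv["id"])
        if key is None:
            unidentified.append(adv)
            continue
        groups[key]["sources"].append(adv["source"])
        groups[key]["products"].update(affected_products(adv["product"], inventory))
    return ({k: {"sources": v["sources"], "products": sorted(v["products"]),
                 "relevant": bool(v["products"])} for k, v in groups.items()}, unidentified)

if __name__ == "__main__":
    for cve, info in sorted(triage()[0].items()):
        print(cve, "investigate" if info["relevant"] else "discard", info["sources"], info["products"])
```

With the sample data, the three reports of CAN-2002-0649 collapse into one relevant item, the router advisory is discarded because nothing in the inventory matches, and the scanner finding without a CVE-style identifier is set aside for manual review.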
