Message-ID: <D730CBAA-39EF-11D7-9F4B-0005025F99D2@kramse.dk>
From: hlk at kramse.dk (Henrik Lund Kramshøj)
Subject: Are the number of vulnerabilities going up? is Symantec counting wrong?
On Thursday, Feb 6, 2003, at 17:04 Europe/Copenhagen, Dave Ahmad wrote:
>
> Here's an idea. We have a publicly accessible vulnerability database.
> You could try counting the vulnerabilities yourself (!). You can use
> your crayons or perhaps some automated process. Facts would answer
> your question better than sending a sensationalist message to a public
> list..
> or was that all you really wanted to do?
Dear Dave,
It was NOT my intention to offend you, but this IS being put forward in a
sensationalist way - as you yourself put it.
IF this is so much a fucking sensation, why doesn't CVE/ICAT agree?
- from 1300 to 2500 is quite a difference!
I think the report is great in many ways, and very important
- maybe the reporters/journalists are just searching and focusing
on the wrong results from it ... and I would like them to report more
important things than the "vulnerability explosion"
My reason for posting is to know if "we", subscribers of the list in
particular, think the number of vulns is exploding?
- IMHO the number of publicly known vulns is increasing steadily,
currently at a rate of about 100 per month
Just my opinion, no intention to offend
Best regards
Henrik
PS BTW for how long do you intend to keep the database public?
- it does seem that being bought by Symantec has had some bad
influence already - as in: why wasn't the Security Focus name used?
Other than some http:// references to securityfocus I DON'T see much
credit where credit is due - bugtraq is only mentioned by the Bugtraq ID.
If you could explain this to me I might regard the report as less of a
marketing stunt ... and sorry if this paragraph offends you
>
> http://online.securityfocus.com/bid
>
> David Mirza Ahmad
> Symantec
>
> 0x26005712
> 8D 9A B1 33 82 3D B3 D0 40 EB AB F0 1E 67 C6 1A 26 00 57 12
>
> On Thu, 6 Feb 2003, Henrik Lund Kramshøj wrote:
>
>> Hi there
>>
>> In today's mail I read from
>> SECURITY WIRE DIGEST, VOL. 5, NO. 10, FEBRUARY 6, 2003
>> that
>> *NEW REPORT: ATTACKS DOWN, VULNERABILITIES UP
>> Attacks on Internet-connected machines were down, while the number of
>> exploitable software vulnerabilities went up--way up--during the second
>> half of 2002, according to a biannual report by enterprise security
>> solutions provider Symantec. The 30-attacks-per-week average for companies
>> monitored by the AV software giant represents a 6 percent drop from the
>> first half of 2002. Less than 2 percent of all incidents reported
>> represented aggressive attacks, while a whopping 85 percent were more
>> along the lines of probes for holes to exploit, according to the Internet
>> Security Threat Report. Along those lines, Symantec recorded more than
>> 2,500 newly identified vulnerabilities in various software products during
>> all of 2002, an 81.5 percent increase over the previous year.
>> http://enterprisesecurity.symantec.com/content.cfm?articleid=1539
>>
>> what is going on here?
>> I have read this several places now, and it bugs me
>>
>> if you go read the report, it says stuff like:
>> "The total number of new, documented vulnerabilities in
>> 2002 was 81.5% higher than in 2001."
>> "Symantec documented 2,524 new vulnerabilities
>> over the past year, which amounted to an 81.5%
>> increase over 2001."
>>
>> I guess they mean that securityfocus, owned by Symantec now,
>> copied from bugtraq mail folder to their website, and thereby
>> "documented".
>>
>> but what is going on here, if I read the statistics at
>> http://icat.nist.gov/icat.cfm?function=statistics
>>
>> It says
>> Total Vulnerability Count
>> Year   Vulnerability Count
>> 2003   34
>> 2002   1307
>> 2001   1506
>> 2000   990
>>
>> so 1307 vulns for 2002, down from 1506 in 2001!
>> as a rule of thumb I sometimes say the number of known vulnerabilities
>> currently grow by "about" 100 new per month.
>>
>> Can someone explain this?
>> - or does Symantec have a load of vulns they haven't disclosed yet ;-)
>>
>> I know that securityfocus is sometimes ahead of CVE, which is fine, but
>> why does ICAT/CVE say 1307 vulns for 2002, while Symantec say 2500?
>>
>> Is this just to stir up some fear and sell more products (not that I
>> have anything against their products, and I buy their antivirus
>> regularly for people I know)
>>
>> Best regards
>>
>> --
>> Henrik Lund Kramshøj
>> hlk@...amse.dk|inet6.dk|sikkerhedsforum.dk|security6.net}
>> Please read email policy at http://www.kramse.dk/email
>>
>
>