Message-ID: <D730CBAA-39EF-11D7-9F4B-0005025F99D2@kramse.dk>
From: hlk at kramse.dk (Henrik Lund Kramshøj)
Subject: Are the number of vulnerabilities going up? is Symantec counting wrong?

On Thursday, Feb 6, 2003, at 17:04 Europe/Copenhagen, Dave Ahmad wrote:

>
> Here's an idea.  We have a publicly accessible vulnerability database.
> You could try counting the vulnerabilities yourself (!).  You can use
> your crayons or perhaps some automated process.  Facts would answer
> your question better than sending a sensationalist message to a public
> list.. or was that all you really wanted to do?
Dear Dave

It was NOT my intention to offend you, but this IS being put forward in
a sensationalist way - as you yourself put it

IF this is so much a fucking sensation, why doesn't CVE/ICAT agree?
- from 1300 to 2500 is quite a difference!

I think the report is great in many ways, and very important
- maybe the reporters/journalists are just searching and focusing
on the wrong results from it ... and I would like them to report more
important things than the "vulnerability explosion"

My reason for posting is to know if "we", subscribers of the list in
particular, think the number of vulns is exploding?
- IMHO the number of publicly known vulns is increasing steadily,
currently at a rate of about 100 per month

Just my opinion, no intention to offend

Best regards

Henrik

PS BTW for how long do you intend to keep the database public?
- it does seem that being bought by Symantec has had some bad
influence already - as in why wasn't the SecurityFocus name used?
Other than some http:// references to securityfocus I DON'T see much
credit where credit is due - Bugtraq is only mentioned by the Bugtraq ID.
If you could explain this to me, I might regard the report as less of a
marketing stunt ... and sorry if this paragraph offends you

>
> http://online.securityfocus.com/bid
>
> David Mirza Ahmad
> Symantec
>
> 0x26005712
> 8D 9A B1 33 82 3D B3 D0 40 EB  AB F0 1E 67 C6 1A 26 00 57 12
>
> On Thu, 6 Feb 2003, Henrik Lund Kramshøj wrote:
>
>> Hi there
>>
>> In todays mail I read from
>> SECURITY WIRE DIGEST, VOL. 5, NO. 10, FEBRUARY 6, 2003
>> that
>> *NEW REPORT: ATTACKS DOWN, VULNERABILITIES UP
>> Attacks on Internet-connected machines were down, while the number of
>> exploitable software vulnerabilities went up--way up--during the second
>> half of 2002, according to a biannual report by enterprise security
>> solutions provider Symantec. The 30-attacks-per-week average for companies
>> monitored by the AV software giant represents a 6 percent drop from the
>> first half of 2002. Less than 2 percent of all incidents reported
>> represented aggressive attacks, while a whopping 85 percent were more
>> along the lines of probes for holes to exploit, according to the Internet
>> Security Threat Report. Along those lines, Symantec recorded more than
>> 2,500 newly identified vulnerabilities in various software products during
>> all of 2002, an 81.5 percent increase over the previous year.
>> http://enterprisesecurity.symantec.com/content.cfm?articleid=1539
>>
>> what is going on here?
>> I have read this several places now, and it bugs me
>>
>> if you go read the report, it says stuff like:
>> "The total number of new, documented vulnerabilities in
>> 2002 was 81.5% higher than in 2001."
>> "Symantec documented 2,524 new vulnerabilities
>> over the past year, which amounted to an 81.5%
>> increase over 2001."
>>
>> I guess they mean that securityfocus, owned by Symantec now,
>> copied from bugtraq mail folder to their website, and thereby
>> "documented".
>>
>> but what is going on here, if I read the statistics at
>> http://icat.nist.gov/icat.cfm?function=statistics
>>
>> It says
>> Total Vulnerability Count
>> Year Vulnerability Count
>> 2003 34
>> 2002 1307
>> 2001 1506
>> 2000 990
>>
>> so 1307 vulns for 2002, down from 1506 in 2001!
>> as a rule of thumb I sometimes say the number of known vulnerabilities
>> currently grow by "about" 100 new per month.
>>
>> Can someone explain this?
>> - or does Symantec have a load of vulns they haven't disclosed yet ;-)
>>
>> I know that securityfocus is sometimes ahead of CVE, which is fine, but
>> why does ICAT/CVE say 1307 vulns for 2002, while Symantec says 2500?
>>
>> Is this just to stir up some fear and sell more products (not that I
>> have anything against their products, and I buy their antivirus regularly
>> for people I know)
>>
>> Best regards
>>
>> --
>> Henrik Lund Kramshøj
>> hlk@...amse.dk|inet6.dk|sikkerhedsforum.dk|security6.net}
>> Please read email policy at http://www.kramse.dk/email
>> _______________________________________________
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.netsys.com/full-disclosure-charter.html
>>