Message-ID: <F42D3342-39E2-11D7-9660-000393958954@kramse.dk>
From: hlk at kramse.dk (Henrik Lund Kramshøj)
Subject: Are the number of vulnerabilities going up? is Symantec counting wrong?
Hi there
In today's mail I read from SECURITY WIRE DIGEST, VOL. 5, NO. 10, FEBRUARY 6, 2003 that
*NEW REPORT: ATTACKS DOWN, VULNERABILITIES UP
Attacks on Internet-connected machines were down, while the number of
exploitable software vulnerabilities went up--way up--during the second
half of 2002, according to a biannual report by enterprise security
solutions provider Symantec. The 30-attacks-per-week average for companies
monitored by the AV software giant represents a 6 percent drop from the
first half of 2002. Less than 2 percent of all incidents reported
represented aggressive attacks, while a whopping 85 percent were more
along the lines of probes for holes to exploit, according to the Internet
Security Threat Report. Along those lines, Symantec recorded more than
2,500 newly identified vulnerabilities in various software products during
all of 2002, an 81.5 percent increase over the previous year.
http://enterprisesecurity.symantec.com/content.cfm?articleid=1539
What is going on here?
I have read this in several places now, and it bugs me.
If you go read the report, it says stuff like:
"The total number of new, documented vulnerabilities in
2002 was 81.5% higher than in 2001."
"Symantec documented 2,524 new vulnerabilities
over the past year, which amounted to an 81.5%
increase over 2001."
I guess they mean that securityfocus, owned by Symantec now,
copied from bugtraq mail folder to their website, and thereby
"documented".
But what is going on here? If I read the statistics at
http://icat.nist.gov/icat.cfm?function=statistics
it says
Total Vulnerability Count
Year   Vulnerability Count
2003     34
2002   1307
2001   1506
2000    990
So 1307 vulns for 2002, down from 1506 in 2001!
As a rule of thumb I sometimes say the number of known vulnerabilities
currently grows by "about" 100 new per month.
Can someone explain this?
- or does Symantec have a load of vulns they haven't disclosed yet ;-)
I know that securityfocus is sometimes ahead of CVE, which is fine, but
why does ICAT/CVE say 1307 vulns for 2002, while Symantec says 2500?
Is this just to stir up some fear and sell more products? (Not that I
have anything against their products, and I buy their antivirus regularly
for people I know.)
Best regards
--
Henrik Lund Kramshøj
hlk@...amse.dk|inet6.dk|sikkerhedsforum.dk|security6.net}
Please read email policy at http://www.kramse.dk/email