Sourcefire Corporate Blog

05 Mar 2013

Sourcefire VRT Unveils Research on 25 Years of Vulnerabilities: 1988-2012

posted by Staff Contributor

As we have previously posted, few take a greater interest in vulnerabilities than our Vulnerability Research Team (VRT). Today we unveil their research on trends in the last 25 years of vulnerabilities. Please see the post below, reposted from the VRT blog, which provides an overview of the findings and a link to download the research.

We here at the VRT are all about backing up opinions with facts, and there are a lot of opinions about the nature of the vulnerability landscape out there. With that in mind, we recently decided to study the numbers and put conventional wisdom to the test.

At a high level, the numbers show that while vendors are putting increasing amounts of effort into security, critical vulnerabilities such as the recent Java, PDF, and Internet Explorer 0-days are on the upswing again of late. Combined with the clear upward trend in the amount of malware being dropped via these vulnerabilities - the Sourcefire VRT now sees an average of over 200,000 unique new malware samples per day - it is clear that users need to be as vigilant as ever in dealing with the modern threat landscape.

Here are some further highlights from the report:

  • Total vulnerabilities and highly critical vulnerabilities were up in 2012 after a significant downswing over the previous few years; 2012 was a record-breaking year for the number of most critical vulnerabilities, those with a CVSS score of 10.

  • Buffer overflows continue to be the most important type of vulnerability, with 35% of the total share of critical vulnerabilities over the last 25 years.

  • For the first time since 1998, Microsoft did not lead vendors in terms of vulnerabilities reported in 2012; that dubious distinction went to Oracle, whose 2010 acquisition of Sun's Java programming language, a favorite of attackers, contributed to that trend.

  • Firefox had more critical vulnerabilities than Internet Explorer over the time period studied, casting doubt on the conventional wisdom that IE is the least secure browser.

  • Microsoft released 13% of their patches after the CVE was published, meaning that vulnerability information was publicly available and potentially exploited before a patch was released (0-day).

You can download the full report here. We hope you enjoy our quick dive into the world of vulnerability statistics; if there are any statistics you'd like us to look into in a follow-up post, let us know in the comments.

