Monday, September 25, 2006

Symantec Internet Security Threat Report Volume X

Symantec has posted (for free, no registration!) the latest Internet Security Threat Report. I'm very pleased to see that such a high-profile report uses threat and vulnerability terms properly, and features details on the methodology used to produce the report. Here's some of the Executive Summary.

In contrast to previously observed widespread, network-based attacks, attackers today tend to be more focused, often targeting client-side applications... The current threat landscape is populated by lower profile, more targeted attacks, attacks that propagate at a slower rate in order to avoid detection and thereby increase the likelihood of successful compromise.

Instead of exploiting vulnerabilities in servers, as traditional attacks often did, these threats tend to exploit vulnerabilities in client-side applications that require a degree of user interaction, such as word processing and spreadsheet programs.

A number of these have been zero-day vulnerabilities. These types of threats also attempt to escape detection in order to remain on host systems for longer periods so that they can steal information or provide remote access.


Do you see how important it is to differentiate between threats and vulnerabilities when the terms are used in the same sentence? Bravo Symantec.

This volume of the Internet Security Threat Report will offer an analysis and discussion of threat activity that took place between January 1 and June 30, 2006. This brief summary will offer a synopsis of the data and trends discussed in the main report. Symantec will continue to monitor and assess threat activity in order to best prepare consumers and enterprises for the complex Internet security issues to come.

How does Symantec "monitor and assess threat activity"? By watching, of course.

The Symantec™ Global Intelligence Network comprehensively tracks attack activity across the entire Internet. The Global Intelligence Network, which includes the Symantec DeepSight™ Threat Management System and Symantec™ Managed Security Services, consists of over 40,000 sensors monitoring network activity in over 180 countries. As well, Symantec gathers malicious code data along with spyware and adware reports from over 120 million client, server, and gateway systems that have deployed Symantec’s antivirus products.

They're not using counts of vulnerabilities announced on mailing lists. They're watching exploitation of their customer base.

Their Vulnerability Trend Highlights are fascinating:

  • Symantec documented 2,249 new vulnerabilities, up 18% over the second half of 2005. This is the highest number ever recorded for a six-month period.

  • Web application vulnerabilities made up 69% of all vulnerabilities this period.

  • Mozilla browsers had the most vulnerabilities, 47, compared to 38 in Microsoft Internet Explorer.

  • In the first six months of 2006, 80% of vulnerabilities were considered easily exploitable, up from 79%.

  • Seventy-eight percent of easily exploitable vulnerabilities affected Web applications.

  • The window of exposure for enterprise vulnerabilities was 28 days.

  • Internet Explorer had an average window of exposure of nine days, the largest of any Web browser. Apple Safari averaged five days, followed by Opera with two days and Mozilla with one day.

  • In the first half of 2006, Sun operating systems had the highest average patch development time, with 89 days, followed by Hewlett Packard with 53 days, Apple with 37 days and Microsoft and Red Hat with 13 days.


I think it's interesting that Mozilla had more vulnerabilities than Internet Explorer, but a far smaller window of exposure.

I recommend reading the whole report, or at least the executive summary.

2 comments:

Anonymous said...

"They're watching exploitation of their customer base."

Interesting. If this report is based on their clients only, then you have to wonder how much more actually goes on.

Dv8or025 said...

Some other interesting stats, provided by Secunia:

http://secunia.com/product/11/ : MSIE 6.x - unpatched vulnerabilities: 19 - Most Critical Unpatched is rated Extremely Critical

http://secunia.com/product/4227/ : Firefox 1.x - unpatched vulnerabilities: 3 - Most Critical Unpatched is rated Less Critical

If they'd taken this into account, would Symantec still consider Firefox as _less_ secure than MSIE?!?!