March 15, 2004 1:09 PM PST
Report: Flaws level off, but worms still squirming
In 2003, information on 2,636 security vulnerabilities was released to the public, according to Symantec's biannual Internet Security Threat Report. That's an increase of only 2 percent from the 2,587 vulnerabilities disclosed by companies and security researchers in 2002, said Alfred Huger, senior director of engineering for Symantec. From 2001 to 2002, there was an 81 percent increase, Huger said.
"This is the first year that we have seen the disclosure of vulnerabilities level off," he said.
The report affirms a trend found in data from the Computer Emergency Response Team Coordination Center: The 3,784 vulnerabilities reported to the organization last year decreased 8 percent from the 4,129 flaws found in 2002.
The trend could be an indication that software development is getting better and that programmers are learning how to avoid the most common security missteps. Another factor is that security researchers are increasingly giving software companies a chance to fix the flaws before public alerts are sent out, which can delay the alerts.
"More people are working with vendors to patch these issues, and that takes more time," Symantec's Huger said. For example, Microsoft took more than six months to produce a fix for several recent Windows vulnerabilities.
However, the drop may also have been influenced by another, less positive factor, Huger said: more researchers may be failing to report new flaws. "Good" security researchers could be keeping information on a given flaw to themselves as a competitive advantage, or malicious researchers could be keeping quiet so that they can use the flaw in an attack.
Much of Symantec's report is based on data submitted from more than 20,000 Internet devices owned by clients or affiliates. The data shows that 43 percent of attacks were due to worms. Another 40 percent constituted probes, not necessarily malicious, of systems vulnerable to specific problems. The remaining 17 percent of attacks were intrusion attempts that weren't caused by worms.
The MSBlast, or Blaster, worm accounted for nearly a third of all attacking computers detected by Symantec's sensor network in the last six months, the report said, but it was responsible for only about 2 percent of attacks. That's because a single computer can be used in several attacks, and other worms took greater advantage of this. The very efficient Microsoft SQL Slammer worm, for example, accounted for more than a quarter of total attacks detected, with only 2.4 percent of attacking computers.
The Code Red and Nimda worms, both more than two years old, are also still spreading around the Internet, the report found.
Another trend appears to be that attackers are increasingly targeting previously compromised computers and taking advantage of the backdoors left by successful worm and virus attacks. The latest viruses, including the MyDoom, Sobig and Bagel viruses, leave behind a secret entry point into any system that has been infected by the programs. Increasingly, intruders are checking for those backdoors first.
"It is almost like it has created a different dimension to the underground exploitation of the Internet," Symantec's Huger said. "There are a whole bunch of 'properties' out there that are freely available to groups to take advantage of."