Symantec.com > Business > Security Response > Internet Security Threat Report > View the Report > Vulnerability Trends

Vulnerability Trends

Vulnerability Trends | Total Number of Vulnerabilities | Zero-Day Vulnerabilities | Notable Zero-day Attacks | Web Browser Vulnerabilities | Web Browser Plug-in Vulnerabilities | Web Attack Toolkits | SCADA Vulnerabilities

Total Number of Vulnerabilities

Background

The total number of vulnerabilities for 2011 is based on research from independent security experts and vendors of affected products. The yearly total also includes zero-day vulnerabilities that attackers uncovered and were subsequently identified post-exploitation. Calculating the total number of vulnerabilities provides insight into vulnerability research being conducted in the threat landscape. There are many motivations for conducting vulnerability research, including security, academic, promotional, software quality assurance, and, of course, the malicious motivations that drive attackers. Symantec gathers information on all of these vulnerabilities as part of its DeepSight vulnerability database and alerting services. Examining these trends also provides further insight into other topics discussed in this report.
Discovering vulnerabilities can be advantageous to both sides of the security equation: legitimate researchers may learn how better to defend against attacks by analyzing the work of attackers who uncover vulnerabilities; conversely, cybercriminals can capitalize on the published work of legitimate researchers to advance their attack capabilities. The vast majority of vulnerabilities that are exploited by attack toolkits are publicly known by the time they are exploited.

Methodology

Information about vulnerabilities is made public through a number of sources. These include mailing lists, vendor advisories, and detection in the wild. Symantec gathers this information and analyzes various characteristics of the vulnerabilities, including technical information and ratings in order to determine the severity and impact of the vulnerabilities. This information is stored in the DeepSight vulnerability database, which houses over 47,000 distinct vulnerabilities spanning a period of over 20 years. As part of the data gathering process, Symantec scores the vulnerabilities according to version 2.0 of the community-based CVSS (Common Vulnerability Scoring System)1. Symantec adopted version 2.0 of the scoring system in 2008. The total number of vulnerabilities is determined by counting all of the vulnerabilities published during the reporting period. All vulnerabilities are included, regardless of severity or whether or not the vendor who produced the vulnerable product confirmed them.

Data

Figure D.1: Total vulnerabilities identified, 2006-2011. Source: Symantec
Figure D.2: New vulnerabilities month-by-month, 2010 & 2011. Source: Symantec
Figure D.3: Most frequently attacked vulnerabilities in 2011. Source: Symantec

Commentary

  • Actual number of new vulnerabilities reported is down, but trend is still upwards: The total number of new vulnerabilities reported in 2011 stood at 4,989. This figure works out to approximately 95 new vulnerabilities a week. Compared with the number from 2010 which was 6,253, it represents a decrease of 20% from that of 2010. While this may seem like positive news, it must be viewed in the context of a longer time window. When we look at the trend over the longer term, we can see that the overall pattern is still on an upward trajectory. So far, the number of vulnerabilities reported in January 2012, amounts to 488 and is already well ahead of the numbers reported in the same month last year.
  • The most often exploited vulnerabilities are not the newest: From observation of in-field telemetry, we can see that the most frequently used vulnerability in attacks is not the newest. Our data show that the most commonly attacked component by a wide margin is the Microsoft Windows RPC component. The attacks against this component are mostly using the Microsoft Windows Server Service RPC Handling Remote Code Execution Vulnerability (BID 31874 ). This vulnerability was first reported back in October 2008 and Symantec blocked 61.2 million attempts to exploit it in 2011. This figure represents 4.7 times the volume of the second most exploited vulnerability, the Microsoft Windows RPCSS DCOM Interface Denial of Service Vulnerability (BID 8234 ), from July 2003.
  • The next two most often used vulnerabilities are the Microsoft Windows LSASS Buffer Overrun Vulnerability (BID 10108 4), dating from April 2004 and the Microsoft Windows Server Service Remote Buffer Overflow Vulnerability (BID 194095 ), from August 2008.
  • Finally the fifth most exploited vulnerability is the Adobe Acrobat, Reader, and Flash Player Remote Code Execution Vulnerability (BID 357596 ), reported in July 2009.
  • All of the top five vulnerabilities are several years old with patches available: So why are they used so often even several years after patches are available? There could be several reasons why this is the case:
    • Trading of vulnerabilities7 either through legitimate or clandestine channels has given exploitable vulnerabilities a significant monetary value. Because of the restricted information available on some of these new vulnerabilities, criminals may not be able to take advantage of them unless they are willing to pay the often substantial asking prices. If they are unable or unwilling to pay, they may resort to existing, widely available, tried and tested vulnerabilities to achieve their goals, even if it may potentially be less effective.
    • For those willing to pay, they will want to ensure maximum return on their investment. This could mean they will use it discretely and selectively rather than making a big splash and arousing the attention of security vendors and other criminal groups looking for new vulnerabilities to use.
    • Older vulnerabilities have a more established malware user base and so account for a greater amount of traffic. For example, widespread and well-established malware threats, such as W32.Downadup8 and its variants, use the Microsoft Windows Server Service RPC Handling Remote Code Execution Vulnerability (BID 31874), which continues to register over 200,000 hits each day. Because these threats use vulnerabilities to spread in an automated fashion, the number of attacks they can launch would generally be far higher than for targeted attacks.
    • For various reasons, not all of the user population apply security patches quickly or at all. This means older vulnerabilities can often still be effective, even years after patches are available. Because of this, there will always a window of opportunity for criminals to exploit and they are all too aware of this.
  • File based vulnerabilities: The most commonly exploited data file format is the PDF file format. One of the PDF related vulnerabilities, Adobe Acrobat, Reader, and Flash Player Remote Code Execution Vulnerability (BID 357599 ) registered as the fifth most often used vulnerability in 2011 with just over 1 million attacks reported. PDF files containing vulnerabilities are often associated with Advanced Persistent Threat (APT10 ) style attacks, rather than self-replicating malware. However, in this particular case, the vulnerability in question was most often used in Web toolkit based attacks. This attack scenario involves creating malicious websites to host exploit code. Users may then be tricked into visiting these malicious toolkit websites either by website redirection (e.g. malicious IFRAMEs), SEO poisoning or by sending out spam emails, instant messages or social media updates with links to the malicious website.
  • One thing to note, websites hosting malicious toolkits often contain multiple exploits that can be tried against the visitor. In some cases, the kit will attempt to use all exploits at its disposal in a non-intelligent fashion whereas in more modern advanced kits, the website code will attempt to fingerprint the software installed on the computer before deciding which exploit(s) to send to maximise the success rate. The fact that there are so many Web kit based exploit attempts made using this old vulnerability may suggest that a considerable number of users have not updated their PDF readers to a non-vulnerable version.