Evolution of Key Risks
Dr. Richard REINER
Founder and CTO
Assurent Secure Technologies
rr@richardreiner.com
2
Key Risks – Who has a crystal ball?
• Lots of analyst organizations are talking about emerging risks
– Where are they buying their crystal balls?
• We have no crystal ball… but we have the next best thing
– Extensive, private data source
– Not publicly available
– Used daily by most of the world’s security product companies
– National intelligence agencies
– Global high-tech vendors
• This presentation will focus on the threat trends visible within this
data
– Focus on security vulnerabilities in Commercial Off-the-Shelf (COTS) technology
products
3
Security Vulnerabilities in COTS Products
• Software
– Includes Operating Systems, Business Applications, Technical Tools & Utilities,
etc.
• Firmware
– Networking hardware
– Security appliances
– Mobile devices
– Etc.
• We are in the middle of an epidemic of product security
vulnerabilities
4
[Chart] Total Product Vulnerabilities, 2003 - 2007 (count axis 0 to 7000; years 2003, 2004, 2005, 2006, 2007)
5
Assurent VRS
• Regarded as the world’s leading provider of in-depth threat and
vulnerability intelligence
– Assurent Secure Technologies – acquired by TELUS in 2006
– Operating since Jan 2004
– Daily technical data feeds on threats and vulnerabilities (8 feeds)
– Delivered globally:
• Over 50 security product vendors (including 18 of the world’s top 20)
• Intelligence and defense agencies
• High-tech manufacturers
• Global financial services firms
• Other global organizations
• Also provides the technical basis of the security product accuracy
and coverage testing done by NSS Labs
6
Assurent VR data streams
• Vulnerability Research Engineering Report (real-time feed &
historical data)
• Vulnerability and Exploit Signatures (network- and host-based)
• VA Probes feed
• Spyware Signatures (real-time feed & historical data)
• Shell Code Exploit feed
• Threat Protection Program (advanced enterprise threat
intelligence service)
• Protocol Recognition Signatures
• Custom Artifact Feeds for individual vendors (IPS signatures, VA
probes, host-based checks, etc.)
7
VR Engineering – Data produced
• VR Engineering Report
• Problem identification and meta-data
• Problem location (program, function or method, parameters, data objects, etc.)
• Problem mechanism walkthrough (annotated source code or disassembly)
• Triggering conditions (prerequisites, protocol flow diagrams, packet decodes)
• Attack detection (details to detect attempts to exploit the vulnerability)
• Behavior of the attack target
• Vulnerability detection (remote credentialed and non-credentialed; local)
• Sample exploit code and PCAP format packet captures
• Production-quality IDS/IPS Signature, VA Probe, & Shellcode exploit
• XML and PDF research delivery by SMTP, SOAP, RSS, and Web
Portal
8
Assurent VR processes
9
Leveraging this data source on vuln trends
• Detailed technical analysis of over 300 vulns / month
• Data from Jan 2004 – Present
• What do we see?
Note: Severity scores use CVA-F, an Assurent-adjusted variant of the SANS CVA formula
10
High-level summary statistics
11
[Chart] Total Product Vulnerabilities, 2003 - 2007 (count axis 0 to 7000; years 2003, 2004, 2005, 2006, 2007; repeats the chart from slide 4)
12
[Chart] Critical Vulnerabilities, 2006 vs. 2007 (count axis 0 to 200)
13
[Chart] High-Severity Vulnerabilities, 2006 vs 2007 (count axis 0 to 1400)
14
High-level statistics – Summary
• Total number of product vulnerabilities may have reached a plateau
• The number of Critical vulnerabilities is increasing
• The number of High-Severity vulnerabilities is increasing
15
Looking more closely at severity trends
16
[Chart] Average Severity of Top 5 Vulnerabilities / Week, 2004 - 2007 (severity axis 0 to 6; time axis in two-month steps from Jan-04 through Nov-07)
17
[Chart] Critical Vulnerabilities by Quarter, 2006 - 2007 (count axis 0 to 80; quarters 2006 Q1 through 2007 Q4)
18
[Chart] High-Severity Vulnerabilities by Quarter, 2006 - 2007 (count axis 0 to 450; quarters 2006 Q1 through 2007 Q4)
19
Severity trends – Summary
• Significant overall severity upswing since 2003
• Peak severity in Jan 2007
– Why?
– Preliminary data suggests a similar burst in Q1 2008
20
Performance of top-tier vendors
21
[Chart] Microsoft -- Total Vulnerabilities Per Year (count axis 0 to 300; years 2004, 2005, 2006, 2007)
22
[Chart] Microsoft Vulnerabilities -- Critical -- 2006 vs. 2007 (count axis 0 to 20; data labels: 2006 Critical = 20, 2007 Critical = 10)
23
[Chart] Microsoft Vulnerabilities -- High Severity -- 2006 vs. 2007 (count axis 0 to 180; data labels: 2006 High = 178, 2007 High = 148)
24
[Chart] Global Top 50 Software Vendors - Mean Severity (CVA), 2006 vs 2007 (severity axis 0 to 6)
25
Top vendors – Summary
• Microsoft is doing very well – severity of MSFT vulns is plummeting
• Global Top-50 vendors are also doing quite well – severity is falling
(although generally not as quickly as MSFT)
• But the overall severity trend is upward, so by implication smaller
vendors are doing worse
– And / or more attention is being paid to them, resulting in higher average severity
of the vulns found in their products
26
Vendors with the largest number of vulnerabilities (top five per quarter, in the order shown on the slide)

2006 Q1    2006 Q2    2006 Q3    2006 Q4       2007 Q1    2007 Q2    2007 Q3    2007 Q4
Microsoft  Microsoft  Microsoft  Microsoft     Microsoft  Microsoft  Microsoft  Microsoft
IBM        Mozilla    FSF        Novell        RedHat     Novell     RedHat     IBM
Apple      Apple      Sun        RedHat        Novell     Sun        Novell     Sun
Mozilla    Novell     Novell     IBM           Canonical  RedHat     Debian     Novell
Sun        Debian     RedHat     Linux Kernel  Debian     Debian     IBM        Cisco
27
Data on vulnerability types
28
Vulnerabilities by Type (2004 - 2007), number of entries per type:
Code Execution          378
Denial of Service       1152
Directory Traversal     247
File Inclusion          1231
Format String           98
Information Disclosure  438
Memory Corruption       178
Miscellaneous           256
SQL Injection           1071
Cross-Site Scripting    949
Buffer Overflow         1581
Privilege Escalation    266
Security Bypass         425
Spoofing                49
29
[Chart] Severity by Vulnerability Type (2004 - 2007): percentage of each type at LOW, MEDIUM, HIGH and CRITICAL threat level (percentage axis 0% to 80%); types: Code Execution, Denial of Service, Directory Traversal, File Inclusion, Format String, Information Disclosure, Memory Corruption, Miscellaneous, SQL Injection, Cross-Site Scripting, Buffer Overflow, Privilege Escalation, Security Bypass, Spoofing
30
Vulnerability Type Severity Breakdown (2004 - 2007)
Percentage of each type's entries at each threat level, as labelled on the stacked chart (rows may not sum to exactly 100% because of rounding):

Vulnerability Type      LOW   MEDIUM  HIGH  CRITICAL
Code Execution          23%   35%     37%   4%
Denial of Service       37%   36%     24%   3%
Directory Traversal     39%   45%     15%   1%
File Inclusion          15%   61%     24%   0%
Format String           47%   23%     27%   3%
Information Disclosure  32%   48%     19%   1%
Memory Corruption       16%   25%     51%   8%
Miscellaneous           32%   40%     18%   10%
SQL Injection           21%   50%     28%   1%
Cross-Site Scripting    71%   19%     9%    0%
Buffer Overflow         38%   25%     26%   12%
Privilege Escalation    29%   34%     32%   6%
Security Bypass         35%   40%     21%   4%
Spoofing                37%   35%     24%   4%
31
[Chart] Vulnerability Types by Severity (2004 - 2007): the same per-type percentages as the severity breakdown on the previous slide, regrouped by threat level (LOW, MEDIUM, HIGH, CRITICAL; stacked axis 0% to 100%) with one segment per vulnerability type
32
Data on vulnerability types - Summary
• Buffer overflows continue to be the most common vulnerability type
• Buffer overflows also have the highest rate of criticality
• Web-application vulnerabilities have very high prevalence… but tend to be low-severity
– E.g. 71% of XSS are Low severity, 0% are Critical
– Only 1% of SQL Injection vulns are Critical
• This pertains to COTS web-based applications
– Trends for custom web apps are quite different
33
Targeting – Servers vs. desktops
34
[Chart] Client vs. Server Vulnerabilities - 2006 vs. 2007 (count axis 0 to 3500; series: Client, Server)
35
[Chart] Client vs. Server Vulnerabilities by Quarter (count axis 0 to 900; quarters 2006 Q1 through 2007 Q4; series: Client, Server)
36
[Chart] Mean Severity (CVA), Client vs. Server - 2006 vs. 2007 (severity axis 0 to 6; series: Client, Server)
37
[Chart] Mean Severity (CVA), Client vs. Server, by Quarter (severity axis 0 to 6; quarters 2006 Q1 through 2007 Q4; series: Client, Server)
38
Servers vs. desktops – Summary
• Server vulnerabilities continue to outnumber Client vulns
• But the proportion of Client vulnerabilities is climbing (31% in 2006
vs. 39% in 2007)
• Steady growth in proportion of Client vulns is apparent in the
Quarterly dataset
• Severities of both categories are rising, but Server vulnerabilities are
rising faster (12% increase vs. 3% increase)
• Upward severity trend is consistent quarter by quarter
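The summaries on the vulnerability-type slides and on the servers vs. desktops slides are all derived the same way: bucket a feed of vulnerability records by type, severity band, target class and time period, then compare proportions across periods. The following is an added example, not code from the presentation or from Assurent, showing how such statistics are computed from a record feed. The feed is constructed for illustration, the 0-10 score scale and the band cut-offs are assumptions (the slides use the CVA-F formula, whose thresholds are not given), and the function names are my own.

```python
# Added example (not from the presentation): derive the kinds of summary
# statistics the slides report from a vulnerability record feed.
# The feed below is constructed; the 0-10 score scale and band cut-offs
# are assumptions, not the CVA-F formula used by the slides.
from collections import Counter, defaultdict
from datetime import date

# Constructed sample records: (id, disclosure date, vuln type, target, score)
SAMPLE_FEED = [
    ("V-001", date(2006, 1, 12),  "Buffer Overflow",      "server", 9.1),
    ("V-002", date(2006, 2, 3),   "Cross-Site Scripting", "server", 2.0),
    ("V-003", date(2006, 3, 19),  "SQL Injection",        "server", 4.4),
    ("V-004", date(2006, 4, 7),   "Buffer Overflow",      "client", 7.5),
    ("V-005", date(2006, 6, 21),  "Cross-Site Scripting", "server", 2.8),
    ("V-006", date(2006, 9, 2),   "Denial of Service",    "server", 4.9),
    ("V-007", date(2006, 11, 30), "Buffer Overflow",      "client", 8.0),
    ("V-008", date(2007, 1, 5),   "Memory Corruption",    "client", 8.7),
    ("V-009", date(2007, 2, 14),  "SQL Injection",        "server", 5.6),
    ("V-010", date(2007, 4, 1),   "Buffer Overflow",      "server", 9.4),
    ("V-011", date(2007, 7, 9),   "Cross-Site Scripting", "server", 1.9),
    ("V-012", date(2007, 10, 23), "Buffer Overflow",      "client", 8.2),
]

# Assumed band floors on a 0-10 score (not the slides' CVA-F thresholds)
BANDS = (("CRITICAL", 9.0), ("HIGH", 7.0), ("MEDIUM", 4.0), ("LOW", 0.0))


def band(score):
    """Map a numeric score to a severity band using the assumed floors."""
    for name, floor in BANDS:
        if score >= floor:
            return name
    return "LOW"


def count_by_type(records):
    """Prevalence: entries per vulnerability type, most common first."""
    return Counter(r[2] for r in records).most_common()


def severity_breakdown(records):
    """Per type, the percentage of entries in each band (slide 30 style)."""
    per_type = defaultdict(Counter)
    for _, _, vtype, _, score in records:
        per_type[vtype][band(score)] += 1
    out = {}
    for vtype, c in per_type.items():
        total = sum(c.values())
        out[vtype] = {b: round(100.0 * c[b] / total) for b, _ in BANDS}
    return out


def highest_criticality_rate(records):
    """The type whose entries have the largest share of CRITICAL severity."""
    breakdown = severity_breakdown(records)
    return max(breakdown, key=lambda t: breakdown[t]["CRITICAL"])


def client_share_by_year(records):
    """Proportion (percent) of client-side entries per year."""
    totals, clients = Counter(), Counter()
    for _, d, _, target, _ in records:
        totals[d.year] += 1
        if target == "client":
            clients[d.year] += 1
    return {y: round(100.0 * clients[y] / totals[y]) for y in sorted(totals)}


def mean_severity_by_quarter(records, target=None):
    """Mean score per calendar quarter, optionally for one target class."""
    sums, counts = defaultdict(float), Counter()
    for _, d, _, tgt, score in records:
        if target is not None and tgt != target:
            continue
        key = f"{d.year} Q{(d.month - 1) // 3 + 1}"
        sums[key] += score
        counts[key] += 1
    return {q: round(sums[q] / counts[q], 2) for q in sorted(sums)}


def mean_severity_by_month(records):
    """Seasonality: mean score per calendar month, pooled across years."""
    sums, counts = defaultdict(float), Counter()
    for _, d, _, _, score in records:
        sums[d.month] += score
        counts[d.month] += 1
    return {m: round(sums[m] / counts[m], 2) for m in sorted(sums)}


if __name__ == "__main__":
    print("entries by type:", count_by_type(SAMPLE_FEED))
    print("severity breakdown:", severity_breakdown(SAMPLE_FEED))
    print("highest criticality rate:", highest_criticality_rate(SAMPLE_FEED))
    print("client share by year:", client_share_by_year(SAMPLE_FEED))
    print("client mean severity by quarter:",
          mean_severity_by_quarter(SAMPLE_FEED, "client"))
    print("mean severity by month:", mean_severity_by_month(SAMPLE_FEED))
```

Note that the percentage tables on the slides are per-type proportions, so "highest rate of criticality" is a share of that type's own entries, not a share of all critical vulnerabilities; a type with few entries can top that ranking while contributing little to the critical total. Comparing `count_by_type` with `severity_breakdown` side by side, as the slides do, keeps the two views apart.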
39
Seasonality
40
[Chart] Average Vulnerability Severity by Month (2004-2007) (severity axis 4.0 to 5.4; months Jan through Dec)
41
Seasonality – Summary
• Security people like their summers off?
• Students write their exams in May & June?
• Everyone spends more time indoors in the winter months?
(Northern hemisphere only…)
42
Spyware trends
43
[Chart] High-Risk Spyware by Type, 2004 - 2007 (stacked percentage axis 0% to 100%; years 2004, 2005, 2006, 2007; categories: Adware, Trackware, Trickler, Hijacker, Keylogger, Backdoor/Trojan)
44
[Chart] High-Risk Spyware - Average Severity (severity axis 0 to 7; years 2004, 2005, 2006, 2007)
45
Spyware - Summary
• Backdoors & Keyloggers represent over 50% of High-risk spyware
– And this proportion is growing
– Keyloggers have become big business
• Low-severity spyware is dying off
• Average risk of remaining population is trending upwards across the
whole sample…
• But have we passed the peak (2006)?
46
Conclusions (1)
• Vulnerability management continues to be very challenging
• The number of Critical and High-Risk product vulnerabilities is
increasing
• Distribution of vulnerabilities is broadening to smaller vendors
– Major software vendors are improving the security of their products, but smaller
vendors are not
– Smaller vendors are also increasingly targeted
– “Security through diversity” may not be as good a strategy as it appeared
• Risk is rapidly spreading from servers to desktops
47
Conclusions (2)
• COTS web application vulnerabilities are generally low-risk
• Very different from the situation with custom web applications
• Classical buffer overflows (generally in client-server applications)
have the greatest rate of criticality
48
Conclusions (3)
• The (Northern hemisphere) winter months are the peak time for
vulnerability emergence
– No clear Day-of-Week trend
49
Conclusions (4)
• Spyware risks have been seen to grow from 2004 to the present
• Possible peak in 2006
• Low-risk spyware categories are dying off in favour of identity-theft
focused crimeware
– High-risk categories (backdoor trojans and keyloggers) are increasingly prevalent
Questions & Comments?
Dr. Richard REINER
Founder and CTO
Assurent Secure Technologies
rr@richardreiner.com

ITBN 2008 - Evolution of Key Risks - Dr. Richard Reiner - 200808.pptx
