The document reviews over 25 years of security vulnerabilities in operating systems, analyzing data from the CVE/NVD along with the trends in vulnerability occurrences and types. It identifies significant vulnerabilities, particularly highlighting the impact of common weaknesses across various software and systems, along with a breakdown of vulnerabilities by vendor and product. The presentation also discusses strategies for protecting against such vulnerabilities, emphasizing the importance of understanding the data and trends to foresee future risks.

2. Security Vulnerabilities in Modern Operating
Systems
T-SEC-18-B
Yves Younan
Senior Research Engineer
Vulnerability Research Team (Sourcefire, now part of Cisco)

3. Cisco and/or its affiliates. All rights reserved.T-SEC-18-B Cisco Public
Overview
 A look at more than 25 years of past vulnerabilities
– Based on the CVE/NVD data.
– CVE started in 1999, but includes historical data going back to 1988.
– NVD hosts all CVE information in addition to some extra data about vulnerability types,
etc.
– Based on Sourcefire report: http://www.sourcefire.com/25yearsofvulns
 Updated (with data from 2013, 2014) and data from other sources
 A look at the future
– What trends do we expect?
 A look at exploitation trends based on other reports
 What can we do to protect ourselves

4. Cisco and/or its affiliates. All rights reserved.T-SEC-18-B Cisco Public
Vulnerabilities Past
 Data from 1988-2013
– More than 59,800 vulnerabilities in this period
– Majority of vulnerabilities in the last half of this period
– Data has some issues though
 Depending on reporting, a single CVE issue could cover multiple similar vulnerabilities or not
 Sometimes product assignment is spotty (we’ve tried to clean this up a bit for mobile)
– Not correctly assigned to a product, multiple product names for the same product
 Categories that are used are not very good and their assignment is not all that great
– Also a change in categories significantly
 We use the “published date” provided by NVD to determine when a vulnerability was published:
CVE ids are generated based on when they are requested, not published, so small discrepancies
between ids and dates can exist around the end of the year
– For example: CVE-2013-6642 was published in 2014

5. Cisco and/or its affiliates. All rights reserved.T-SEC-18-B Cisco Public
Common vulnerability scoring system
 Analyst answers the following about the vulnerability:
– Impact on confidentiality, accessibility, integrity: low, partial, complete
– Access vector: local, adjacent network, remote
– Authentication required: none, single, multiple
 Gives a base score of 0-10
 We use the following in the stats:
 CVSS >=7 is considered a serious vulnerability (include critical)
 CVSS = 10 is considered a critical vulnerability
– Note: if insufficient information is available, NVD will consider the vulnerability to be critical
 Gives us a measure of vulnerability impact, but can be a little
subjective
– One score, while multiple platforms may be affected, with different impacts
(e.g. due to mitigations)

6. Cisco and/or its affiliates. All rights reserved.T-SEC-18-B Cisco Public
Total Vulnerabilities by Year
2 3 11 15 13 13 25 25 75
252 246
894
1020
1677
2156
1528
2451
4931
6609 6516
5636 5731
4638
4151
5281
4747
0
1000
2000
3000
4000
5000
6000
7000
1988 1989 1990 1991 1992 1993 1994 1995 1996 1997 1998 1999 2000 2001 2002 2003 2004 2005 2006 2007 2008 2009 2010 2011 2012 2013

7. Cisco and/or its affiliates. All rights reserved.T-SEC-18-B Cisco Public
Total Serious Vulnerabilities
2 2 8 11 12 8 14 17 45
145 133
424 452
772
1002
678
970
2037
2761
3159
2838
2714
2084
1821 1772
1638
0
500
1000
1500
2000
2500
3000
3500
1988 1989 1990 1991 1992 1993 1994 1995 1996 1997 1998 1999 2000 2001 2002 2003 2004 2005 2006 2007 2008 2009 2010 2011 2012 2013

8. Cisco and/or its affiliates. All rights reserved.T-SEC-18-B Cisco Public
Serious Vulnerabilities Percentage of All Vulnerabilities
100
66.67
72.7373.33
92.31
61.54
56
68
60
57.54
54.07
47.43
44.3146.0346.47
44.37
39.5841.3141.78
48.4850.35
47.36
44.9343.87
33.5534.51
0
20
40
60
80
100
120
1988 1989 1990 1991 1992 1993 1994 1995 1996 1997 1998 1999 2000 2001 2002 2003 2004 2005 2006 2007 2008 2009 2010 2011 2012 2013

9. Cisco and/or its affiliates. All rights reserved.T-SEC-18-B Cisco Public
Total Critical Vulnerabilities
2 1 1 4 3 2 1 7 8
24 23
161
142 149 155
119
211
284 274
475
425
373
258
387
483
437
0
100
200
300
400
500
600
1988 1989 1990 1991 1992 1993 1994 1995 1996 1997 1998 1999 2000 2001 2002 2003 2004 2005 2006 2007 2008 2009 2010 2011 2012 2013

10. Cisco and/or its affiliates. All rights reserved.T-SEC-18-B Cisco Public
Critical Vulnerabilities Percentage of All Vulnerabilities
100
33.33
9.09
26.67
23.08
15.38
4
28
10.67 9.52 9.35
18.01
13.92
8.88 7.19 7.79 8.61
5.76 4.15
7.29 7.54 6.51 5.56
9.32 9.15 9.21
0
20
40
60
80
100
120
1988 1989 1990 1991 1992 1993 1994 1995 1996 1997 1998 1999 2000 2001 2002 2003 2004 2005 2006 2007 2008 2009 2010 2011 2012 2013

11. Cisco and/or its affiliates. All rights reserved.T-SEC-18-B Cisco Public
Vulnerabilities by Type
 Common Weakness Enumeration creates a number of
categories for vulnerabilities
 NVD uses a subset of CWE to categorize vulnerabilities:
– Authentication issues: not properly authenticating users
– Credentials management: password/credential
storage/transmission issues
– Access Control: permission errors, privilege errors, etc.
– Buffer error: buffer overflows, etc.
– CSRF: cross-site request forgery
– XSS: cross site scripting

12. Cisco and/or its affiliates. All rights reserved.T-SEC-18-B Cisco Public
Vulnerabilities by Type
 NVD CWE subset continued:
– Cryptographic issues: errors in crypto
– Path traversal: incorrectly handling input like “..”
– Code injection: executing scripting code or similar
– Format string vulnerability: when attackers control the format
specifier for a formatting function
– Configuration: errors in configuration
– Information leak: exposing sensitive information
– Input validation: lack of verifying input, overlaps with
other categories, kind of a misc. category
– Numeric errors: integer overflows, signedness errors, etc.

13. Cisco and/or its affiliates. All rights reserved.T-SEC-18-B Cisco Public
Vulnerabilities by Type
 NVD CWE subset continued:
– OS Command Injections: executing via command line
– Race conditions: time of check to time of use errors
– Resource management errors: memory leaks, consuming of
excess resources, etc.
– SQL injection
– Link following: following symlinks / hard links

14. Cisco and/or its affiliates. All rights reserved.T-SEC-18-B Cisco Public
Vulnerabilities by Type
Buffer Errors
15%
XSS
13%
Access Control
11%
Input Validation
10%
SQL Injection
10%
Not enough info
8%
Code Injection
6%
Information Leak
5%
Resource
Management
5%
Path
Traversal
4%
Numeric
Errors
2%
Configuration
2%
Authentication
2%
Crypto
1%
Credentials
1%
CSRF
1%
Link
Following
1%
Race Conditions
1%
OS
Command
Injection
1%
[CATEGORY NAME]
[PERCENTAGE]

15. Cisco and/or its affiliates. All rights reserved.T-SEC-18-B Cisco Public
Serious Vulnerabilities by Type
Buffer Errors
23%
SQL Injection
19%
Access Control
10%
Code Injection
10%
Not enough info
8%
Input Validation
8%
Resource
Management
4%
Path Traversal
3%
Numeric
Errors
2%
Authentication
2%
Configuration
2%
OS Command
Injection
2% Format String
1%
Credentials
1%
Information Leak
1%Crypto
1%
XSS
1%

16. Cisco and/or its affiliates. All rights reserved.T-SEC-18-B Cisco Public
Critical Vulnerabilities by Type
Buffer Errors
35%
Not enough info
22%
Access Control
8%
Input Validation
6%
Code Injection
4%
Resource
Management
4%
OS Command
Injection
3%
Numeric Errors
3%
Configuration
3%
Authentication
3%
Credentials
2%
Format
String
2%
Path
Traversal
2%
SQL Injection
1%
Information Leak
1%
Crypto
1%

17. Cisco and/or its affiliates. All rights reserved.T-SEC-18-B Cisco Public
Vulnerability Types Over the Years
0
500
1000
1500
2000
2500
3000
3500
781
1294
874 796 827
594 724
599
939
869 1100 951
515
164 223 277 390 460 422 469
708
921 569
572
548
673
734
719
148 183 229
285 338
187 303
777
572
144
215
250
175
302 474
83
147
1047
560
734
Not enough info
Code Injection
Configuration
Input Validation
Access Control
Buffer errors
SQL Injection
XSS

18. Cisco and/or its affiliates. All rights reserved.T-SEC-18-B Cisco Public
Vulnerabilities by Vendor
 NVD has information on affected product for 58,561
vulnerabilities
 Top 10 vendors account for 16,696 vulnerabilities, more
than 28% of all vulnerabilities.
 Some vendors have lots of products, which can result in
a higher total vulnerabilities count
 We will also look at specific products later so we can
provide more extensive analysis

19. Cisco and/or its affiliates. All rights reserved.T-SEC-18-B Cisco Public
Top 10 Vendors for Total Vulnerabilities
Microsoft, 3280
Apple, 2122
Oracle, 2025
IBM, 1802
Sun, 1558
Cisco, 1523
Mozilla, 1255
Linux, 1097
HP, 1037
Google, 997

20. Cisco and/or its affiliates. All rights reserved.T-SEC-18-B Cisco Public
Top 10 Vendors for Serious Vulnerabilities
Microsoft, 1948
Apple, 921
Cisco, 830
Adobe, 757
Sun, 727
IBM, 662
Mozilla, 613
Oracle, 580
Google, 559 HP, 554

21. Cisco and/or its affiliates. All rights reserved.T-SEC-18-B Cisco Public
Top 10 Vendors for Critical Vulnerabilities
Adobe, 300
Oracle, 287
Mozilla, 246
Sun, 235
HP, 235
IBM, 197
Microsoft, 183
Google, 113
Cisco, 97 Apple,
72

22. Cisco and/or its affiliates. All rights reserved.T-SEC-18-B Cisco Public
Top 10 Vendors over the Years
0
100
200
300
400
500
600
Microsoft
Apple
Oracle
IBM
Sun
Cisco
Mozilla
Linux
HP
Google

23. Cisco and/or its affiliates. All rights reserved.T-SEC-18-B Cisco Public
Top 10 Vendors, total number of distinct products
23
HP, 1291
Cisco, 889
IBM, 450
Microsoft, 361
Oracle, 232
Sun, 199
Apple, 92 Google, 32 Mozilla, 19 Linux, 7

24. Cisco and/or its affiliates. All rights reserved.T-SEC-18-B Cisco Public
Top 10 vendors, unique CVEs to distinct products ratio
24
Linux, 156.7
Mozilla, 66.1
Google, 31.2
[CATEGORY
NAME], [VALUE]
Microsoft, 9.1
Oracle, 8.7 Sun, 7.8 IBM, 4 Cisco, 1.7 HP,
0.8

25. Cisco and/or its affiliates. All rights reserved.T-SEC-18-B Cisco Public
Vulnerabilities by Product
 Our vendor comparison gave us an idea who had to
deal with the most vulnerabilities
 However, vendors have multiple products: having more
products, will usually result in suffering from more
vulnerabilities
– As was seen in the product versus CVE entry comparison
 Here we look at product specific comparisons
– What products had the most vulnerabilities
 Some caveats
– Some versions are considered distinct products
 Every Windows version is a distinct product

26. Cisco and/or its affiliates. All rights reserved.T-SEC-18-B Cisco Public
Top 10 Vulnerable Products
Linux Kernel, 1090
Firefox, 1013
Chrome, 886
Mac OSX, 847Windows XP, 717
Seamonkey, 628
Internet Explorer, 625
Mac OSX Server,
608
Thunderbird, 594 Solaris, 557

27. Cisco and/or its affiliates. All rights reserved.T-SEC-18-B Cisco Public
Top 10 vulnerable products without shared code bases
27
Linux Kernel, 1090
Firefox, 1013
Chrome, 886
Mac OSX, 847
Windows XP, 717
Internet Explorer,
625
Solaris, 557
JRE, 496
Safari, 460
Linux, 396

28. Cisco and/or its affiliates. All rights reserved.T-SEC-18-B Cisco Public
Top 10 vulnerable products, totaled with similar products
28
Linux+Redhat, 1895
All Windows, 1237
Mozilla Suite, 1046
Mac OS, 891
Chrome, 886
Internet Explorer, 625
Solaris, 590
JRE/JDK, 501
Safari, 460 PHP,
353

29. Cisco and/or its affiliates. All rights reserved.T-SEC-18-B Cisco Public
Top 10 Seriously Vulnerable Products
Firefox, 529
Chrome, 513
Windows XP, 501
Thunderbird, 365Seamonkey, 364
Windows Vista, 346
Windows Server
2008, 337
Windows 2000, 311
Internet
Explorer, 307
Windows 2003
Server, 299

30. Cisco and/or its affiliates. All rights reserved.T-SEC-18-B Cisco Public
Top 10 Seriously Vulnerable Products, totaled (similar)
30
All Windows, 755
Linux+Redhat, 567
Firefox, 539
Chrome, 513
Internet Explorer, 307
Mac OS X, 303
JDK/JRE, 289
Acrobat, 283
Solaris, 277
Flash/Air, 260

31. Cisco and/or its affiliates. All rights reserved.T-SEC-18-B Cisco Public
Top 10 Critically Vulnerable Products
Firefox, 234
Thunderbird, 179
Seamonkey, 167
JRE, 152
JDK, 145
Flash Player, 134
Adobe Air, 119
Chrome, 99
Acrobat Reader, 96
Acrobat, 92

32. Cisco and/or its affiliates. All rights reserved.T-SEC-18-B Cisco Public
Top 10 Critically Vulnerable Products, totalled (similar)
Mozilla suite, 238
JRE/JDK, 153
Flash/Air, 135
All Windows, 103
Linux+Redhat, 101
Chrome, 99
Acrobat, 96
Solaris, 61
Oracle Database, 54
AIX, 49

33. Cisco and/or its affiliates. All rights reserved.T-SEC-18-B Cisco Public
Vulnerabilities by Windows Version
XP, 717
Server 2003, 618
Win 2000, 504Vista, 455
Server 2008, 450
Win 7, 325
NT, 247
Win 98, 89 Win 8, 63
Win Me, 57 Server 2012, 56 Win 95,
46

34. Cisco and/or its affiliates. All rights reserved.T-SEC-18-B Cisco Public
Vulnerabilities by Mobile Phone OS
iPhone, 310
Windows, 49
Android, 36
BlackBerry, 13

35. Cisco and/or its affiliates. All rights reserved.T-SEC-18-B Cisco Public
Vulnerabilities by Mobile Phone OS
Android, 166
iPhone, 164
Windows, 54
BlackBerry, 28

36. Cisco and/or its affiliates. All rights reserved.T-SEC-18-B Cisco Public
Microsoft Bulletins
 Contain information on all Microsoft vulnerabilities and
associated CVEs
 Correlate the release dates of the bulletins with the
release dates of the CVEs
 Gives us insight into how often vulnerabilities are 0 day
vulns
– If CVE is published before MS bulletin meaning that
vulnerability information was available before a response
from MS
 No particular reason for choosing Microsoft, except that
they make the information easily available and usable
on their website

37. Cisco and/or its affiliates. All rights reserved.T-SEC-18-B Cisco Public
CVE Correlated with MS Bulletins
Bulletin published
before CVE, 1185
Bulletin published
with CVE, 818
Bulletin publised
after CVE, 268

38. Cisco and/or its affiliates. All rights reserved.T-SEC-18-B Cisco Public
Microsoft 0 day vulnerabilities
 If the MS correlation numbers carry over to other vendors: about 1 out of
every 10 vulnerabilities discovered is known by attackers before the vendor
can patch
– Security products will often not provide protection against these attacks until they
know about it
– Mitigations are more important in this respect
 Attackers could possible evade them, but exploitation cost goes up significantly
 Latest Windows/Linux have plenty of mitigations available by default: Windows 8 has
improved on many of them
 EMET (Free MS tool) can enable protections to make it harder to exploit vulnerabilities in
Windows: e.g., better ASLR, RopGuard.

39. Cisco and/or its affiliates. All rights reserved.T-SEC-18-B Cisco Public
Present
 Let’s take a look at the first quarter of 2014: January 1st
until March 31st 2014
 We will look at total vulnerabilities this year and severity
 We will also look at the top 10 vendor and top 10
products for this quarter
 Note: this data may not be completely up to date: while
the data was retrieved on April 1st, it may not include all
up to date information on a vulnerability, as this may be
updated later.
– This is especially true for the “unknown” vulnerabilities

40. Cisco and/or its affiliates. All rights reserved.T-SEC-18-B Cisco Public
Total vulnerabilities: 2014
2005
2006
2007
2008
2009
2010
2011
2012
2013
2014
0
200
400
600
800
1000
1200
1400
1600
1800
2000
Q1 total Q1 >= 7 Q1 = 10
2005
2006
2007
2008
2009
2010
2011
2012
2013
2014

41. Cisco and/or its affiliates. All rights reserved.T-SEC-18-B Cisco Public
Vulnerability types: 2014
Not enough info
16%
XSS
16%
Buffer Errors
13%
Access Control
13%
Input Validation
10%
SQL
Injection
5%
Resource
Management
5%
Path
Traversal
4%
Information Leak
3%
CSRF
3%
Crypto
3%
Authentication
2%
Numeric Errors
2%
Credentials
2%
Code Injection
2%
Link Following
1% Race Conditions
1%
OS Command
Injection
1%

42. Cisco and/or its affiliates. All rights reserved.T-SEC-18-B Cisco Public
Top 10 Products: 2014
Internet Explorer, 43
Firefox, 37
JDK, 36
JRE, 36
Chrome, 35
Owncloud, 34
Seamonkey, 32
Linux Kernel, 28
iPhone, 24
Thunderbird, 21

43. Cisco and/or its affiliates. All rights reserved.T-SEC-18-B Cisco Public
Future
 Plenty of static analysis tools, mitigations, etc. yet buffer overflows
remain a very important vulnerability now and will probably will in
the future too
 Access control / privilege issues will continue to remain important
in large part due to better privilege separation
 Google will probably start moving up the top 10 more, it entered it
for the first time this year, displacing Adobe
 Fewer vulnerabilities were reported in 2013
– Serious vulnerabilities have remained stable at 1/3rd of the
vulnerabilities
– Critical vulnerabilities have also remained stable at 1/10th of all
vulnerabilities
– In 2014 more vulnerabilities have been reported, slight lower
percentage of serious (but the same in absolute terms), but less critical
ones

44. Cisco and/or its affiliates. All rights reserved.T-SEC-18-B Cisco Public
Vulnerabilities are not the same thing as exploits
 Some vulnerabilities end up not being practically exploitable
– Mitigations
– Too much effort required
– Very specific environmental requirements
 Not reliable
 CVSS doesn’t really take environmental concerns into account
 Microsoft study on exploits: Software Vulnerability Exploitation Trends
 http://www.microsoft.com/en-us/download/details.aspx?id=39680
 Cisco 2014 Annual Security Report
 http://www.cisco.com/web/offers/lp/2014-annual-security-report/index.html

45. Cisco and/or its affiliates. All rights reserved.T-SEC-18-B Cisco Public
Exploits and exploitation
 From Microsoft’s study:
– Looked at a number of vulnerabilities that were classified as remote code execution
(RCE): 06-12
 Looked at about 800 vulnerabilities
 29% were exploited, rest of vulnerabilities were not exploited
 Most vulnerabilities are exploited after patch, but an increasing number of 0day vulnerabilities are
being exploited
 Trends shows that fewer vulnerabilities are being exploited since 2012, coincides with the adoption of
Windows 7 and IE10
 However, there was a lull in 2007 and 2008 too, after Vista was released (the first Windows with real
mitigations)
– Could mean that this is a similar lull with improved mitigations in both Windows 7 and IE10
 In 2012 there were no new exploits vulnerabilities for Windows 2000
– Windows 2000 was end-of-lifed in 2010, so no need for many new vulnerabilities since then, impact could be
interesting for XP

46. Cisco and/or its affiliates. All rights reserved.T-SEC-18-B Cisco Public
Exploits and exploitation
 Microsoft Study also found that
– Stack-based buffer overflows were massively exploited in
2006-2009
 Decline since then: probably due to mitigations
– Heap corruption remained popular entire time
– Increased exploitation of use after free vulnerabilities
 Most exploited vulnerability for Windows 7 and Vista
 Occurs more in client-side applications (browsers)
 No mitigations that address use-after-free specifically
– Study also looks at exploitation techniques
 Exploits increasingly make use of mitigation bypasses

47. Cisco and/or its affiliates. All rights reserved.T-SEC-18-B Cisco Public
Exploits and exploitation
 Cisco Report:
– For web exploits, Java vulnerabilities are the most exploited by attackers:
91% of indicators of compromise monitored by FireAMP were related to Java
 Far fewer related to Flash or PDF
– 1.2% of all web malware target a specific mobile device
– 99% of all that malware targets Android, 0.84% targets J2ME devices (the
second most popular target)
– Most frequently occurring mobile malware was Andr/Qdplugin-A: 43.8%
 Frequently repackaged in legitimate apps distributed on unofficial marketplaces
– General malware types: trojans, 64%; adware 20%, worms 8% and viruses
4%

48. Cisco and/or its affiliates. All rights reserved.T-SEC-18-B Cisco Public
Trends
 Major software projects from important vendors still
have plenty of vulnerabilities
– Some vendors spend a lot of money and effort to improve
the security of their products
– They still suffer from significant vulnerabilities
– Software is more secure today than it has ever been
– Compromises continue
– As with other fields, defenders have to be lucky all the time,
while attackers only need to be lucky once
– Make it as hard as possible for attackers by enabling
mitigations, ensuring significant access control

49. Cisco and/or its affiliates. All rights reserved.T-SEC-18-B Cisco Public
Trends
 Browsers are a very important point of attack
 Vulnerabilities in browsers themselves
– Major browsers are all 3 categories of top 10 of vulnerable products
– Vulnerabilities in file formats parsed by plugins
 Media files
 PDF: in serious and critical top 10
 Java: in all 3 top 10 categories
 Flash: also in serious and critical top 10
– Important to run latest browsers:
 IE10 and Chrome have invested a lot in mitigations
 Disable plugins you don’t need: Java, PDF, etc.

50. Cisco and/or its affiliates. All rights reserved.T-SEC-18-B Cisco Public
Trends
 Mobile phones also suffer from plenty of vulns:
 Ensuring adequate protection on phones (AV, MDM,
etc.) is important
 Malware is important on mobile phones too, not just
vulnerabilities
– Mobile Device Management can help against malware, but
doesn’t really help against vulnerabilities
– Much harder for a user to determine “safe” software
 On PC, legitimate software is acquired from a number of
trusted sources
 On app stores (mainly Android), everything looks legitimate

51. Cisco and/or its affiliates. All rights reserved.T-SEC-18-B Cisco Public
Plan for compromise
 Attackers breaking in is not inevitable, but a real
possibility that must be considered given the number of
vulnerabilities
 Breaking in doesn’t mean total compromise
 Client-side vulnerabilities are very important these days
 Users have a higher risk of being compromised
 Identify most important assets
 Identify risks to those assets
 Mitigate risk
 Access control (firewalls on internal servers)
 Internal detection (IDS/IPS for those servers)
 Use SSL/other encryption internally too

52. Cisco and/or its affiliates. All rights reserved.T-SEC-18-B Cisco Public
Plan for compromise
 Have an incident response plan
 Define what an incident is
 Establish areas of responsibility for investigation and recovery
 Containment
 Can you contain the attacker quickly
 What steps are required to recover from an incident
 Recovery may be different depending on the type of incident
 Determine how to restore asset quickly if compromised
 Need to identify way of entry to prevent future compromises
 Retrospective security can help with this
 Examine extent of intrusion: e.g., must all users change passwords?

53. Cisco and/or its affiliates. All rights reserved.T-SEC-18-B Cisco Public
Conclusion
 Microsoft has significantly improved in the last couple of
years, their browser and mobile OS are better than their
competitors in terms of vulnerabilities discovered
 Google’s entry into the consumer software and hardware
(as opposed to running a web service) has been
accompanied by a significant number of vulnerabilities
 Oracle’s acquisition of Sun has brought quite a number of
extra vulnerabilities under the Oracle banner, some are
even still counted as Sun right now

54. Cisco and/or its affiliates. All rights reserved.T-SEC-18-B Cisco Public
Conclusion
 Vulnerabilities are here to stay
– While serious vulnerabilities have been in decline, total vulnerabilities
are not and neither are critical
– At some point many vendors thought that hunting for enough
vulnerabilities would make software secure
– New features increase the attack surface or make previously non-
exploitable errors exploitable
– Using several non-serious vulnerabilities in concert could result in a
more serious issue
– Buffer overflows have been around for 25 years yet are still one of the
top vulnerabilities
 Full report (up to 2012) available via
http://www.sourcefire.com/25yearsofvulns
 Get rid of XP: end of life was last week, no more security
updates