Goodbye 2005, welcome 2006 (year statistics)
As 2005 comes to an end, we can look back at the year and use it to guess what we will see in 2006, but let's first summarize what we had:
1) Over 1500 new vulnerability groups (we call them 'groups' since we don't split an SQL injection and its cross-site scripting counterpart in the same product into two advisories), up by roughly 300 compared with last year.
2) A surge in exploits (i.e. advisories with little technical detail, consisting mostly of a PoC or a working exploit), from 150 to 295.
3) The number of Microsoft related advisories (not just those carrying an MSXX-XXX bulletin number) has jumped from 66 to 133, a little more than double.
4) IIS related vulnerabilities have declined from 13 to 8.
5) A decrease in the number of Apache related advisories from 23 to 11.
6) The busiest month was May, with over 170 new articles (roughly 6 articles per day, weekends included).
So what will 2006 bring? My estimate is that we'll see MORE vulnerabilities. Why? Simply because as more software comes into the consumer market, it is more likely that people will find vulnerabilities in it.
As more Web based products emerge, SQL injection, Directory Traversal, Cross Site Scripting and similar web flaws will become the majority of vulnerabilities, while Buffer Overflows and Format String bugs become the minority.
The number of "Phishing" attacks will greatly increase, and they will become a lot more clever as the thieves get smarter and the methods become simpler. "Phishing" will also start utilizing more custom made Spyware and exploits, to try and make the victim believe that they are not being "Phished".