Goodbye 2005, welcome 2006 (year statistics)

As 2005 comes to an end, we can look back and try to use that to guess what we would see in 2006 … but let's first summarize what we had:
1) Over 1500 new vulnerability groups (we call them ‘groups’ since we don’t split an SQL injection and its CSS counterpart into two advisories), which is up by roughly 300 compared to last year.

2) A surge in exploits (i.e. advisories with little technical detail, the majority of which is a PoC or an actual exploit) from 150 to 295.

3) The number of Microsoft related advisories (not just MSXX-XXX) has jumped from 66 to 133, a little bit more than double.

4) IIS related vulnerabilities have declined from 13 to 8.

5) A decrease in the number of Apache related advisories from 23 to 11.

6) The busiest month was May, with over 170 new articles (roughly 6 articles per day, including the weekends).

So what will 2006 bring? My estimate is that we’ll see MORE vulnerabilities. Why? Simply because as more software comes into the consumer market, it is more likely that people will find vulnerabilities in it.

As more Web-based products emerge, SQL injection, Directory Traversal, Cross Site Scripting and the like will become the majority of vulnerabilities, while Buffer Overflows and Format Strings become the minority.

The number of “Phishing” attacks will greatly increase, and become a lot more clever as the thieves get smarter and the methods become simpler. “Phishing” will also start utilizing more custom made Spyware and exploits, to try and make the victim believe that they are not being “Phished”.

  • noam

    CNN have revealed some staggering statistics on the number of security breaches… Record bad year for tech security

  • ryan

    Hello Noam, where are these stats coming from?

  • aviram

    Ryan – it is all from, of course.

    Some more stats (including break down by vendor) are available here:

  • Matthew Murphy

    #1 will keep going up. New tech = new vulns, and tech isn’t slowing down anytime soon.

    #2 will probably keep going up as more vendors try to get more hard-nosed with the community and are no more responsive (MS, Cisco, etc.)

    #3 may be due to the advent of the security advisory as a supplement to bulletins. Further, there were more MS bulletins patching more vulnerabilities this year than in years previous (+10 from last year) and Microsoft’s monthly batching of patches means more patches solve multiple vulnerabilities, meaning that more disclosures pertaining to each will be released. Expect this to continue to rise as Microsoft struggles to break free from the notion that it doesn’t practice initiative in solving software vulnerabilities. It has a lot to do in that regard.

    #4 One reason for this: IIS 6.0. The fact that IIS 6 did away with the plethora of on-by-default code that led to worms like Code Red has made it a less-interesting target. IIS as a code base is maturing, as well, because (with the exception of ASP.NET), Microsoft hasn’t added much in the way of exposed functionality. Most of the changes in IIS 6 were designed to increase security, scalability, or stability. Expect IIS 7.0 to offer relatively few new features, but continue working to secure the platform.

    #5 This can be accounted for by the slow, painful maturity of the bug-ridden Apache 2.0. Unfortunately, I wholly expect that Apache 2.2 (based on 2.0’s extremely-buggy code base) will more than likely yield more vulnerabilities. Expect a rash of holes to be reported as 2.2 becomes stable. I’d also expect the combined usage of 2.x releases of Apache to remain under 10% of total Apache sites, with the more secure Apache 1.3 remaining the dominant force for the foreseeable future.

    #6 could perhaps be accounted for by the fact that many universities and other educational institutions (at least here in the U.S.) let students out around that time frame. As a result, the number of people writing and publishing exploits increases slightly during that frame. May is also when Microsoft tends to patch the first reported vulnerabilities of the new year.

    I do agree with your conclusions:

    * We will see more vulnerabilities uncovered.

    * The types of vulnerabilities will change. Expect vulnerabilities in web applications (both client-side and server-side) to be a continued area of growth, while systems vulnerabilities (OSes, servers, etc.) will, for the most part, decline, as code bases have become more secure and stable.

    * Phishing will remain a threat so long as it is as profitable as it is now. Unfortunately, I’d expect margins to keep growing as phishers adapt to current defensive techniques.

    In general, attacks on *users* are still an area of high profit. As vendors fix product holes or make them harder to exploit (à la Windows XP SP2), the susceptibility of users to deception will increasingly be the weakest link in system security.

    Attacks like buffer overflow exploits may be replaced by things like request forgery, phishing, and simple interface manipulation (drag-and-drop, anyone?).