NOW READ THIS
("Security Advisory")
Submitted by: Bill Hickey
NCVA List Master
NRT-0192 Most Security Vulnerabilities Not Disclosed:
There is a "colossal difference" between the number of publicly disclosed security vulnerabilities and the number of flaws that are discovered but not publicly disclosed, according to research by Gunter Ollmann of IBM's Internet Security Systems (ISS) division. Ollmann wrote in his blog that although ISS researchers had analyzed a little more than 7,000 publicly disclosed vulnerabilities last year, the number of new security vulnerabilities found in code could be as high as 139,362 per year. He arrived at this estimate by taking into account vulnerabilities that have been disclosed to a software vendor and are currently undergoing remediation, and vulnerabilities discovered internally by a company and patched silently. He added that zero-day vulnerabilities may have been purchased by organizations from security researchers, and are then released under nondisclosure agreements to those organizations' customers. Other organizations and hackers also stealthily use zero-day vulnerabilities to produce malicious software, according to Ollmann.
(news.zdnet.com 01JUN07)
Last Modified: Friday, 08-Jun-2007 20:45:37 EDT