Remotely Exploitable Trends in 2007

Posted by Gunter Ollmann on February 12, 2008 at 11:36 AM EST.

For those of you who may have missed it, X-Force publicly released their annual threat report for 2007 yesterday.

There are lots of interesting graphs and statistics in the report and, as with most scary security stats, you’ll probably be seeing them referred to lots of times throughout the year.

Remote vs. Local Exploitation

One set of statistics within the report that I found interesting (and probably in need of some clarification) concerns the trends in “Remote vs. Local Exploitation” (found on page 20 of the report).

Since the year 2000, there has been a clear increase in the percentage of publicly disclosed vulnerabilities that can be remotely exploited. For reference, the data table has been reproduced below.

Brief table explanation: The most significant vulnerabilities are those that can be exploited remotely. Remote vulnerabilities can be exploited over the network, while local vulnerabilities can only be exploited by logging in to the local host or from the desktop. Vulnerabilities falling into both remote and local categories can be exploited by both vectors.

As of last year, remotely exploitable vulnerabilities constituted 89.4 percent of all public disclosures – a slight increase over the previous year, but a doubling overall since 2000.

Why? Are people spending more time looking for remotely exploitable vulnerabilities so they can reap the highest rewards when they come to sell them? – I don’t think so.
I believe that this percentage increase in remote exploitability reflects a parallel increase in the general networked and integrated applications that we use today.

Back in 2000, probably only around half of the applications we used or installed on our PCs were “network aware”. Today, just about every application has some degree of Internet functionality – and those that don’t often have controls that can be called from within Web browsers or have file formats that are commonly auto-opened by other Internet applications.

Towards a remotely exploitable future

Projecting forward in time, I’d expect to see this trend towards a greater proportion of remotely exploitable vulnerabilities continue as the software industry increasingly incorporates network functionality into its new applications and functionality updates.

Does this trend pose an additional threat to business? Yes. Having vulnerabilities that are remotely exploitable is definitely not a good thing. However, if greater network integration increases the usability (and productivity) of the software, businesses will need to evaluate the risks in that context (and I know what decision I’d place my money on if it ever came to a bet).

To counteract this, what I’d like to see are corresponding advances in auto-updating mechanisms for all these “Internet aware” applications – preferably just having one interface/tool (rather than the 5+ that I tend to see popping up at various times, working to their own mysterious schedules) – and that any security updates are automatically applied (promptly) and without the need to reboot the PC.

Microsoft has done an OK job so far with their Windows Update feature – but I really do think that their updating mechanism needs to expand and encompass other vendors’ software, and for it to become a complete updating platform.

    Copyright 2001-2008 © Gunter Ollmann