Frequency-X Blog
Remotely Exploitable Trends in 2007
Posted by Gunter Ollmann on February 12, 2008 at 11:36 AM EST.
There are lots of interesting graphs and statistics in the report and, as with most scary security stats, you’ll probably be seeing them referred to lots of times throughout the year.
Remote vs. Local Exploitation
One set of statistics within the report that I found interesting (and probably in need of some clarification) concerns the trends in “Remote vs. Local Exploitation” (found on page 20 of the report).
Since the year 2000, there has been a clear increase in the percentage of publicly disclosed vulnerabilities that can be remotely exploited. For reference, the data table has been reproduced below.
As of last year, remotely exploitable vulnerabilities constituted 89.4 percent of all public disclosures – a slight increase over the previous year, but a doubling overall since 2000.
Why? Are people spending more time looking for remotely exploitable vulnerabilities so they can reap the highest rewards when they come to sell them? – I don’t think so.
Back in 2000, probably only around half of the applications we used or installed on our PCs were “network aware”. Today, just about every application has some degree of Internet functionality – and those that don’t often have controls that can be called from within Web browsers, or have file formats that are commonly auto-opened by other Internet applications.
Towards a remotely exploitable future
Projecting forward in time, I’d expect this trend towards a greater proportion of remotely exploitable vulnerabilities to continue as the software industry increasingly incorporates network functionality into its new applications and functionality updates.
Does this trend pose an additional threat to business? Yes. Having vulnerabilities that are remotely exploitable is definitely not a good thing. However, if greater network integration increases the usability (and productivity) of the software, businesses will need to evaluate the risks in that context (and I know what decision I’d place my money on if it ever came to a bet).
To counteract this, what I’d like to see are corresponding advances in auto-updating mechanisms for all these “Internet aware” applications – preferably just having one interface/tool (rather than the 5+ that I tend to see popping up at various times, working to their own mysterious schedules) – and that any security updates are applied automatically, promptly, and without the need to reboot the PC.
Microsoft has done an OK job so far with their Windows Update feature – but I really do think that their updating mechanism needs to expand and encompass other vendors’ software, and for it to become a complete updating platform.