Most people are too lazy, don't care or don't want to learn about this "stuff"...
InformationWeek
Most people are grossly underestimating the number of vulnerabilities in the software they're using at home and at work, according to a security director at IBM.
Gunter Ollmann, director of security strategy at IBM's Internet Security Systems, said in a blog that 7,247 software bugs were publicly disclosed last year. The issue, though, is that he estimates that there also were 132,115 undisclosed vulnerabilities discovered last year. That means only 5.48% of them were disclosed to the public.
"To be sure, 139,362 new vulnerabilities in a single year is a colossal number, but is it wrong?" asked Ollmann in his blog entry. "Too many people underestimate the number of vulnerabilities in the software they use at home and in the enterprise office. Public vulnerability disclosures provide only a small window into the total number of vulnerabilities uncovered on an annual basis."
What does that mean to the IT or security manager trying to protect their network?
"If you're basing your protection strategy upon keeping up solely with public vulnerability disclosures, you're missing almost 95% of the vulnerabilities actually out there (this year)," said Ollmann. "If your defense systems are designed to protect against specific vulnerabilities (i.e. signature-based), it probably means that it was designed to protect a subset of publicly disclosed vulnerabilities. Preemptive protection engines are needed for the remaining 97% of annual vulnerabilities."
Where's the disconnect between bugs discovered and bugs reported?
Ollmann said it's a multipronged problem. For instance, vulnerabilities discovered internally by the vendor are generally patched silently. Flaws reported to the vendor by outside researchers are often kept quiet until a fix is ready. And sometimes researchers simply think a bug is too "lame" to bother reporting.
Read all about it here, courtesy of informationweek.com
Eric