Wall Street Wonderland

The good, the bad and the unspeakably ugly and everything in between, so help us!

Friday, June 01, 2007

IBM: Public vulnerabilities are tip of the iceberg

No shit, Sherlock.

IBM's Internet Security Systems division has warned that there is a "colossal difference" between the number of publicly disclosed security vulnerabilities and the number of vulnerabilities that are discovered but not publicly disclosed.

Internet Security Systems' director of security strategy, Gunter Ollmann, wrote in his blog that although ISS researchers had analyzed a little more than 7,000 publicly disclosed vulnerabilities last year, the number of new security vulnerabilities found in code could be as high as 139,362 per year.

Ollmann arrived at this estimate by taking into account vulnerabilities that have been disclosed to a software vendor and are currently undergoing remediation, and vulnerabilities discovered internally by a vendor and patched silently.

He added that zero-day vulnerabilities may have been purchased by organizations from security researchers, and are then released under nondisclosure agreements to those organizations' customers. Other organizations and hackers also stealthily use zero-day vulnerabilities to produce malicious software, according to Ollmann.

Ollmann wrote that the total becomes "colossal" once you also count vulnerabilities discovered under contract with a security service (for example, during penetration testing), vulnerabilities that researchers deem "too lame" to bother reporting to the vendor, and vulnerabilities in non-English-language software that some analysts consequently cannot assess.

However, some security experts questioned Ollmann's definition of known and unknown vulnerabilities.

"What (Ollmann) is classing as new and unknown vulnerabilities are really processes by which they become known," said Greg Day, U.K. analyst for security vendor McAfee. Day added that while penetration testing does reveal vulnerabilities, these are never made public and are patched internally, reducing the risk of an exploit.

Andy Buss, senior analyst for analysis firm Canalys, pointed out that many internal systems weren't directly exposed to the Internet, and said the risk stated by ISS needed to be "taken with a pinch of salt." However, he added that ISS's estimate of the number of undiscovered vulnerabilities was "conservative."

"IBM ISS are likely to be being conservative with (139,362) given how much in-house software never gets tested," Buss told ZDNet. "In my view, the number is probably way higher than that."
