February 27, 2014

Did the number of vulnerabilities reported in IBM products jump by 400% from 2012 to 2013?

That finding comes from a new study, released Wednesday by vulnerability management security firm Secunia at the RSA conference, of the top types of software vulnerabilities facing enterprise networks. That information is crucial for helping IT administrators prioritize which applications and operating systems to patch first.

Overall, Secunia received reports on 13,073 new vulnerabilities in software products in 2013 -- comprising 2,289 products from 539 different vendors -- and said 16.3% of the bugs were rated "highly critical," meaning they can be used to remotely exploit systems. Finally, 0.4% of the vulnerabilities were rated "extremely critical," meaning bugs that could be used to remotely exploit systems and that were also being actively targeted by in-the-wild attacks.

From 2012 to 2013, the total number of vulnerabilities seen by Secunia increased by 32%. Secunia officials said the spike largely stemmed from vulnerabilities reported in IBM products jumping from 772 bugs in 2012 to 4,181 bugs in 2013. Of those, 74% could be used to attack a remote network, 20% a local network, and 7% a local system.

Asked to comment on Secunia's findings, IBM offered a different set of statistics, based on counting any given vulnerability, even if present in more than one of its products, only once. "It's important that these vulnerabilities are measured accurately," said IBM spokeswoman Nicole Trager via email. "IBM reports unique vulnerabilities -- each unique vulnerability could affect more than one IBM product."

... Read the full story on Information Week