Criminals Pay High Price To Keep Security Vulnerabilities Hidden

Dennis Faas

The annual "X-Force" report, recently released by Internet Security Systems (ISS), part of IBM Corp., says 6,437 security flaws were acknowledged by network and software vendors in 2007, down 5.4 percent from 2006. (Source:

While the number of publicly reported security vulnerabilities fell last year, security researchers caution that this does not mean the web got any safer.

ISS Chief Technology Officer Chris Rouland said that in at least 10 years of counting he had never seen that figure drop. Rouland suggests the 2007 count would have been higher had a black market not emerged: one willing to pay up to $100,000 (68,766 euros) to researchers who find such flaws and sell the details to criminal gangs eager to exploit them, rather than disclosing them to the vendor.

Richard Jacobs, Chief Technology Officer of Sophos PLC, questioned how much difference undisclosed vulnerabilities make for companies, governments and everyday computer users, since corporate technology staffs often take months or even years to patch holes that are already widely publicized.

Toby Weiss, CEO of Application Security Inc., said the drop in total vulnerabilities mattered less than another of ISS's findings: the number of critical security holes, those that let an outside attacker do the most damage on a network, rose by 28 percent in 2007. Counting the total number of vulnerabilities, Weiss noted, is old-school thinking.

Some security researchers also suspect that software vendors are themselves buying information on vulnerabilities so they can fix them quietly, without public disclosure. "It is profitable not to publicly report a vulnerability," says Rouland. Consequently, there is no way to tell how many security vulnerabilities go undocumented.
