Year after year, buffer overflows have been a major source of software security issues, ranking as a top vulnerability throughout many of the last 25 years, according to a recent analysis from Sourcefire. In a report analyzing the entire CVE and NVD databases, which date back to 1988, Sourcefire senior research engineer Yves Younan found that vulnerabilities have generally decreased over the past couple of years before rising again in 2012. Younan suggested that efforts to improve security through the use of tools such as static analysis have also helped reduce the number of issues with high severity classifications.
Top vulnerability types
The overall number of vulnerabilities saw rapid growth from 1988 to 2005, peaking in 2006, the report noted. Since 2006 there was a steady decline until 2012, which saw a return to 2008-2009 levels. In terms of high severity vulnerabilities (those with a CVSS score of 7 or higher), there was a consistent increase until 2007, and there has been a steady decline since. Taken as a percentage of overall disclosures, high severity vulnerabilities reached their lowest level in 2012, accounting for just 33.33 percent of incidents.
Looking only at critical vulnerabilities (those with a CVSS score of 10), however, 2012 experienced a spike, both in terms of overall numbers and percentage of the whole. One of the reasons for the trends in severity is that the nature of common vulnerabilities has shifted slightly over the years. For instance, the low percentage of critical vulnerabilities in certain years could be tied to a large number of cross-site scripting (XSS) flaws, which are rarely critical.
In total, buffer overflow errors accounted for 14 percent of all vulnerabilities over the past 25 years, followed by XSS, access control, SQL injection and input validation vulnerabilities, respectively. Looking only at high severity vulnerabilities, however, buffer errors made up 23 percent of the total, while SQL injection flaws accounted for 20 percent, followed by code injection and access control problems (both 10 percent).
For critical vulnerabilities, buffer errors made up 35 percent of the total. Although many critical errors lacked information to provide classification, this data was enough for Younan's team to name the buffer overflow as "the vulnerability of the quarter-century."
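The report's method of slicing a CVE dataset by CVSS severity tier and then ranking vulnerability types within each tier can be reproduced on any export of CVE records. The script below is an added example, not Sourcefire's or Klocwork's code: it uses the same thresholds the article quotes (CVSS 7 or higher for high severity, 10 for critical) over a small set of constructed records with placeholder CVE ids, and reports the type share per tier and the high/critical share per year.

```python
from collections import Counter

# Constructed sample records (placeholder ids, not real CVE data).
# Each record carries the fields the analysis needs: year, CVSS base score, type.
SAMPLE_RECORDS = [
    {"id": "CVE-0000-0001", "year": 2011, "cvss": 10.0, "type": "buffer error"},
    {"id": "CVE-0000-0002", "year": 2011, "cvss": 7.5, "type": "sql injection"},
    {"id": "CVE-0000-0003", "year": 2011, "cvss": 4.3, "type": "xss"},
    {"id": "CVE-0000-0004", "year": 2011, "cvss": 10.0, "type": "buffer error"},
    {"id": "CVE-0000-0005", "year": 2011, "cvss": 9.3, "type": "code injection"},
    {"id": "CVE-0000-0006", "year": 2012, "cvss": 5.0, "type": "access control"},
    {"id": "CVE-0000-0007", "year": 2012, "cvss": 10.0, "type": "sql injection"},
    {"id": "CVE-0000-0008", "year": 2012, "cvss": 6.8, "type": "buffer error"},
    {"id": "CVE-0000-0009", "year": 2012, "cvss": 4.3, "type": "xss"},
    {"id": "CVE-0000-0010", "year": 2012, "cvss": 7.2, "type": "buffer error"},
]

# Thresholds as used in the article: high = CVSS >= 7, critical = CVSS 10.
HIGH_THRESHOLD = 7.0
CRITICAL_SCORE = 10.0


def tier_of(score):
    """Map a CVSS base score to the tier names used in the report."""
    if score >= CRITICAL_SCORE:
        return "critical"
    if score >= HIGH_THRESHOLD:
        return "high"
    return "other"


def type_shares(records):
    """Percentage of records belonging to each vulnerability type, rounded to 2 dp."""
    total = len(records)
    if total == 0:
        return {}
    counts = Counter(r["type"] for r in records)
    return {t: round(100.0 * n / total, 2) for t, n in counts.items()}


def top_type(records):
    """Most common vulnerability type in the given slice, or None if empty."""
    if not records:
        return None
    return Counter(r["type"] for r in records).most_common(1)[0][0]


def share_by_year(records, min_score):
    """Per-year percentage of records whose CVSS score is at least min_score."""
    per_year = Counter(r["year"] for r in records)
    hits = Counter(r["year"] for r in records if r["cvss"] >= min_score)
    return {y: round(100.0 * hits[y] / n, 2) for y, n in sorted(per_year.items())}


def summarize(records):
    """Reproduce the report's view: counts, tier shares and type ranking per tier.

    The critical tier is a subset of the high tier, as in the article."""
    high = [r for r in records if r["cvss"] >= HIGH_THRESHOLD]
    critical = [r for r in records if r["cvss"] >= CRITICAL_SCORE]
    total = len(records)
    return {
        "counts": {"all": total, "high": len(high), "critical": len(critical)},
        "high_share_pct": round(100.0 * len(high) / total, 2) if total else 0.0,
        "critical_share_pct": round(100.0 * len(critical) / total, 2) if total else 0.0,
        "by_type": {
            "all": type_shares(records),
            "high": type_shares(high),
            "critical": type_shares(critical),
        },
        "top_type": {
            "all": top_type(records),
            "high": top_type(high),
            "critical": top_type(critical),
        },
    }


if __name__ == "__main__":
    summary = summarize(SAMPLE_RECORDS)
    for tier in ("all", "high", "critical"):
        print(f"{tier:>8}: n={summary['counts'][tier]:<3} "
              f"top={summary['top_type'][tier]!r} shares={summary['by_type'][tier]}")
    print("high share by year:", share_by_year(SAMPLE_RECORDS, HIGH_THRESHOLD))
    print("critical share by year:", share_by_year(SAMPLE_RECORDS, CRITICAL_SCORE))
```

Because the critical slice is counted inside the high slice, the two tiers answer different questions, which is why a type can dominate the critical ranking while sitting lower in the overall ranking, as the article observes for buffer errors. Real CVE exports carry the score and weakness type under different field names, so the record loader is the only part that would change.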
Most commonly affected vendors and products
Among the surprises the study uncovered was the fact that the Linux kernel had the most CVEs reported of any product over the 25-year period, Younan told CSO Online. Additionally, while Adobe's Flash Player is often considered a major security offender, it did not rank among the top products for vulnerabilities. Part of the reason Linux ranked so highly is that its vulnerabilities are all considered part of a single product, while each version of Windows, for instance, is considered a new product. Other top products included Firefox, Mac OS X, Chrome, Windows XP and Internet Explorer.
Microsoft was the vendor with the most overall vulnerabilities, as well as the most high severity vulnerabilities, according to the report. Trailing Microsoft in overall vulnerabilities were Apple, Oracle, IBM, Sun, Cisco, Mozilla, Linux, HP and Adobe, respectively. When only critical vulnerabilities were considered, Oracle was the top vendor, followed by HP, while Microsoft dropped to sixth place and Apple fell to 10th.
While the Android operating system is often seen as more of a threat than iOS, the iPhone overwhelmingly topped the list of mobile phone vulnerabilities, partly due to limited focus on security following its release. Apple has also had significant CVE growth in recent years, while Android, the current mobile leader, actually saw a decline from 2011 to 2012.
"One of Android's advantages is that it's based on Linux, so a lot of vulnerabilities have already been fixed," Younan told CSO, adding that there may be new problems in coming years as features are added.
In all cases, Sourcefire noted that vendors' increased attention to security could be correlated with reduced vulnerabilities. As vendors continue to reduce vulnerabilities and improve software security, methods such as source code analysis will be an important part of their success.
Software news brought to you by Klocwork Inc., dedicated to helping software developers create better code with every keystroke.