The annual IBM Internet Security Systems (ISS) security trends report published this week shows 7,427 software bugs were catalogued last year, an increase of 39.5% over the number of vulnerabilities identified in 2005.
IBM listed itself among the Top 10 vendors whose products accounted for 964 of the 7,424 disclosed software vulnerabilities. According to the report, the Top 10 vendors for last year, in descending order, are Microsoft, Oracle, Apple, Mozilla, IBM, Linux Kernel Organisation, Sun, Cisco, HP and Adobe Systems.
The report says 86% of the Top 10 vendors’ publicly disclosed vulnerabilities received a software patch.
The remaining 2006 vulnerabilities are ascribed to “other vendors,” and 65% of these software flaws were patched, according to the IBM ISS report.
The 39.5% spike in the number of vulnerabilities can be attributed to the type of tools security experts now use to evaluate software, said Gunter Ollmann, director of the X-Force research and rapid-response division within Internet Security Systems. “The use of fuzzing technology in the automated tools can find where bugs lie,” Ollmann said.
Automated fuzzing tools typically run scripts that are tuned to throw garbled data at an application and see how it handles it, revealing many unwanted code-execution risks. These are often catalogued as medium risks, rather than high- or low-risk.
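To make the mechanism concrete, here is an added example (not from the report or from IBM ISS) of the kind of mutation fuzzing described above: a small constructed tag-length-value parser with a deliberate missing bounds check stands in for the application, a bounds-checked variant stands in for the patched version, and an unexpected exception is used as the stand-in for a crash. Seeds, parser and mutation strategy are all assumptions chosen for the example.

```python
import random

# Constructed toy fuzz target: records of (1-byte tag, 1-byte length, value).
# The defect is deliberate for the example: it reads the length byte without
# checking that it exists, so a record truncated after its tag raises IndexError.
def parse_tlv(data: bytes) -> list:
    records, i = [], 0
    while i < len(data):
        tag, length = data[i], data[i + 1]      # unchecked read -> IndexError
        records.append((tag, data[i + 2:i + 2 + length]))
        i += 2 + length
    return records

# Hardened variant: every read is bounds-checked and malformed input is
# rejected with one expected exception type instead of an internal error.
def parse_tlv_checked(data: bytes) -> list:
    records, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or i + 2 + data[i + 1] > len(data):
            raise ValueError("malformed record at offset %d" % i)
        tag, length = data[i], data[i + 1]
        records.append((tag, data[i + 2:i + 2 + length]))
        i += 2 + length
    return records

def mutate(seed: bytes, rng: random.Random) -> bytes:
    """One random byte-level mutation: bit flip, byte insert, or truncation."""
    buf = bytearray(seed)
    op = rng.randrange(3)
    if op == 0 and buf:
        buf[rng.randrange(len(buf))] ^= 1 << rng.randrange(8)
    elif op == 1:
        buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))
    elif buf:
        del buf[rng.randrange(len(buf)):]
    return bytes(buf)

def fuzz(target, seeds, iterations=2000, rng_seed=1) -> dict:
    """Throw mutated seeds at target; map each exception type to the first input that raised it."""
    rng = random.Random(rng_seed)
    findings = {}
    for _ in range(iterations):
        case = mutate(rng.choice(seeds), rng)
        try:
            target(case)
        except Exception as exc:                # an unexpected exception is a "crash"
            findings.setdefault(type(exc).__name__, case)
    return findings

SEEDS = [b"\x01\x03abc\x02\x01z", b"\x05\x00"]  # constructed well-formed inputs

if __name__ == "__main__":
    print("unchecked parser:", sorted(fuzz(parse_tlv, SEEDS)))
    print("checked parser:  ", sorted(fuzz(parse_tlv_checked, SEEDS)))
```

The unchecked parser surfaces an internal IndexError within a few hundred mutations, while the checked one only ever reports the ValueError it was designed to raise; the triage of such findings into medium, high or low risk is the manual step the report alludes to.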