Gunter Ollmann, a security director at IBM, says most people grossly underestimate the number of vulnerabilities in software they're using at home and at work. He says the 7,247 vulnerabilities that were disclosed last year were just the tip of the iceberg:
The issue, though, is that he estimates that there also were 132,115 undisclosed vulnerabilities discovered last year. That means only 5.48% of them were disclosed to the public.
"To be sure, 139,362 new vulnerabilities in a single year is a colossal number, but is it wrong?" asked Ollmann in his blog entry. "Too many people underestimate the number of vulnerabilities in the software they use at home and in the enterprise office. Public vulnerability disclosures provide only a small window into the total number of vulnerabilities uncovered on an annual basis."
What does that mean to the IT or security manager trying to protect their network?
"If you're basing your protection strategy upon keeping up solely with public vulnerability disclosures, you're missing almost 95% of the vulnerabilities actually out there (this year)," said Ollmann. "If your defense systems are designed to protect against specific vulnerabilities (i.e. signature-based), it probably means that it was designed to protect a subset of publicly disclosed vulnerabilities. Preemptive protection engines are needed for the remaining 97% of annual vulnerabilities."
