Vulnerabilities Abound in 2010

Volume 16 of the Symantec Internet Security Threat Report covers trends in the Internet security threat landscape during 2010. It has been an interesting year, to say the least. We saw vulnerabilities implicated in major events such as the Trojan.Hydraq Incident, the Stuxnet attacks, and numerous zero-day attacks.

Here are some highlights:

- In terms of the sheer number of new vulnerabilities discovered, 2010 was a record year. At the time of writing, we documented 6,253 new vulnerabilities over the year.

- The rise in vulnerabilities was influenced by an increase in the number of new vendors that were affected by vulnerabilities in 2010. In 2010, Symantec documented 1,914 new vendors that were impacted by vulnerabilities, compared to 734 new vendors in 2009.

- This also means that the total number of vendors reporting vulnerabilities has increased, along with the number of security researchers reporting vulnerabilities.

- Vulnerabilities affecting new vendors are a growth area for high severity vulnerabilities. Symantec documented a 591 percent increase in high severity vulnerabilities affecting new vendors in 2010 over the previous year. This is likely due to the combination of efforts from security researchers and new vendors to identify high severity vulnerabilities.

- “Bug bounty” and vulnerability acquisition programs also likely influenced the rise of vulnerabilities. In 2010, Google started its own bug bounty program to reward security researchers for discovering vulnerabilities, following the approach used by Mozilla with its own bug bounty program that started back in 2004. These types of programs collectively released 338 new advisories in 2010, an increase over the 180 such advisories in 2009.

For more vulnerability highlights and other insights into the threat landscape in 2010, check out the latest Symantec Internet Security Threat Report.