600 Security Vulnerabilities in Q1 2005

[This was originally published on the OSVDB blog.]


600 Security Vulnerabilities in Q1 2005
By Nate Mook, BetaNews
May 2, 2005, 5:04 PM

According to a study published Monday by the SANS Institute, more than 600 new security vulnerabilities cropped up in the first three months of 2005. Although Microsoft leads the top 20 most critical security issues, hackers are turning their attention to third party software such as media players and databases.

SANS says the new list represents only security vulnerabilities found or patched in Q1 2005. Although SANS usually issues a yearly Top20 list, the group has moved to quarterly updates to aid organizations in recognizing potential security issues that could affect them.

Vulnerabilities found or patched? This is an odd way to track vulnerabilities in a given time frame. Aside from that, 600 in Q1 expands to roughly 2400 in 2005, significantly less than previous years. The real question.. where did SANS get their statistics from?

Ginger & Photon

[This was originally published on the OSVDB blog.]

Recently at the CanSec West conference, Window Snyder from Microsoft gave a talk about Windows XP SP2 security internals. Looking past a bulk of the talk, one portion of it stuck out in the minds of many vulnerability researchers. Unfortunately, the press has only given it a small blurb in the various articles so far.

From http://www.theregister.co.uk/2005/05/09/microsoft_on_sp2_security_process/

Moreover, the company found and fixed two classes of vulnerabilities that have not been discovered elsewhere, she said.

“These are entire classes of vulnerabilities that I haven’t seen externally,” Snyder said. “When they found these, (the developers) went on a mission, found them in all parts of the system, and got rid of them.”

Snyder remained mum on the details, however, even giving the families of vulnerabilities fake code names: “Ginger” and “Photon.”

Two entire classes of vulnerabilities discovered and fixed, that have never been seen externally? This seems a bit difficult to believe to me. I recall over the last few years during various conversations and email discussions where I challenged someone to name the last class of vulnerabilities that surfaced. Not counting these, I believe it has been years?

Anyone have fun speculation regarding what Ginger and Photon might be? Could they be found nowhere else because they are native to Microsoft/Windows? Could it be a big PR gig to further promote trustworthy computing?