IBM: Public vulnerabilities are tip of the iceberg

Total number of security vulnerabilities is far greater than the flaws that are disclosed publicly, claims IBM's Internet Security Systems division

IBM's Internet Security Systems division has warned that there is a "colossal difference" between the number of publicly disclosed security vulnerabilities and the number of vulnerabilities that are discovered but not publicly disclosed.

Internet Security Systems' director of security strategy, Gunter Ollmann, wrote in his blog that although ISS researchers had analysed just over 7,000 publicly disclosed vulnerabilities last year, the number of new security vulnerabilities found in code could be as high as 139,362 per year. Ollmann arrived at this estimate by taking into account vulnerabilities that have been disclosed to a software vendor and are currently undergoing remediation, and vulnerabilities discovered internally by a vendor and patched silently.

He added that zero-day vulnerabilities may be bought from security researchers by organisations that then release them, under non-disclosure agreements, to their own customers. Other organisations and hackers also use zero-day vulnerabilities stealthily to produce malware, according to Ollmann.

According to Ollmann, vulnerabilities discovered under contract — for example, through penetration testing — plus vulnerabilities that researchers deem "too lame" and consequently never disclose to the vendor, and vulnerabilities in non-English software that some analysts consequently cannot understand, together add up to "a colossal number" of total vulnerabilities.

However, some security experts questioned Ollmann's definition of known and unknown vulnerabilities. Greg Day, UK analyst for security vendor McAfee, told ZDNet.co.uk: "What [Ollmann] is classing as new and unknown vulnerabilities are really processes by which they become known." Day added that while penetration testing does reveal vulnerabilities, these are never made public and are patched internally, reducing the risk of an exploit.

Andy Buss, senior analyst for analysis firm Canalys, pointed out that many internal systems weren't directly exposed to the internet, and said the risk stated by ISS needed to be "taken with a pinch of salt". However, he added that ISS's estimate of the number of undiscovered vulnerabilities was "conservative".

"IBM ISS are likely to be being conservative with [139,362] given how much in-house software never gets tested," Buss told ZDNet.co.uk. "In my view, the number is probably way higher than that."

McAfee's Day said he wouldn't like to put a figure on the number of undisclosed vulnerabilities. "The simple reality is there's so much code — in applications, in systems and infrastructures, there's a huge potential to be capped or tested. I wouldn't like to say whether [139,362] is high or low," he said.