Monday, November 3, 2008

Decrease in vulnerabilities: a myth

Joseph Tartakoff just published statistics on the number of vulnerabilities in Microsoft products. They have decreased by 38% in six months. That certainly seems to be good news, yet I would like to point out two less encouraging possible explanations for it:
  1. It's possible that the number of vulnerabilities decreased simply because the people looking for vulnerabilities (whether white, grey or black hat) don't focus on the operating system as much anymore. Online applications have come to replace a lot of our previous applications.
  2. It's possible that the numbers don't reflect the actual number of vulnerabilities, because the vulnerabilities that are found are sold to the black-hat underground rather than published in the open.
Furthermore, Joseph Tartakoff emphasizes that Vista gets fewer vulnerabilities than XP. This is to be expected, as Vista's very low adoption rate makes it a less interesting target of analysis for both security researchers and attackers.

I am quite skeptical about the interpretation of any vulnerability statistics. Unless the numbers were zero or infinite, I don't think we can get anything productive out of them.