IBM Corp. has revised a mid year software security report it released last week, and restated some figures on software vulnerabilities that had put Google near the top of a list of vendors with the highest percentage of unpatched and critical software vulnerabilities.
Writing on its security blog over the weekend, Tom Cross, a manager on IBM’s X-Force security team, said that the company’s Mid-Year Trend and Risk Report got the numbers wrong when reporting on the number of unpatched and critical unpatched software holes attributable to major vendors.
The original report, as reported by Threatpost.com and other news outlets, listed search giant Google as the vendor with the highest percentage of critical and high software holes with no patch – fully 33%. Sun topped the list of software firms with the highest percentage of unpatched holes overall in that report, with 24% of vulnerability disclosures in the first six months of 2010 still without a patch.
Those reports prompted a protest from Google on a number of grounds. Security Team member Adam Mein noted on the company’s Security Blog that IBM’s 33% number referred to a single unpatched hole (out of three total). Even that issue – a stack overflow problem – was miscategorized as a security hole. Google requested that IBM revise its figures and IBM complied. In a post on the Frequency X, the X-Force blog over the weekend, X Force manager Tom Cross said the mistake was the result of inaccurate information aggregated from other sources, including vendor advisory pages.
A manual review of the data on unpatched security holes resulted in a reordering of the company’s Best and Worst Patchers list: Google dropped to the bottom of the list, with no unpatched security holes in the first half of 2010, while Sun dropped from the top of the list of vendors with the highest percentage of unpatched holes to the middle of the list – with a mere 8 percent of security holds unpatched as of mid year and no critical holes unpatched.
Microsoft moved up from the penultimate spot to top the list of vendors with the most unpatched holes in H2, with 23%, while IBM replaced Google at the top of the list for the highest percentage of critical, unpatched security holes with 29%, followed by Oracle with 22% of critical holes still open at the time IBM released its report. Threatpost.com has updated its original story to note the discrepancy in the data, as originally reported by IBM.
Both IBM and Google blamed the mix-up highlights problems with the way that vulnerability data is collected. With thousands of new holes reported each quarter, there is still no consistent format or guidelines to describe security holes and their severity, spotting independent verification of holes and intense pressure to make marketing hay from vulnerability data.