Microsoft Security Intelligence Report

Software Vulnerabilities Section Highlights

• Vulnerability disclosures across the entire software industry decreased by about 5 percent in 2007, reversing a multiyear trend of increasing disclosures. Almost all of this decrease was observed in the second half of the year, which had the fewest disclosures since 2H05.

• Despite the decrease, the number of new disclosures across the industry remains in the thousands, with the number of disclosures in 2007 surpassing that of every other year in the study except 2006. The second half of 2007 also saw a decline in the disclosure of vulnerabilities rated High severity; for the full year, however, High-severity disclosures continued to grow relative to previous years.

• The Common Vulnerability Scoring System (CVSS) used to score vulnerabilities in the NVD (National Vulnerability Database) was revised in 2007 to increase its accuracy, consistency, and applicability. Retroactively applying the new formula to vulnerabilities disclosed in previous years classifies a much higher percentage of vulnerabilities as High severity than was previously the case. The vulnerabilities disclosed in 2007 continue this trend, with High-severity vulnerabilities accounting for about half of the total number of vulnerabilities.

• Vulnerabilities requiring only Low access complexity to exploit accounted for about half of all vulnerabilities disclosed in 2H07. Although this share is still large, it has declined significantly from earlier periods.

Strategy, Mitigations, and Countermeasures

• The Microsoft TechNet Security Center at http://www.microsoft.com/technet/security provides links to the latest security bulletins for Microsoft products, as well as other security resources, including the Microsoft Security Newsletter.

• Both security vendors and IT professionals should adjust their risk management processes appropriately to ensure that operating systems and applications are protected. See the Security Risk Management Guide at http://www.microsoft.com/technet/security/guidance/complianceandpolicies/secrisk/default.mspx for tips and assistance.

• Organizations should participate in IT security communities to keep abreast of the wide range of potential security issues they may face.
