The noblest of all dogs is the hot dog. It feeds the hand that bites it - Hot Dog Restaurant
In a bog, ISS investigator Gunter Ollmann says it's the small fry that are serving up holey software. For a variety of reasons, Ollmann reckons that the Microsofts, IBMs and Ciscos of the world have tightened up their act.
"There are more and more software packages released every year by new software companies - many of them offer easier pickings for security researchers and automated discovery tools," he bogs.
The language of the bog is enlightening. Gunter talks of "researchers" searching for vulnerabilities and notes that it is reports from these researchers that make up the data on which his postulations are based.
He says it's easier for a doughnut researcher to find a hole in Joe Bloggs' home-made shoot 'em up than in Microsoft's Orifice. And some of the software out there has been knocking about for a while now, so many of its holes have been plugged.
Whether malware writers find any of the holes is not clear. Nor is it clear what proportion of the published vulnerabilities is exploited by this nasty breed. Certainly researchers at insecurity firms dig up holes for a living and then tell the world about them in a bid to scare them into buying security software.
Of course, there may be billions of holes in Joe Bloggs' shoot 'em up, but is a malware writer going to be bothered to break into the two copies Joe sold at his local computer fair? Or would he rather craft an exploit for XP and break into millions of the world's PCs? Hang on while we go and have a little think about it. µ