    IBM Tops List of Security Vulnerabilities, But What Does It Mean?

    September 23, 2015 Alex Woodie

    IBM has found itself atop many prestigious lists over the years–the holder of the most patents, the greenest company in IT, and the biggest server maker. But this month the cybersecurity research firm Secunia put IBM at the top of one list that Big Blue won’t be proud of: The list of software vendors with the most security vulnerabilities. But what exactly that means is the subject of some controversy.

    In its “Vulnerability Update” for the period from May through July, Secunia reported that IBM was the vendor with the most vulnerable products over the three-month period. It was the fourth straight time that IBM topped Secunia’s list. In fact, since Secunia started publishing its quarterly “Vulnerability Update” in August 2014, IBM has been on the wrong end of the vulnerability gun every time.

    It’s not as if IBM’s huge Linux and Windows software business is taking the heat in the security kitchen. IBM i and i5/OS both made the dreaded top 20 list of products with the most vulnerabilities in the most recent quarterly report. Secunia recorded 32 security vulnerabilities in both OSes for the month of June, tying them for sixth on the list. Overall, IBM had nine products on the top 20 list for June; Microsoft had four.

    The IBM i family of operating systems was on Secunia’s radar in December 2014, when it tallied 22 security flaws shared by IBM i, IBM i5/OS, and IBM OS/400 (Secunia lists them as separate products). That month IBM had eight products in the top 20 list of products with the most security vulnerabilities; Microsoft had none. And in February 2015, Secunia listed 58 flaws impacting IBM’s Power Systems servers and another 41 flaws impacting the Hardware Management Console (HMC).

    The days of Windows and Linux being the only OSes making headlines with security vulnerabilities are over. “Operating systems are of course an interesting attack vector to anyone wishing to gain access to corporate infrastructure,” Secunia writes in its report. “Over the summer, Secunia has recorded vulnerabilities in Oracle Solaris, IBM i5/OS, and F5 TMOS amongst others–an ever-pertinent reminder to stay on top of products from all vendors, and not rest on your laurels once you’ve patched your Microsoft and your Linux.”

    Security vulnerabilities by vendor for the period from August 2014 to July 2015. Source: Secunia.

    What’s behind all the vulnerabilities in IBM products? It’s hard to say. 2014 was certainly a big year for security vulnerabilities, with the Heartbleed problem in the OpenSSL encryption library leading the way.

    In its first quarterly update, which covered the period from August 2014 to October 2014, Secunia reports that IBM had 4,000 vulnerabilities in its products in 2013, “which meant that IBM vulnerabilities accounted for 25 percent of the total number of vulnerabilities reported in 2013.” Nothing changed in 2014, Secunia says, adding that several IBM products made the top 20 lists.

    “Their position is largely due to the fact that IBM likes to bundle the products with third-party software–very often with vulnerable libraries like Java and OpenSSL,” the Danish security firm writes. “That these programs are bundled within the individual IBM products means that every single time a vulnerability is discovered and a patch released for e.g. Java, the corresponding IBM products need to be updated, too. First by IBM, and then by all IBM customers.”

    Secunia also notes that IBM frequently follows Oracle in issuing patches. That is unavoidable for any problem in Java, which Oracle controls: when Oracle issues a patch for Java, IBM must re-issue that patch through its own security update process.

    Some security watchers are critical of Secunia’s approach to tallying security vulnerabilities, specifically how it counts a vulnerability in an underlying library like OpenSSL as a vulnerability in every subsequent product that contains that library.

    Brian Martin, a security researcher who goes by the name “Jericho,” is one of the more outspoken critics of Secunia’s techniques. In a recent blog post, Jericho takes Secunia to task for not using the U.S. government-funded Common Vulnerabilities and Exposures (CVE) database as its starting point for tracking vulnerabilities.

    “Not only does Secunia avoid using the minimum industry standard for vulnerability aggregation, they opt to use their own methodology, which they now know beyond doubt seriously inflates their ‘vulnerability’ count,” Jericho writes.

    “To be abundantly clear,” he continues, “a vulnerability in a third-party library such as OpenSSL is one vulnerability. It doesn’t matter how many other products use and integrate that code, the fundamental flaw is in the library. Counting each product that implements OpenSSL as a distinct vulnerability, rather than a distinct occurrence of a vulnerability, is wrong. Worse, it actually highlights just how poor their statistics are, if you do accept their flawed methodology, as it is heavily used among thousands of applications that Secunia doesn’t cover, even when a vendor like IBM issues numerous advisories that they miss. No matter how you cut it, their numbers are invalid.”

    To be sure, IBM is not the only vendor that bundles other software, including open source code, into its products. Oracle and Microsoft both follow this common industry practice, yet their security vulnerability counts were well below IBM’s for the past 12 months. Unless there are other factors affecting Secunia’s large vulnerability count attributable to IBM–such as a desire to target or defame IBM–the numbers would indicate that there is something else going on.
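    To make the counting dispute concrete, here is an added example (not from the article, Secunia, or Jericho) that tallies a constructed set of advisories three ways: per product, as Secunia does; per distinct CVE, as Jericho argues; and per distinct CVE in the vendor’s own code, which strips out bundled libraries. All vendor names, product names, CVE ids, and code-ownership labels are constructed sample data.

```python
from collections import defaultdict

# Constructed sample advisories, not real Secunia or CVE data: one entry per
# product advisory, as (vendor, product, CVE id, owner of the flawed code).
# CVE ids are placeholders. An advisory is "native" when the flawed code is
# the vendor's own; otherwise the flaw is in a bundled third-party component.
ADVISORIES = [
    ("IBM", "IBM i", "CVE-0000-0001", "OpenSSL Project"),
    ("IBM", "IBM i5/OS", "CVE-0000-0001", "OpenSSL Project"),
    ("IBM", "IBM OS/400", "CVE-0000-0001", "OpenSSL Project"),
    ("IBM", "HMC", "CVE-0000-0001", "OpenSSL Project"),
    ("IBM", "IBM i", "CVE-0000-0002", "Oracle"),      # bundled Java
    ("IBM", "WebSphere", "CVE-0000-0002", "Oracle"),  # bundled Java
    ("IBM", "IBM i", "CVE-0000-0003", "IBM"),
    ("Microsoft", "Windows", "CVE-0000-0001", "OpenSSL Project"),
    ("Microsoft", "Windows", "CVE-0000-0004", "Microsoft"),
    ("Oracle", "Solaris", "CVE-0000-0002", "Oracle"),
    ("Oracle", "Java SE", "CVE-0000-0002", "Oracle"),
]

def count_per_product(advisories):
    """Per-product tally: each product shipping the flaw counts as one vulnerability."""
    counts = defaultdict(int)
    for vendor, _product, _cve, _owner in advisories:
        counts[vendor] += 1
    return dict(counts)

def count_distinct_cves(advisories, native_only=False):
    """CVE tally: one flaw is one vulnerability however many products ship it.
    With native_only=True, flaws in bundled third-party code are excluded."""
    seen = defaultdict(set)
    for vendor, _product, cve, owner in advisories:
        if native_only and owner != vendor:
            continue
        seen[vendor].add(cve)
    return {vendor: len(cves) for vendor, cves in seen.items()}

def inflation(advisories):
    """Ratio of the per-product count to the distinct-CVE count, per vendor."""
    per_product = count_per_product(advisories)
    distinct = count_distinct_cves(advisories)
    return {vendor: per_product[vendor] / distinct[vendor] for vendor in per_product}

if __name__ == "__main__":
    print("per product  ", count_per_product(ADVISORIES))
    print("distinct CVEs", count_distinct_cves(ADVISORIES))
    print("native CVEs  ", count_distinct_cves(ADVISORIES, native_only=True))
```

On this sample the per-product method ranks IBM far ahead because one OpenSSL flaw is counted four times, while the native-only tally puts all three vendors level.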

Volume 25, Number 47 -- September 23, 2015