IBM Tops List of Security Vulnerabilities, But What Does It Mean?
September 23, 2015 Alex Woodie
IBM has found itself atop many prestigious lists over the years–the holder of the most patents, the greenest company in IT, and the biggest server maker. But this month the cybersecurity research firm Secunia put IBM at the top of one list that Big Blue won’t be proud of: The list of software vendors with the most security vulnerabilities. But what exactly that means is the subject of some controversy.
In its “Vulnerability Update” for the period for May through July, Secunia reported that IBM was the vendor with the most vulnerable products over the three-month period. It was the fourth straight time that IBM made Secunia’s list. In fact, since Secunia started publishing its quarterly “Vulnerability Update” in August 2014, IBM has been on the wrong end of the vulnerability gun every time.
It’s not as if IBM’s huge Linux and Windows software business is taking the heat in the security kitchen. IBM i and i5/OS both made the dreaded top 20 list of products with the most vulnerabilities in the most recent quarterly report. Secunia recorded 32 security vulnerabilities in both OSes for the month of June, tying them for sixth on the list. Overall, IBM had nine products on the top 20 list for June; Microsoft had four.
The IBM i family of operating systems was on Secunia’s radar in December 2014, when it tallied 22 security flaws shared by IBM i, IBM i5/OS, and IBM OS/400 (Secunia lists them as separate products). That month IBM had eight products in the top 20 list of products with the most security vulnerabilities; Microsoft had none. And in February 2015, Secunia listed 58 flaws impacting IBM’s Power Systems servers and another 41 flaws impacting the Hardware Management Console (HMC).
The days of Windows and Linux being the only OSes making headlines with security vulnerabilities are over. “Operating systems are of course an interesting attack vector to anyone wishing to gain access to corporate infrastructure,” Secunia writes in its report. “Over the summer, Secunia has recorded vulnerabilities in Oracle Solaris, IBM i5/OS, and F5 TMOS amongst others–an ever-pertinent reminder to stay on top of products from all vendors, and not rest on your laurels once you’ve patched your Microsoft and your Linux.”
What’s behind all the vulnerabilities in IBM products? It’s hard to say. 2014 was certainly a big year for security vulnerabilities, with the Heartbleed problem in the OpenSSL encryption library leading the way.
In its first quarterly update, which covered the period from August 2014 to October 2014, Secunia reports that IBM had 4,000 vulnerabilities in its products in 2013, “which meant that IBM vulnerabilities accounted for 25 percent of the total number of vulnerabilities reported in 2013.” Nothing changed in 2014, Secunia says, adding that several IBM products made the top 20 lists.
“Their position is largely due to the fact that IBM likes to bundle the products with third-party software–very often with vulnerable libraries like Java and OpenSSL,” the Danish security firm writes. “That these programs are bundled within the individual IBM products means that every single time a vulnerability is discovered and a patch released for e.g. Java, the corresponding IBM products need to be updated, too. First by IBM, and then by all IBM customers.”
Secunia notes that IBM frequently follows Oracle in patching. This is true of any problems with Java, which Oracle controls. If Oracle issues a patch for Java, IBM must re-issue that patch through its own security update process.
Some security watchers are critical of Secunia’s approach to tallying security vulnerabilities, specifically how it counts a vulnerability in an underlying library like OpenSSL as a vulnerability in every subsequent product that contains that library.
Brian Martin, a security researcher who goes by the name “Jericho,” is one of the more outspoken critics of Secunia’s techniques. In a recent blog post, Jericho takes Secunia to task for not using the U.S. government-funded Common Vulnerabilities and Exposures (CVE) database as its starting point for tracking vulnerabilities.
“Not only does Secunia avoid using the minimum industry standard for vulnerability aggregation, they opt to use their own methodology, which they now know beyond doubt seriously inflates their ‘vulnerability’ count,” Jericho writes.
“To be abundantly clear,” he continues, “a vulnerability in a third-party library such as OpenSSL is one vulnerability. It doesn’t matter how many other products use and integrate that code, the fundamental flaw is in the library. Counting each product that implements OpenSSL as a distinct vulnerability, rather than a distinct occurrence of a vulnerability, is wrong. Worse, it actually highlights just how poor their statistics are, if you do accept their flawed methodology, as it is heavily used among thousands of applications that Secunia doesn’t cover, even when a vendor like IBM issues numerous advisories that they miss. No matter how you cut it, their numbers are invalid.”
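The dispute above comes down to what one row of an advisory table counts as. The following is an added illustration, not code from the article, Secunia or Jericho, and every row in it is constructed: the vendor names, product names and CVE ids are placeholders chosen only so that one vendor bundles the same OpenSSL and Java bugs into many products while the other ships mostly first-party fixes.

```python
from collections import defaultdict

# Constructed sample advisory rows: (vendor, product, component, cve_id).
# The CVE ids are placeholders, not real identifiers. VendorA bundles the
# same OpenSSL and Java bugs into several products; VendorB's advisories
# are mostly for its own code.
ADVISORIES = [
    ("VendorA", "Server OS",  "OpenSSL", "CVE-0000-0001"),
    ("VendorA", "HMC",        "OpenSSL", "CVE-0000-0001"),
    ("VendorA", "App Server", "OpenSSL", "CVE-0000-0001"),
    ("VendorA", "Server OS",  "Java",    "CVE-0000-0002"),
    ("VendorA", "App Server", "Java",    "CVE-0000-0002"),
    ("VendorA", "Database",   "Java",    "CVE-0000-0002"),
    ("VendorA", "Server OS",  "own",     "CVE-0000-0003"),
    ("VendorB", "Desktop OS", "own",     "CVE-0000-0004"),
    ("VendorB", "Desktop OS", "own",     "CVE-0000-0005"),
    ("VendorB", "Browser",    "own",     "CVE-0000-0006"),
    ("VendorB", "Browser",    "OpenSSL", "CVE-0000-0001"),
]

# Components whose flaws belong to the library author, not the bundler.
THIRD_PARTY = {"OpenSSL", "Java"}

def occurrence_counts(rows):
    """Per-product occurrence count: each distinct (product, cve) pair
    counts once. This is the method the article attributes to Secunia."""
    counts = defaultdict(int)
    for vendor, _product, _component, _cve in set(rows):
        counts[vendor] += 1
    return dict(counts)

def unique_cve_counts(rows, exclude_third_party=False):
    """One CVE counts once per vendor, however many products embed it
    (Jericho's position). With exclude_third_party=True, bugs in bundled
    libraries are attributed to the library rather than the vendor."""
    seen = defaultdict(set)
    for vendor, _product, component, cve in rows:
        if exclude_third_party and component in THIRD_PARTY:
            continue
        seen[vendor].add(cve)
    return {vendor: len(cves) for vendor, cves in seen.items()}

def ranking(counts):
    """Vendors ordered from most to fewest counted vulnerabilities."""
    return [v for v, _ in sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))]

def inflation_ratio(rows):
    """How far occurrence counting exceeds unique-CVE counting, per vendor."""
    occ, uniq = occurrence_counts(rows), unique_cve_counts(rows)
    return {vendor: occ[vendor] / uniq[vendor] for vendor in occ}
```

On this constructed data the same advisories put VendorA first under occurrence counting and VendorB first under unique-CVE counting, which is the whole of the disagreement.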
To be sure, IBM is not the only vendor that bundles other software, including open source code, into its products. Oracle and Microsoft both follow this common industry practice, yet their security vulnerability counts were well below IBM’s for the past 12 months. Unless there are other factors affecting Secunia’s large vulnerability count attributable to IBM–such as a desire to target or defame IBM–the numbers would indicate that there is something else going on.