Press Release

CeBIT: Software Vulnerabilities Have Increased Drastically, HPI says

Hanover/Potsdam. Since 2011 there has been a dramatic increase in the number of software vulnerabilities reported worldwide. According to an analysis carried out by the Hasso Plattner Institute (HPI) in Potsdam, nearly 6,500 vulnerabilities had been reported by the end of 2014. As the computer scientists' overview shows, in a comparison spanning 15 years that figure is just below the peak levels recorded in 2006 and 2008, when approximately 7,000 vulnerabilities were reported. At CeBIT in Hanover, HPI announced that the increase has been particularly pronounced among vulnerabilities of medium severity, which reached an all-time high in 2014.

Vulnerabilities of the highest severity, on the other hand, have declined continually since 2008, according to HPI Director Prof. Christoph Meinel. He attributes this development to the concerted efforts of manufacturers in recent years “to eliminate particularly the most critical vulnerabilities.” According to the HPI study, the impact of vulnerabilities is distributed among the three security goals of availability, integrity and confidentiality at 12 to 14 percent each; in nearly half the cases all three are affected together.

“Availability refers to the accessibility of the service,” said Meinel. Integrity concerns unauthorized write access, which can alter data or the system itself. Confidentiality covers everything to do with access to sensitive data, such as passwords.

According to HPI’s study, Windows XP tops the list of operating systems with critical vulnerabilities, with 511 reports. Apple’s Mac OS X takes fourth place and Linux seventh. “Of course you also have to consider the role played by the popularity of the software,” said the IT security expert. If an operating system is widely used, potential attackers study it more closely, because its vulnerabilities can cause more widespread damage.

In the ranking of critical vulnerabilities in applications, the first three places are held by the browsers: Microsoft’s Internet Explorer (700 reports), Google Chrome (600) and Mozilla Firefox (570), with other applications following at a considerable distance.

“The display software for Internet content is becoming increasingly complex because websites handle various multi-media formats and additional dynamic contents more frequently than ever,” said Meinel. As a result, the risk of vulnerabilities grows. “Browsers are probably the most frequent target for hackers. Because users navigate through the Internet with the browser, it is an ideal starting place for attacks,” said the Potsdam scientists.

Browser Self-Diagnosis at CeBIT

At CeBIT, HPI presents its database for IT attack analysis (https://hpi-vdb.de), in which the lion’s share of the freely available data on software vulnerabilities and problems on the Internet is integrated and combined. It currently holds more than 68,000 entries on vulnerabilities in nearly 173,000 affected software products from 15,000 manufacturers. Using the database, HPI can check the browsers of all Internet users, including CeBIT visitors, for detectable vulnerabilities of the kind cyber criminals frequently exploit. The system detects the browser version, including commonly used plugins, and displays a list of the known vulnerabilities; since it works from what the browser itself reports, it can only find vulnerabilities in components the browser discloses. This vulnerability analysis is demonstrated live for CeBIT visitors. HPI plans to extend the self-diagnosis to other installed software.

HPI: One of the Largest Exhibitors in Hall 9

Hasso Plattner Institute (HPI) is among the largest CeBIT exhibitors in the subject area of “Research and Innovation” at this year’s fair. The HPI computer scientists are presenting the results of their latest research and development in the world of “Big Data” for the “d!conomy”, the term coined for the digital economy and the transformation leading to a fully networked economy. At its booth area of more than 380 square meters, HPI shows, for example, how corporate decision-makers can draw on real-time data support in their meetings. HPI demonstrates the possibilities of Big Data analysis not only in soccer but also in disease containment on a global scale. Other topics presented are new solutions for increasing IT security and free online courses on information technology topics, which are open to everyone.

Note to the editors:

You can find detailed material (texts, photos, videos) on our CeBIT website: www.hpi.de/cebit. For the duration of the fair you can also find interviews with prominent CeBIT guests on the topic of Germany as an IT location at www.it-gipfelblog.de.

A Note On Our Methodology

Hasso Plattner Institute maintains a database for IT attack analysis. The so-called HPI-VDB gathers information from numerous freely available vulnerability databases (for example the National Vulnerability Database, NVD) and makes this data available for queries in machine-readable form. The database grew out of HPI research on attack detection, which requires information on all currently known vulnerabilities. Based on the collected data it is possible to draw statistical conclusions about the nature and frequency of known vulnerabilities. One of these conclusions is taken up here.

In the analysis, conducted on the occasion of CeBIT, HPI explains that the number of publicly known vulnerabilities has been steadily increasing, especially in the case of vulnerabilities of medium severity. This rise most likely has little or nothing to do with software having become less secure. It is in fact more likely that software has become more secure (through sandboxing or ASLR, for example). Simply counting vulnerabilities does not provide a measure of software security. HPI would however like to present some possible reasons for the increase. One, from HPI’s perspective, is that a number of new and improved methods and tools are now being used to find vulnerabilities. The popularity of the software and the security awareness of its manufacturer also play an important role. Widely used software attracts the attention of security researchers and attackers, who in turn potentially find more vulnerabilities. Furthermore, many large manufacturers now invest a great deal of time in finding vulnerabilities in their own products.

The classification of vulnerabilities is based on the free and open industry standard CVSS (Common Vulnerability Scoring System). Because the standard is widely used in the security community, it can be found in many vulnerability databases. The criticality is calculated, for example, from the impact of a vulnerability on integrity, availability and confidentiality. Whether the vulnerability can be exploited remotely, and whether such an exploit already exists, also play a role. The CVSS score has a value between 0 and 10, where 10 stands for the highest criticality. A value of 7.0 or higher is considered critical. A vulnerability is therefore classified as critical if complete access to a system can be gained through a remote exploit, in other words if an attack with serious consequences can be carried out with relatively few requirements. A vulnerability of medium severity could, for example, also allow full access to a system, but be difficult to exploit: no public exploit exists, and both physical access and authentication are required. It nevertheless remains possible that a skilled attacker could exploit a medium-severity vulnerability as well.

In its analysis HPI has used only data on vulnerabilities from public vulnerability databases. It was of course not possible to draw conclusions about how many unknown or as yet undiscovered vulnerabilities a piece of software contains. It is therefore not our intention to imply that the conclusions drawn here apply to all existing vulnerabilities.

Profile of the Hasso Plattner Institute

The Hasso Plattner Institute for Software Systems Engineering GmbH (https://hpi.de) at the University of Potsdam is Germany’s university excellence center for IT Systems Engineering. It is the only university institution in Germany offering bachelor’s and master’s programs in “IT Systems Engineering”, a practical and engineering-oriented study program in computer science in which 470 students are presently enrolled. The HPI School of Design Thinking is Europe’s first innovation school and is modeled on the Stanford University d.school. It offers 240 places yearly for supplementary study.

There are a total of ten HPI professors and over 50 guest professors, lecturers and contracted teachers at the Institute. HPI carries out research noted for its high standard of excellence in its nine topic areas, as well as at the HPI Research School for PhD candidates, with further branches in Cape Town, Haifa and Nanjing. HPI teaching and research focus on the foundations and application of large-scale, highly complex and networked IT systems. The development and exploration of user-driven innovations for all areas of life is a further field of importance. HPI consistently earns the highest positions in the CHE university ranking. Since September 2012, HPI has offered openhpi.de, an interactive Internet educational platform whose free online courses are open to everyone.