Symantec recently published their 2011 Threat report. I always find this an interesting read and a worthwhile read. But I have a pet peeve with a common mis-classification of vulnerabilities as threats. These two items are distinct, but related items: threats will often exploit vulnerabilities to achieve their goal. While related, vulnerabilities are not threats and mixing the two confuses the conversation.
Symantec is not oblivious to this fact as they carefully keep this distinction in mind when writing this report. In sections referring to vulnerabilities, they do not mix the term vulnerability and threat. But the report title is “Internet Security Threat Report”. Using the number of vulnerabilities discovered in 2011 as a metric to indicate the Threat trend is not appropriate.
There is still a place to discuss vulnerabilities in this report; in particular what types of vulnerabilities are being targeted by threats is a very interesting analysis I would like to see more of. But remove the vulnerability count off the headline graphics and don’t use it as a measure of threat. Vulnerabilities are not threats and they are not risk. Vulnerabilities are weaknesses potentially exploited by threats.