
2010 smashes vulnerability records

Busiest year yet for researchers and patchers, says IBM's X-Force

Vulnerability disclosures reached record levels in the first half of 2010, according to the latest report from IBM's X-Force security team.

The team's mid-year trend and risk report documented 4,396 disclosed software vulnerabilities in the first six months of the year, a 35 per cent increase on 2009. This was attributed to software vendors disclosing more data and the increased number of security researchers now focused on finding flaws in code.

“Throughout the software industry people have got the message about computer security and are doing more to identify vulnerabilities and as a consequence we are seeing more,” Tom Cross, manager at X-Force, told V3.co.uk.

“So, paradoxically, code is actually getting more safe, but on the other side we're seeing more exploits.”

Of the 2010 disclosures by all software companies, over half still have no patch available, rising to 71 per cent for critical or high-ranking vulnerabilities. In the latter case, Google is the worst offender, with 33 per cent of these important flaws still unpatched.

However, by taking all flaws into account Sun is the worst offender, with 24 per cent of vulnerabilities unpatched.

For the first time in the report's history, web application vulnerabilities have reached 50 per cent of all code flaws reported. However, the report found that the number of problems related to ActiveX has fallen sharply, something Cross attributed to efforts by Microsoft and others to sort out the issues with the controls.

As for operating system vulnerabilities, Microsoft had the lion's share of critical flaws disclosed so far this year, with Linux, Apple and HP-UX all seeing significant falls. However, if all types of vulnerability are taken into account, Apple has had the worst year so far, with Linux following closely behind.

On the spam front, volumes have continued to grow rapidly and now stand at their highest level ever. However, in some good news, spammers have been forced to change tactics by government action in China.

China topped the tables of spam-hosting nations throughout last year, but the Chinese government has cracked down on company registrations and hosting, giving only verified operators based in the country a licence to do business.

“You can see the results clearly in our data; the volume of domains hosted in China dropped off a cliff,” Cross said.

“This is a huge pat on the back for the people who run China's top level domain infrastructure.”

As a result of the change, Russia now hosts around two-thirds of all spam domains, but Cross warned that similar government action there would have limited success due to the number of countries able to host spammers.

He added that one of the biggest threats on the horizon was state-sponsored hacking, or Advanced Persistent Threat (APT) as it is sometimes referred to by the military and others.

This involves highly customised attacks launched against key targets, including governments and increasingly private sector companies that deal with commercially valuable information.

“I would expect most, if not every, government is considering state-sponsored attacks,” he said.

“We used to talk about cyber warfare as a futuristic concept but it's a reality.”

Cross recommended that companies identify those employees with access to sensitive information, give them intensive training on how to avoid falling victim to an attack, and include a contact in the IT department to liaise with over suspicious communications.

As for more general threats, the riskiest area of the internet for users is pornography sites. Around seven per cent of web sites contain pornographic material and they are the most likely areas to find malware.

“It’s long been the case that if you stroll through the red light district of the internet you are more at risk from attack,” Cross commented.