IBM report shows new flaws skyrocket in first half of year

The number of new vulnerabilities in the first half of this year jumped 36 percent compared to the same period last year, an IBM X-Force report has concluded.

For its Mid-Year Trend and Risk Report, the research arm of Big Blue documented 4,396 new flaws from January to June, which ranks as the highest total ever to begin a year. At this pace, the number of bugs is expected to easily surpass last year's total of roughly 6,600.

Tom Cross, manager of X-Force research, said the spike is largely attributable to vendors taking security more seriously, in addition to the popularity of public exploit repositories, such as the Exploit Database. Both of these factors are encouraging researchers to disclose their finds. 

Cross added that the increase is not necessarily a bad sign for the security of software and hardware.

"It's a sign of progress," Cross told SCMagazineUS.com. "The vulnerabilities were there to begin with. Now we know about them, and there's a patch. It's a positive thing."

Still, more than half of the disclosures are still without a vendor-supplied patch, the report found. The biggest culprits are Sun, Microsoft and Mozilla, while Adobe, Novell and Cisco were the best at pushing out patches for publicly known vulnerabilities, the report said.

According to the report, malicious PDF activity continues to run rampant across the internet and now makes up three of the top five browser exploits in the wild.

Cross credits the rise as being caused by the increasingly fragmented browser market. By leveraging an Adobe vulnerability, malware authors earn a higher likelihood of infecting users, he said.

"If you have a vulnerability in Acrobat or Flash, everyone's got them [installed]," Cross said. "They run in all those browsers."

The report also highlighted the growing prevalence of JavaScript obfuscation, a slick tactic malcode writers use to push their wares on unsuspecting computer users. The technique works by encoding and hiding exploits from being detected by security products.

"This is standard procedure for launching an attack on the internet today," Cross said. "[Organisations] need to ask whether the security tools they're using in their environment are effective against obfuscated attacks."

The report also called to light the potential risks of virtualisation. X-Force researchers found that 35 percent of server virtualisation vulnerabilities affect the hypervisor, a thin layer of software that runs in the host machine and serves as the virtualisation engine.

Cross said the statistic should force organisations to think twice about sharing virtual workloads, which have different security requirements, on the same physical server.

See original article on scmagazineus.com