IBM: Vulnerability Disclosures Hit New High in 2010

A new report from IBM vulnerability

In its annual X-Force 2010 Trend and Risk Report, IBM counted 8,562 vulnerability disclosures for the year -- the largest total ever. Forty-nine percent of the vulnerabilities disclosed in 2010 were Web application vulnerabilities. The majority of these were cross-site scripting and SQL injection issues. However, the report notes that this may only be the tip of the iceberg, since “many organizations develop third-party applications in-house that are never even reported publically and are not included” in IBM’s tally.

“The main challenge in implementing a more secure software development approach is making sure that the teams within a company who are pursuing this have the right level of support from the rest of the organization,” Tom Cross, threat intelligence manager at IBM X-Force, wrote in an e-mail to CRN. “Software security teams should start small and introduce changes that will have a measurable impact with minimal disruptions to existing workflows. It’s important to make sure that the whole organization sees the value of these efforts or they will not be as successful.”

While IBM described vendors as being diligent in releasing patches, at least 44 percent of all the vulnerabilities disclosed in 2010 had no corresponding patch by the end of the year.

“We see exploit code being released onto the Internet months or even years after the public disclosure of the vulnerability those exploits target,” Cross said. “X-Force believes that these exploits are being used in private to launch attacks and are only released to the public after they are no longer valuable as attack tools. This indicates to us that there are vulnerable systems out on critical networks that are still not patched, months after patches have become available, and attackers are targeting those systems successfully.”

In order to address this problem, he said, organizations need more comprehensive endpoint management.

“IT organizations need to know every system on their networks, what software is on those systems, and what vulnerabilities impact that software,” he told CRN. “In a complex, modern computing environment having total control over endpoints is more challenging than it might sound, but this is one of the things that we work with our clients to enable them to do effectively.”

While the company notes that the number of malware attacks against mobile devices remains small, it also found that the number of mobile OS flaws and exploits has grown significantly since 2006. The biggest management challenge posed by mobile devices is ensuring the same level of protections exist on those devices as on other endpoints, Cross said, which requires a number of different tools and policy configurations.

“The control that app stores afford platform vendors has greatly reduced the amount of malicious activity that X-Force thinks would otherwise be happening,” he said. “Malicious apps can be rapidly pulled down and even uninstalled from devices that have them. Widespread exploitation is only going to be motivated by a business model that affords attackers an opportunity to make a profit by infecting large numbers of mobile devices...However, it’s important to recognize that mobile devices could be subject to targeted attacks by more sophisticated players who are motivated by a desire to steal information from an organization or use VPN connectivity to access their corporate networks.”