Security Vulnerabilities Spike 36 Percent In First Half Of 2010: Report

And the rapid proliferation of virtualized IT infrastructure, combined with growing adoption of cloud computing, could lead to even more significant increases in the number of IT security threats against businesses, according to the report from IBM's X-Force Research and Development team, a security research organization within IBM that's charged with tracking and analyzing IT security threats.

The X-Force Trend and Risk Report, released Wednesday, also said that 55 percent of the vulnerabilities discovered during the six-month period had no vendor-supplied patch as of mid-year.

On the positive side, businesses and organizations are doing more to identify and disclose security vulnerabilities, leading to more collaboration to find and eliminate vulnerabilities before hackers can exploit them, according to IBM.

The X-Force report "reveals that although threats are on the rise, the industry as a whole is getting much more vigilant about reporting vulnerabilities," said Steve Robinson, general manager of IBM security solutions, in a statement. "This underscores the increased focus among our clients to continue looking for security solutions that help them better manage risk and ensure their IT infrastructure is secure by design."


The X-Force maintains a database of more than 50,000 computer security vulnerabilities and the team bases its reports on information it collects about intrusion incidents from sensors deployed on customer IT networks, from its global Web crawler and from international spam collectors.

On Tuesday Microsoft issued a security advisory to customers warning of a newly discovered critical attack vector leading to a known DLL (dynamic-link library) preloading vulnerability that could enable hackers to launch malicious code on Windows systems.

Web application vulnerabilities continue to be the leading -- and fastest growing -- security threat for most companies, accounting for more than half of the publicly disclosed threats. But IBM noted those threats could be just the tip of the iceberg because the numbers do not include custom-developed Web applications that can have their own vulnerabilities.

Businesses find themselves increasingly battling attacks using sophisticated techniques such as "JavaScript obfuscation" that embeds malware within document files and Web pages. The number of obfuscated attacks increased 52 percent in the first half of 2010, IBM said. PDF-based attacks, such as those used to spread the Zeus and Pushdo botnets, also spiked during the period, accounting for three of the top five browser exploits.

Just last week Google issued an update for Google Chrome that plugged 11 vulnerabilities, three of them rated "critical," in the Web browser.

The report noted, however, that phishing activity has declined "significantly," down 82 percent from the first half of 2009. The volume of phishing scams has fluctuated widely in recent years and financial institutions remain the top target, followed by credit cards, governmental organizations, online payment institutions and auctions.

Security remains a concern among many businesses debating whether to adopt cloud computing -- and with good reason. The report said businesses must carefully examine the security requirements of the workloads they plan to run in the cloud.

Likewise, as businesses push more processing to virtual server infrastructures, workloads with different security requirements could end up running on the same physical server. The X-Force report said 35 percent of vulnerabilities that impact server-class virtualization affect the hypervisor -- meaning an attacker who gains control of one virtual system could easily manipulate other systems on the same physical machine.