IBM’s X-Force: No Telling How Many Unpatched Web Threats Are Out There

During the first half of 2010, more than 4,300 new disclosures of software security issues came to light. That’s according to the mid-year report issued by IBM’s special X-Force security research team. What’s perhaps a bit more disturbing is how many of those vulnerabilities remain unfixed.

More than half of the vulnerabilities identified during the report period, 55 percent, had no vendor-supplied patch at the end of the first half of the year, IBM researchers found.

Leading the pack with the highest percentage of unpatched security issues was Sun Microsystems, with 24 percent of identified security issues disclosed during the first half of the year unpatched at its midpoint. Microsoft tallied 23 percent, and Firefox’s maker, Mozilla, came in third at 21 percent. For its part, IBM reported its own 10 percent rate of unpatched vulnerabilities during the first half of 2010.

Web Apps Most Dangerous

Among the types of security threats lurking on the Internet, Web application vulnerabilities continued to lead, according to the report.

While Web application vulnerabilities won the numbers game — and are continuing to proliferate — we may really have no idea how extensive the problem is, the report’s authors noted. That’s because custom-developed Web applications were not included in IBM’s research, and thus their vulnerabilities were not counted.

The majority of Web apps are custom developed, Tom Cross, manager of X-Force Advanced Research with IBM, told TechNewsWorld. This means that they are built by enterprise personnel or built by personnel contracted by enterprises.

Because their vulnerabilities may never be publicly disclosed, which is the criterion IBM uses for its reporting, custom-developed apps may represent a much larger group of security issues than enterprises suspect.

Two Steps Crucial

“The Web is the major attack vector for malware coming into a company’s environment,” Chester Wisniewski, senior security analyst with Sophos, told TechNewsWorld, noting that IBM’s findings very much mirror his own firm’s research.

Enterprises first need to make sure that patches are getting deployed as soon as they are available from vendors, Wisniewski recommended.

Then, they need to consider whether they have many unnecessary channels open to the Internet. For example, a company can choose one media player and still allow employees to listen to music on their computers but drastically minimize risk.

Another technique is to look carefully at which Internet client software on employees’ computers is allowed to have two-way communication on the Internet; Java is a good example, Wisniewski saidd.

PDF, JavaScript Present Newer Threats

Enterprises are facing a more complex type of attack in the form of covert methods, said IBM. Embedding JavaScript in Web pages and document files is one such method. Exploits using Web browsers as their primary channel continue to rely heavily on PDF-based methods. The infamous Zeus and Pushdo botnets were such attacks.

Phishing has dropped dramatically as an attack technique; it’s down 82 percent since peaking last year. However, financial institutions continue to be plagued by phishing attacks — nearly half of phishing emails were targeted toward them.

Enterprises that conduct others kinds of financial transactions — such as credit card companies, online payment institutions, and government organizations — account for the majority of the other half of phishing attacks.

Two very popular ways that enterprises are considering reducing their total IT costs are coming under increased scrutiny in the security arena. Cloud computing and virtualization are the trends that enterprises need to watch as they strategize future security efforts, said IBM.

In particular, sharing computing workloads that may have different security requirements on the same hardware may present security risks. More than 35 percent of security vulnerabilities that involve server virtualization are the kind that allow the compromised virtual system to access other systems on the same server.

Leave a Comment

Please sign in to post or reply to a comment. New users create a free account.

More by Kimberly Hill
More in Security

Technewsworld Channels