Software Makers See A Rise in Opportunities for Attackers
Software made by Apple, Microsoft and Adobe Systems is the most vulnerable to malware attacks, according to IBM’s X-Force threat report for the first half of this year.
In total, the number of disclosed vulnerabilities during the first six months of 2010 increased 36 percent from the first six months of 2009, according to the report.
The IBM X-Force researchers analyzed and documented 4,396 new vulnerabilities reported by software manufacturers in the first half of this year. Apple accounted for 4 percent of all vulnerability disclosures, while Microsoft reported 3.4 percent, according to the report.
Although Apple has more vulnerabilities than Microsoft, it has been targeted less by hackers because there are fewer Mac users than PC users, experts say.
Adobe Systems ranked third in disclosed vulnerabilities with 2.4 percent of the disclosures in the first half of 2010 — up from ninth a year earlier — because of problems with Adobe Reader and Flash Player, according to the researchers.
However, the list of vendors with the fewest patched vulnerabilities was topped by Sun, Microsoft and Mozilla, while Apple took the fourth slot.
On average, 55 percent of the software vulnerabilities reported by vendors went unpatched by those vendors, compared to 52 percent a year earlier, according to the study.
Other highlights of the report include:
- More vendors report vulnerabilities in Web applications. Web application vulnerabilities account for 55 percent of all threats. However, the researchers said this is only the tip of the iceberg because their research did not take into account vulnerabilities in custom-developed Web apps.
- Enterprises are encountering more-sophisticated attacks on their computer networks, because sophisticated hackers are using methods that aren’t detected by traditional security tools.
- PDF vulnerabilities continue to rise as attackers develop new tricks, including the use of malicious PDF attachments to spread the Zeus and Pushdo botnets — networks of compromised computers (robots) used to perpetrate e-fraud and e-crime, two of the most harmful threats on the Internet today.
- Phishing activity – a type of Internet fraud in which the user is deceived into thinking a website is that of a trusted third party – declined significantly, but financial institutions remain the top targets.
The X-Force researchers also identified some trends to watch that may attract future attacks, including:
- Cloud computing: Security concerns remain a hurdle for organizations looking to adopt cloud computing. IBM recommends that organizations examine the security requirements of the applications they intend to host in the cloud, before they look for potential service providers.
- Virtualization: As organizations turn to service providers to host their applications, they should be concerned about having their data hosted on the same physical hardware as companies that have different security requirements. According to X-Force, an attacker with control of one virtual system may be able to manipulate other systems on the same machine.





