Phishing, SQL Injection Attacks Surged in 2009
IBM's X-Force security report finds that hackers have mastered the art of attacking Web browsers and document readers, even though application security has improved.
Hackers continued to have great success taking advantage of vulnerabilities in applications, such as Adobe Systems' Acrobat, and Web browsers from Mozilla and Microsoft to compromise unsuspecting users' machines or data, according to IBM's annual X-Force Trend and Risk Report.
That's in spite of an overall decline in the number of new software vulnerabilities last year, IBM said.
Big Blue's security research and development group reported that in 2009, the total number of bugs in document readers and multimedia applications surged 50 percent, leading to a dramatic increase in phishing attacks targeting banks and other financial services providers during the second half of the year.
For the year, IBM X-Force researchers identified 6,601 new vulnerabilities, an 11-percent decline from 2008.
Three of the top five malware Web exploits were found in Adobe (NASDAQ: ADBE) PDF files, with the other two found in Adobe's Flash and a Microsoft ActiveX control that lets users view a Microsoft Office document in Internet Explorer. Adobe in January issued a patch for a critical PDF zero-day vulnerability that hackers were using as a launching pad for a variety of spamming and malware endeavors.
Application security vulnerabilities
The IBM report found that more than half of the client-side vulnerabilities ranked as either "critical" or "high" in severity affected just four vendors: Microsoft, Adobe, Mozilla, and Apple. On average, vendors managed to patch 66 percent of these documented vulnerabilities, but Apple had the worst patch rate at 38 percent.
"Despite the ever-changing threat landscape, this report indicates that overall, vendors are doing a better job responding to security vulnerabilities," Tom Cross, manager of IBM X-Force Research, said in a statement. "However, attackers have clearly not been deterred, as the use of malicious exploit code in Web sites is expanding at a dramatic rate."
BlackBerry maker Research In Motion, Cisco Systems (NASDAQ: CSCO), Adobe and Hewlett-Packard (NYSE: HPQ) were characterized as having done a "stellar" job patching known security flaws. For instance, Adobe overhauled its patch update process to help keep end users better up-to-date and aware of vulnerabilities in a much more streamlined and automated way.
The overall good news in application vulnerability trends was offset by the fact that new malicious Web links exploded during the last year, growing 345 percent, according to IBM X-Force.
"This trend is further proof that attackers are successful at both the hosting of malicious Web pages and that Web browser-related vulnerabilities and exploitation are likely netting a serious return," the report said.
Forty-nine percent of all vulnerabilities are related to Web applications, with cross-site scripting (XSS) attacks surpassing SQL injection to take the top spot. Worse, two in three Web application vulnerabilities had still not been patched by the end of the year, IBM said.
The report found that sophisticated phishing attacks targeting financial data and online banking customers rose dramatically in the second half of 2009, with Brazil, the U.S., and Russia overtaking Spain, Italy, and South Korea as the top countries of origin for these attacks.
The majority -- 61 percent -- of phishing e-mails discovered in 2009 purported to be from financial institutions and another 20 percent were e-mails from bogus government organizations, such as the IRS.
Finally, SQL injection attacks, the bane of any IT administrator's existence, continued to escalate at a disturbing rate.
IBM X-Force said it was seeing more than 1 million SQL injection attacks a day in 2009, compared to roughly 5,000 a day in 2008. Researchers attributed this surge to the prevalence of automated tools used by hackers to find poorly secured Web sites.
The security team claims that it has cataloged more than 48,000 security vulnerabilities since it began analyzing and researching vulnerability disclosures in 1997.
By Paul Rubens
February 25, 2010