There were over 4,400 new security vulnerabilities in the first half of this year, according to the 2012 IBM X-Force Mid-year Trend and Risk Report.
At the current pace, 2012 could pass the all-time record for new vulnerabilities, set in 2010. While the total might sound daunting, it is not a surprise to IBM researchers, and it is not as bad as it seems. Although the total number of new vulnerabilities is up, so too are patching rates. And the most commonly reported class of vulnerability, SQL injection, is actually on the decline.
“We have been seeing a trend of having a record year and then a pullback for the last five or six years,” Clinton McFadden, senior operations manager for IBM X-Force Research and Development, told eSecurity Planet.
IBM believes this is because vendors are now generally more responsible about disclosing risks to their users, McFadden said. Not only that, but vendors are quicker at supplying patches and mitigation options.
“Though there are more vulnerabilities being released, there is a conjunction between the amount of vulnerabilities being released every year and the amount of vulnerabilities that are patched rapidly and that’s a big win for administrators,” he said.
In the first half of 2012, 94 percent of all vulnerabilities disclosed across the top 10 software vendors had a patch available, IBM reported.
SQL Injection Slide
Year after year, SQL injection has topped the list of reported software vulnerabilities. In the first half of 2012, however, the rate of new SQL injection vulnerabilities appears to be leveling off.
“SQL injection has been rising for years. It’s now trailing off and we’re seeing other Web application vulnerabilities increasing,” McFadden said. “People understand SQL injection and are making fewer mistakes, and therefore it is providing fewer juicy targets.”
While the number of newly reported SQL injection vulnerabilities is trending downward, that doesn't mean attackers have stopped using known SQL injection attack vectors. McFadden warned that attackers are sweeping the Internet every minute of every day, throwing well-known SQL injection payloads at websites.
“The campaigns are still growing for SQL injection since it’s well known and the tools are cheap,” McFadden said.
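The "well known" injections McFadden refers to are the textbook tautology and comment payloads that work against any query built by string concatenation. The following example is added here for illustration and is not code from the report or from eSecurity Planet; it uses a constructed in-memory SQLite table with made-up users and shows the vulnerable query beside the parameterized form that the "fewer mistakes" remark describes. Function names, the sample rows and the plaintext passwords are all assumptions made for the demonstration.

```python
import sqlite3


def make_db():
    """Build a constructed sample table (assumption: not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    # Plaintext passwords are used only to keep the demo short.
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "correct horse", "admin"), ("bob", "hunter2", "user")],
    )
    return conn


def login_vulnerable(conn, username, password):
    """The classic mistake: user input is pasted into the SQL text itself."""
    query = (
        "SELECT username, role FROM users WHERE username = '%s' "
        "AND password = '%s'" % (username, password)
    )
    return conn.execute(query).fetchall()


def login_parameterized(conn, username, password):
    """Hardened form: the driver binds values separately from the SQL text,
    so a quote or comment marker in the input is just data."""
    query = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchall()


def demo():
    """Run the same two well-known payloads against both query styles."""
    conn = make_db()
    results = {}

    # A legitimate login behaves the same either way.
    results["good"] = login_parameterized(conn, "bob", "hunter2")

    # Tautology payload in the password field. The WHERE clause becomes
    #   username = 'x' AND password = '' OR '1'='1'
    # and, because AND binds tighter than OR, it is true for every row.
    results["vuln_tautology"] = login_vulnerable(conn, "x", "' OR '1'='1")

    # Comment payload in the username field. The query becomes
    #   username = 'alice'--' AND password = ''
    # so the password check is commented out and alice's row is returned.
    results["vuln_comment"] = login_vulnerable(conn, "alice'--", "")

    # The same payloads against the parameterized query match nothing:
    # they are compared literally against the stored column values.
    results["safe_tautology"] = login_parameterized(conn, "x", "' OR '1'='1")
    results["safe_comment"] = login_parameterized(conn, "alice'--", "")
    return results


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

The point of the side-by-side is that the fix is not input filtering; it is keeping data out of the code channel entirely. Any query that still formats user input into the SQL string, even with some characters stripped, remains a target for the cheap, automated sweeps described above.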
XSS and Sandboxes
Unlike SQL injection, cross-site scripting (XSS) vulnerabilities and attacks show no signs of slowing.
“I believe that SQL injection and data protection is possibly an easier problem to solve than XSS and session hijacking attacks,” McFadden said. “I think that when it comes to sophistication, there is a challenge there.”
Sandbox technology, which isolates an application's processes from the underlying operating system in order to limit what an exploit can reach, is proving useful in reducing exploitation, according to IBM.
Adobe embraced sandbox technology over the past year. Its Adobe Reader X program renders PDFs inside a process sandbox, in an effort to reduce the use of Adobe's software as an attack vector. McFadden said IBM's mid-year report shows a correlation between the release and adoption of Reader X, with its sandbox, and a decline in Adobe exploits.
He added that Reader X is doing a good job of isolating PDF documents from the base operating system.
“There has been a major decline in the number of vulnerabilities and exploitation in the PDF document format,” McFadden said. “That doesn’t mean there are no more vulnerabilities in PDF; no one has squeezed that rag dry. It’s just that the cost of breaking out of the sandbox and attacking the OS is now just far too expensive.”