IBM: Security Vulnerabilities, Unpatched Flaws on the Rise

Share it on Twitter  
Share it on Facebook  
Share it on Linked in  

Software security vulnerabilities are proliferating, but plenty of vendors are potentially leaving their users at risk by not issuing patches, according to a new report from IBM's X-Force security research unit.

In its 2010 Mid-Year Trend and Risk Report, IBM X-Force tallied 4,396 new vulnerabilities during the first six months of the year, up 36 percent from the first half of 2009.

But IBM (NYSE: IBM) also found that the percentage of unpatched flaws is also growing, up slightly from a year ago.

"Over half, 55 percent, of all these disclosed vulnerabilities had no vendor-supplied patch at the end of the period," the report said. That's compared to 52 percent of known vulnerabilities lacking a vendor-supplied patch by the middle of 2009.

In particular, IBM said Sun Microsystems (now owned by Oracle), Microsoft and Firefox browser vendor Mozilla were among the top software vendors who haven't released patches to fix known vulnerabilities.

The midyear 2010 report stands in contrast to IBM's vulnerability data from a year ago.

"We were surprised in this half-year reporting," X-Force manager Tom Cross told InternetNews.com. "At the end of 2009, we were down around 11 percent in previous-year vulnerability reporting. The fact that we were up this year has brought with it an increased workload for us, as well."

Cross added that the increase in vulnerability reports represents, in one sense, software vendors doing a better job at identifying and mitigating security vulnerabilities. However, it's not just a case of security vendors deciding to do a better job at reporting: Threats are also on the rise, prompting them to take stricter measures when it comes to handling potential security risks.

"There are actually more vulnerabilities out there," Cross said. "As security concerns continue to become more mainstream, we are seeing this rise in reported vulnerabilities. Vendors are making a conscious effort to put secure design and responsible reporting into the products they build."

Still, while vendors may be getting better at reporting, many still remain slow when it comes to fixing known flaws.

IBM said that the top vendor with unpatched vulnerabilities was Sun at 24.0 percent, followed by Microsoft (NASDAQ: MSFT) at 23.2 percent and Mozilla at 21.3 percent.

Cross explained that the total unpatched rate includes both non-severe and critical issues. Spokespeople from the three companies did not return requests for comment by press time.

IBM also reported that while Adobe (NASDAQ: ADBE) has an unpatched vulnerability rate of only 2.9 percent, the X-Force report identifies exploitation of Adobe's PDF format as a particularly hot issue this year, with exploits on the rise.

"The varying patch rate of each vendor may or may not have influence on what attackers are trying to accomplish with the latest methods," Cross said. "Certainly there are exploits that target Mozilla, but PDF attacks are the most popular based on market share. If you look into browser market share, you can see that Mozilla Firefox only has 24 percent of 2010 market share, in comparison to Internet Explorer versions, which take around 61 percent of market share. Since all browsers work with Portable Document Formats (PDFs) it makes the end target much more ubiquitous."

In Adobe's favor, Cross added, is that IBM has seen Adobe over the past year take a more proactive, aggressive role in dealing with attacks and in developing possible future sandbox technology that could help to mitigate current vulnerabilities.

Still, he said that in the report, IBM recommends that Action Script (Adobe's extended version of JavaScript) be disabled in PDF documents, as well as other multimedia formats that might be embedded. That could help alleviate some of the risk with little impact on users, since these aren't features normally in use in enterprises, Cross said.

Cross noted that IBM's threat data comes from its X-Force Database, which he described as the result of thousands of hours of work by X-Force researchers and developers. Much of the data is incorporated into IBM's own products, he added.

Sean Michael Kerner is a senior editor at InternetNews.com, the news service of Internet.com, the network for technology professionals.

Follow eSecurityPlanet on Twitter @eSecurityP.