According to a new report from IBM (NYSE:IBM), 2010 was a good year — for new security vulnerabilities.
The annual IBM X-Force 2010 Trend and Risk Report reveals that in 2010, there was a 27 percent year-over-year increase in the number of new security vulnerabilities. In total, IBM documented more than 8,000 new vulnerabilities in 2010.
“In conjunction with that there was also a 21 percent increase in the public release of exploit code that targets vulnerabilities,” Tom Cross, threat intelligence manager at IBM X-Force, told InternetNews.com. “This data means that we were busier in 2010 than 2009; it’s also indicative of the progress that has been made.”
Cross noted that the increase in vulnerability reports is partly due to the amount of work that is going on in companies to identify software vulnerabilities.
Though the rising number of reported vulnerabilities can be seen in a positive light, there is a related trend that IBM is warning about. Cross noted that 44 percent of all security vulnerabilities did not have a vendor-supplied patch by the end of 2010.
IBM did not, however, break down the patch data by type of application, so it is unclear which applications are least likely to be patched. Previous X-Force reports have specifically named vendors that are quick or slow to patch.
“There is a window of opportunity that an attacker has to target vulnerabilities,” Cross said. “That window opens when a vulnerability is discovered and it closes when the system the attacker goes after has been patched.”
Cross added that public exploits are also sometimes released many days after a vulnerability has been disclosed.
“We think attackers develop exploits shortly after vulnerabilities are publicly disclosed,” Cross said. “Talking about the window of opportunity is important for vendors to make sure they deliver patches quickly and also to make sure that people that operate computer networks are installing the patches quickly.”
The IBM report also does not specifically identify which applications users are patching quickly or not at all.
“We don’t have data on which pieces people are patching,” Cross said. “The way we were looking at the window of opportunity was around when the exploits were emerging publicly.”
Reports from both Qualys and Cisco earlier this year pointed the finger at Oracle’s Java as the technology most likely to be left unpatched by users.
The IBM report has also discovered at least one other positive trend in the security threat landscape. Phishing attacks seem to be on the decline.
“Phishing attacks all but disappeared in 2010,” Cross said. “We still see a fair amount of them, but relative to the volumes that we were seeing in 2009 and 2008 there is less than a quarter of the volume of phishing attacks, so that may represent some progress.”
Cross suspects that phishers have moved on to other techniques, including ATM skimming, which can prove more effective. Overall, Cross suggests that it is critical for organizations to know what is running in their environments and what needs to be patched.
“IBM has been working with partners in the industry on a standard called the Common Vulnerability Reporting Framework, which is an XML format for reporting security vulnerabilities,” Cross said. “We want to make security vulnerability disclosure easier to keep track of.”