Cybersecurity vulnerabilities in key corporate tools such as Web apps, JavaScript and PDFs are increasing dramatically, having reached record levels for the first half of 2010, according to security watchers on IBM's X-Force research and development team.
Overall, 4,396 new vulnerabilities were documented by the X-Force in the first half of 2010, a 36% increase over the same time period last year. Over half, 55%, of all these disclosed vulnerabilities had no vendor-supplied patch at the end of the period, according to the X-Force's Mid-Year Trend and Risk Report.
Web application vulnerabilities continued to be the leading threat, accounting for more than half of all public disclosures, while covert attacks hidden within JavaScript and Portable Document Format (PDF) files increased in complexity and are also on the rise, IBM stated.
The X-Force details a number of problematic trends. From the report:
- Web application vulnerabilities continue to be the largest category of vulnerability disclosures. While Web application vulnerabilities continue to climb at a steady rate, these figures may only represent the tip of the iceberg of total Web application vulnerabilities that exist, as they do not include custom-developed Web applications which can also introduce vulnerabilities.
- Covert, hidden attack methods grew in frequency and complexity, especially involving JavaScript -- Enterprises are fighting increasingly sophisticated attacks on their computer networks, including Advanced Persistent Threats. These sophisticated attackers are employing covert means to break into networks without being detected by traditional security tools. JavaScript obfuscation is a particularly popular technique used by all classes of computer criminals to hide their exploits within document files and Web pages. IBM detected a 52% increase in obfuscated attacks during the first half of 2010 versus the same period in 2009.
- PDF exploits continue to soar as attackers trick users in new ways -- X-Force started observing widespread use of PDF-based exploits during the first half of 2009. Since then, it has captured three of the top five slots for browser exploits used in the wild. The most significant jump associated with PDF attacks in 2010 occurred in April, when IBM Managed Security Services detected almost 37% more attack activity than the average for the first half of 2010. This spike coincided with a widespread spam campaign in which malicious PDF attachments were used to spread the Zeus and Pushdo botnets, some of the most insidious threats on the Internet today.
- Phishing activity declined significantly, but financial institutions remain the top target -- Phishing volume has fluctuated wildly over the past few years. The first half of 2010 has only seen a fraction of the phishing attacks that were seen at the peak in 2009, a decline of almost 82%. Despite this drastic decline, financial institutions are still the number one phishing target, representing about 49% of all phishing emails, while credit cards, governmental organizations, online payment institutions and auctions represent the majority of other targets.
Follow Michael Cooney on Twitter: nwwlayer8