IBM put out a new report (embedded below) on security threats to enterprise computer networks today from its X-Force security research group. It found a 36 percent increase in security vulnerabilities, with Web applications being the main culprit. Web apps with security exploits accounted for 55 percent of all disclosed vulnerabilities.
One of the biggest threats are hidden attacks using Javascript. There was a 52 percent rise in such “obfuscated attacks” in the first half of 2010. The increased adoption of cloud computing and virtualization brings with it its own security threats. For instance, 35 percent of virtualization vulnerabilities affect the hypervisor, meaning that gaining control of one virtual machine can give attackers controls of other machines on the same system.
Another increasing source of attacks come from PDF exploits, which usually are downloaded unsuspectingly through links on Websites. Malicious PDFs spiked 37 percent, and those are just the ones that were detected. PDF exploits are being used to spread the Zeus and Pushdo botnets.
Interestingly, run-of-the-mill phishing scams seem to be down, with an 82 percent decline since their peak last year. But They are still the single biggest threat for financial institutions, which make up about half of all phishing targets, followed by credit cards, the government, online payments, and auctions.
The report also ranks the vendors by percentage of unpatched vulnerabilities. Sun, which is now owned by Oracle, tops the list with 24 percent unpatched vulnerabilities, compared to 2.6 percent last year during the same period. Microsoft is second with 23 percent, Mozilla is third with 21 percent, Apple is fourth with 13 percent, and IBM is fifth with 10 percent.
Update: It looks like IBM was forced to revise some of its numbers and methodology, and is itself now the company with the most unresolved “critical” security bugs with no patches over the past six months (29 percent). In terms of overall unpatched vulnerabilities (not just the critical ones), Microsoft now tops that list with 23 percent, followed by Mozilla (17 percent), Apple (12 percent), IBM (9 percent), and then Sun (8 percent). Oops.
IBM X-Force Vulnerability Threats 1H2010 http://d1.scribdassets.com/ScribdViewer.swf?document_id=36404495&access_key=key-1ua6bep9wz5el900ds3o&page=1&viewMode=list