Number of reported vulnerabilities spiked in 2010Last year saw huge increases in the number of documented vulnerabilities and public exploit releases, according to the IBM X-Force 2010 Trend and Risk Report, released last week.
A total of 8,562 vulnerabilities were documented in 2010, the greatest number of bugs ever disclosed during a single year. The number marked a 29 percent increase from 2009, according to the report.
The increase is partly a reflection of increased efforts to find and eliminate vulnerabilities through better software development and quality assurance process, Tom Cross, threat intelligence manager for IBM X-Force, told SCMagazineUS.com.
Companies often find vulnerabilities in their software while going through the process of improving their designs, he said. When this happens, the “responsible and accepted practice” is to issue a public advisory informing customers about the issue and how to obtain a fix.
“We track these advisories and have seen a significant increase in 2010 versus 2009,” Cross said. “Companies are paying more attention to security issues. They are finding and fixing more vulnerabilities in their products. We hope it means in the future that the software we are using is more secure at the outset and will need less patching.”
For now, though, the large spike translates to more work for those who defend enterprise networks, Cross said.
According to the report, the number of public exploit releases increased 21 percent from 2009 to 2010, a byproduct of the rise in vulnerabilities.
Most exploits were released on the same day as or in conjunction with bug disclosures, the report found. Some, however, were released months after initial public disclosure, an indication that attackers privately were exploiting the flaw for some time, even, in some cases, when a vendor-provided fix was available.
“The exploit code only emerges publicly after its usefulness to the attackers has diminished,” the report states. “This happens slowly over time as more and more vulnerable hosts are patched or upgraded.”
Cross said organizations must ensure they are fully aware of all the endpoints, systems and software in their environment, and know which patches are available.
“It seems basic, but in a complicated environment that can be very challenging,” he said.
On a positive note, the report found that spam volumes leveled off toward the end of the year, and the number of phishing attacks decreased.
However, cybercriminals began relying more heavily on more targeted phishing attacks, indicating that the are focusing on “content rather than volume,” according to the report. Spear phishing emails often are carefully crafted to appear legitimate to an intended target, and they contain malicious attachments or links.
“The numerous, high-profile targeted attacks in 2010 shed light on a crop of highly sophisticated cybercriminals, who may be well-funded and operating with knowledge of security vulnerabilities that no one else has,” Cross said.