Many corporations use off-the-shelf applications riddled with non-patched vulnerabilities or custom web applications that host unpatched vulnerabilities, according to a new research report from IBM ISS.

In fact, during 2008, of all vulnerabilities related to web applications, 74 percent had no patches available for them, according to the annual X-Force Trend and Risk Report, released Monday. The study also found that attackers have turned their focus to new types of exploits, such as malicious links to Adobe Flash and PDF documents.

Moreover, during the fourth quarter of 2008 alone, IBM traced a 50 percent increase in the number of malicious URLs hosting exploits – more than found in all of 2007, according to the report. Thus, large scale and automated SQL injection vulnerabilities that emerged early last year have continued unabated. By the end of 2008, the volume of attacks jumped to 30 times the number of attacks initially seen last summer.

“Attackers are building SQL injection code into automated tools that scan for vulnerable websites, putting in redirects to malicious servers, or trying to incorporate malware into corporate web sites,” said Holly Stewart, X-Force threat response manager for IBM Internet Security Systems.

IBM claims that 50 percent of all vulnerabilities discovered during the past three years have no patch available for them today. That translates into a lot of vulnerable web sites.

“The purpose of these automated attacks is to deceive and redirect web surfers to web browser exploit toolkits,” said Kris Lamb, senior operations manager, X-Force Research and Development for IBM ISS. “It is staggering that we still see SQL injection attacks in widespread use without adequate patching almost 10 years after they were first disclosed.”

For the report, IBM looked back at application vulnerabilities disclosed in the past three years, and checked to see whether vendors fixed them. In other words, the number of vulnerabilities was compared to the number of patches made available by vendors to fix problems.

“A vendor does not always release a patch when a vulnerability is disclosed by independent researchers around the world,” Stewart said. “So even if users wanted to fix the software, vendors have not always provided a way for it to be done.”