
IBM report shows new flaws skyrocket in first half of year


The number of new vulnerabilities in the first half of this year jumped 36 percent compared to the same period last year, an IBM X-Force report has concluded.

For its Mid-Year Trend and Risk Report, released Wednesday, the research arm of Big Blue documented 4,396 new flaws from January to June, which ranks as the highest total ever to begin a year. At this pace, the number of bugs is expected to easily surpass last year's total of roughly 6,600.

Tom Cross, manager of X-Force research, said the spike largely is attributable to vendors taking security more seriously, in addition to the popularity of public exploit repositories, such as the Exploit Database. Both of these factors are encouraging researchers to disclose their finds. 

Cross added that the increase is not necessarily a bad sign for the security of software and hardware.

"It's a sign of progress," Cross told on Wednesday. "The vulnerabilities were there to begin with. Now we know about them, and there's a patch. It's a positive thing."


Still, more than half of the disclosures are without a vendor-supplied patch, the report found. The biggest culprits are Sun, Microsoft and Mozilla, while Adobe, Novell and Cisco were the best at pushing out patches for publicly known vulnerabilities, the report said.

It is a good thing Adobe is acting quickly. According to the report, malicious PDF activity continues to run rampant across the internet and now makes up three of the top five browser exploits in the wild.

Cross attributes the rise to the increasingly fragmented browser market. By leveraging an Adobe vulnerability, malware authors gain a higher likelihood of infecting users, he said.

"If you have a vulnerability in Acrobat or Flash, everyone's got them [installed]," Cross said. "They run in all those browsers."

The report also highlighted the growing prevalence of JavaScript obfuscation, a slick tactic malcode writers use to push their wares on unsuspecting computer users. The technique works by encoding and hiding exploits from being detected by security products.

"This is standard procedure for launching an attack on the internet today," Cross said. "[Organizations] need to ask whether the security tools they're using in their environment are effective against obfuscated attacks."

The report also called to light the potential risks of virtualization. X-Force researchers found that 35 percent of server virtualization vulnerabilities affect the hypervisor, a thin layer of software that runs in the host machine and serves as the virtualization engine.

Cross said the statistic should force organizations to think twice about sharing virtual workloads, which have different security requirements, on the same physical server.
