There were 6,601 new vulnerabilities discovered last year, an 11 percent decrease compared to 2008, according to the annual "X-Force Trend and Risk Report." In addition, the number of vulnerabilities in web browsers and document readers with no patch also decreased last year compared to 2008. And the number of unpatched “critical” vulnerabilities is significantly lower than in years past, indicating that software vendors have become more responsive when dealing with security issues, the report stated.
“The computer industry is getting better at building secure software and being responsive to vulnerabilities,” Tom Cross, manager of IBM X-Force Research, told SCMagazineUS.com on Thursday. “But the volume of attack activity is expanding at a very rapid pace.”
For example, the number of new malicious websites increased by 345 percent in 2009 compared to 2008, according to the report. Spam and phishing volumes also rose dramatically during the second half of the year.
The highly publicized takedown of web-hosting company McColo caused worldwide spam levels to drop by around 70 percent at the end of 2008. By May of 2009, spam levels were back up to pre-McColo levels and, in November, spammers sent out twice as much spam as they did before the takedown.
Phishing attacks decreased dramatically in the beginning of 2009, but phishers came back with a vengeance in the third quarter of the year, the report stated. In September, the number of phishing attacks surpassed the volume seen during any month of 2008.
Web application vulnerabilities made up 49 percent of security disclosures in 2009, the largest single category, the report stated. Web application vendors have done well in patching vulnerabilities in their base platforms, but the majority of flaws affecting these platforms are present in plug-ins that are produced to add functionality to the application. Often, vulnerabilities in web application plug-ins are not patched, the report stated.
Open-source content management platforms used for building websites, for example, often have many plug-ins available, Cross said.
“Some plug-ins are great, others are not,” he said. “If you are using one of those platforms you need to be careful of the plug-ins you are using.”
The main types of vulnerabilities affecting web applications during 2009 were cross-site scripting (XSS) and SQL injection, the report stated. There was a “significant increase” in the number of SQL injection attacks last year, as attackers used automated tools to find susceptible websites, Cross said.
“Businesses need to look at their infrastructure and see what web applications they are using and the processes they have for ensuring they are secure,” he said.
Enterprises must assess their network to determine whether there are any vulnerabilities in off-the-shelf or custom-built web applications, Cross said. Also, enterprises can protect their networks against SQL injection attacks with intrusion prevention systems and should seek to eliminate these bugs in the company's software development lifecycle.
“If they haven't eliminated SQL injection vulnerabilities on their network, they are certainly being subject to attack today,” Cross said. “There is no doubt about that.”