IBM Report Labels Apple, Microsoft As Most Vulnerable

IBM has released its X-Force security report which has discovered that the number of disclosed vulnerabilities during the first half of 2010 shot up 36 percent from a year previously.

All told, IBM X-Force analysed and document 4,396 new vulnerabilities in the first half of the year. Leading the way in terms of having the most vulnerabilities is Apple, which accounted for 4 percent of all disclosures. Microsoft is No. 2 on the list, while No. 3 is Adobe Systems, thanks to a surge in issues involving Adobe Reader and Flash Player. In 2009, Adobe was ranked No. 9.

PDF Attacks

“The continued prevalence of the Gumblar – the exploit tool kit/group – is still helping to secure top positions for Adobe products, but PDF and Flash exploits are extremely popular in many other exploit tool kits as well,” an IBM spokesperson said. “An interesting change from the second half of 2009 is that ActiveX has dropped off the top-five list, at least for now … Judging by what we have observed thus far in 2010, it is safe to assume that 2010 will be dominated by PDF exploitation.”

Microsoft far outpaced other operating system vendors in terms of vulnerabilities with critical and high CVSS (Common Vulnerability Scoring System) ratings, accounting for 73 percent of those. In sheer numbers, however, Linux took the No. 1 spot, with Apple coming in at No. 2, according to the report.

Unpatched Bugs

About 55 percent of the vulnerabilities had no vendor-supplied patch at the end of the period, IBM said. Among the top 10 vendors with the most vulnerabilities, Sun Microsystems (Oracle) had the highest percentage of unpatched bugs at 24 percent. Microsoft was second highest with 23.2 percent.

“The leap in vulnerability disclosures relates to organisations taking a greater interest in exploitable software bugs as well as attackers continuing to develop their own infrastructure,” said Tom Cross, manager of IBM’s X-Force Advanced Research Team. “An area that both whitehat and blackhat security researchers are focusing on is automated vulnerability discovery through approaches such as fuzzing. Predicting disclosure increases into the future is going to be tricky for this reason and we may see the occasional plateau or decrease.”

The report also noted that attackers are continuing to make use of JavaScript obfuscation to hide malware. IBM detected a 52 percent increase in obfuscated attacks since 2009.

“Attackers have been using JavaScript to obfuscate web browser attacks for a few years, but X-Force believes that the topic comes up infrequently, yet it continues to be a problem,” Cross said. “With attackers continuing to innovate with JavaScript obfuscation, it is forcing security vendors to innovate [in the areas of] intelligent components and solutions too.”