According to figures revealed with the publication of the IBM X-Force 2009 Trend and Risk Report, not only do web application vulnerabilities remain the largest category of security disclosure for the last year but, worryingly when you consider that the number of such vulnerabilities found by organisations has not decreased or become less of a threat, some 67 percent of them had no patch available by the end of 2009.
With 49 percent of all vulnerabilities being related to web applications in some regard, with cross-site scripting disclosures surpassing SQL injection to take the top spot, this is worrying news indeed.
Not that there was much happy reading to be had in the report generally anyway. It can be summed up as 'attackers increasingly targeted people using the Internet for monetary gain or data theft; new malicious web links have skyrocketed globally; phishing activity also on the up; and vulnerability disclosures for document readers and editors (in particular PDF documents) have soared'.
Specifically, the report found that:
Vulnerability disclosures for document readers and editors and multimedia applications are climbing dramatically. 2009 saw more than 50 percent more vulnerability disclosures for these categories versus 2008.
New malicious Web links have skyrocketed globally. The number has increased by 345 percent compared to 2008. This trend is further proof that attackers are successful at both the hosting of malicious Web pages and that Web browser-related vulnerabilities and exploitation are likely netting a serious return.
Attacks on the Web using obfuscation increased significantly. Often launched using automated exploit toolkits, many attacks use obfuscation - an attempt to hide these exploits in documents and Web pages - to avoid detection by security software. IBM Managed Security Services detected three to four times the number of obfuscated attacks in 2009 versus 2008.
Phishing rates dipped mid-year but rose dramatically in the last half of 2009. Brazil, USA and Russia were the countries where most malicious attacks originated, supplanting Spain, Italy and South Korea at the top in the 2008 report.
Phishing still takes advantage of the financial industry to target consumers. While some phishing scams target logins and passwords, others attempt to entice victims into entering detailed personal information by posing as government institutions. By industry, 61 percent of phishing emails purport to be sent by financial institutions, whereas 20 percent purport to come from government organizations.
About the only good news was that 6,601 new vulnerabilities were discovered in 2009, an 11 percent decrease over 2008. There was a decline in the largest categories of vulnerabilities such as SQL Injection, in which criminals inject malicious code into legitimate Web sites, and ActiveX, an Internet Explorer plug-in to help with tasks.
This may indicate some of the more easily discovered vulnerabilities in these classes have been eliminated and security is improving.
"Despite the ever-changing threat landscape, this report indicates that overall, vendors are doing a better job responding to security vulnerabilities" said Tom Cross, manager of IBM X-Force Research. "However, attackers have clearly not been deterred, as the use of malicious exploit code in Web sites is expanding at a dramatic rate".