IBM, which published its most recent X-Force trend and risk assessment report on August 25, 2010, revealed that there was a rise in the total number of loopholes found inside computer applications, which hackers were capable of exploiting, during H1-2010.

The report noted that the major security risk was still from software vulnerabilities, at 55% of the total number of public disclosures. State the researchers that the large number of security flaws indicates that cyber-criminals have a golden opportunity for attacking Web-surfers via malware, phishing and other harmful materials.

Referring to other data from the study, it’s evident that new vulnerabilities grew to 4,396 in number i.e. at 36% during H1-2010 over H1-2009, while over 50% of them were devoid of security patches.

Moreover, stealthy attacks became more complex using obfuscated JavaScript along with PDFs (Portable Document Formats). Additionally, it was noted that virtualization and cloud computing would be the chief security issues for corporations henceforth.

Meanwhile, during April 2010, PDF attacks grew to the maximum for the year. IBM’s Managed Security Services spotted nearly a 37% rise in such assaults against the H1-2010 average. The attacks made up to 3 positions among the top 5 associated with browser exploits being abused.

Moreover, computer criminals have been popularly using JavaScript obfuscation for concealing their attack codes inside websites and document files. IBM spotted 52% more obfuscated attacks in H1-2010 vis-à-vis H1-2009.

Additionally, X-Force’s data further indicates that 35% of all security flaws affecting virtualization systems of server class impact the hypervisor. Thus, when an attacker commands over a single virtual system he is likely to compromise and command other systems too that run on that same computer.

In the meantime, there’s been an 82% plunge in the total number of e-mail scams wherein cyber-criminals send spoofed messages to Internet-users and attempt at tricking them into viewing corrupt files or accessing phishing websites.

However, even with this dramatic fall, institutions for finance continue to be the maximum targets for phishers at 49%. Other targets that are overwhelmingly being attacked in phishing scams are online payment agencies, government organizations, auction companies and credit cards.

Source:http://www.spamfighter.com/News-15052-Software-vulnerabilities-other-e-threats-spike-reports-IBM.htm

IBM has overhauled its list of worst security patchers among software vendors, putting Microsoft at the top of its list and shifting Sun from No. 1 to No. 5.

DARPA takes aim at insider threats

Google, one of the companies that protested the methods used by IBM’s X-Force team to create the “Mid-Year Trend and Risk Report 2010,” dropped from No. 6 to No. 12.

In explaining the changes, an IBM blogger says it’s difficult to track all the vulnerability disclosures and patches because the data has to be gathered by hand. “As you might imagine, this is a complicated task, as every software vendor handles security vulnerabilities differently and few standards exist today for sharing this information,” Tom Cross says in his blog.

But in one of its blogs, Google says more effort should be made to verify the data used in the reports. “As a first step, database compilers should reach out to vendors they plan to cover in order to devise a sustainable solution for both parties that will allow for a more consistent flow of information,” Adam Mein, a member of Google’s security team, says in his blog.

“Another big improvement would be increased transparency on the part of the compilers — for example, the inclusion of more hard data, the methodology behind the data gathering, and caveat language acknowledging the limitations of the presented data.”

Google complained to IBM because the report said Google had a 33% rate of leaving critical disclosed vulnerabilities unpatched. It turns out that the 33% referred to one patch out of three vulnerabilities, and that one was not security vulnerability after all.

IBM published two lists, one of companies with unpatched disclosed vulnerabilities and another of companies with unpatched critical vulnerabilities. Google dropped from No. 6 to No. 12 on the first and from No. 1 to No. 12 on the second.

Other software vendors whose ranking shifted markedly were Sun (from No. 1 to No. 5 and from No. 7 to a tie for No. 12) and Linux (from number seven to number 10 and from number four to a tie for No. 12).

The corrected ranking for the companies with the most unpatched disclosed vulnerabilities by company name and percent unpatched is: Microsoft, 23%; Mozilla, 17%; Apple, 12%; IBM, 9%; Sun, 8%; Oracle, 6%; Cisco, 6%; Novell, 5%; HP, 4%; Linux, 3%; Adobe, 3%; Google, 0%.

The corrected ranking for the companies with the most unpatched critical disclosed vulnerabilities by company name and percent unpatched is: IBM, 29%; Oracle 22%; Novell, 10%; Microsoft, 7%; HP, 5%; Mozilla, 4%; Adobe and Cisco each with 2%; and Apple, Google, Linux and Sun, each with 0%.

Source:http://www.networkworld.com/news/2010/090110-ibm-xforce-google.html?hpg1=bn