If you weren’t already convinced that your Website is at risk, consider this: Nearly 100 percent of Web attacks last year used some form of obfuscation to avoid detection by security tools, according to IBM's just-released 2007 X-Force Security report.

And in another sign that the bad guys are getting more efficient and cagey, IBM’s X-Force researchers also report that, for the first time in 10 years, the number of publicly disclosed vulnerabilities decreased, by 5.4 percent in 2007 over 2006. But the number of high-severity bugs jumped by 28 percent.

“That tells me that, while maybe hobbyists and mid- to lower-tier vulnerability discoveries are waning, the opposite is true for highly leverageable and high-criticality vulnerabilities that matter to users,” says Kris Lamb, operations manager of X-Force Research and Development for IBM Internet Security Systems . “This was one of the most significant trends” in the report, he says.

Lamb says 90 percent of the disclosed vulnerabilities last year are remotely exploitable, and only half of the overall vulnerabilities were patched.

“Regardless of the number of vulnerabilities disclosed, the vulnerabilities that get exploited are the ones that are the most dangerous,” Lamb says. “The bad guys are focusing on exploit-forming versus bug-hunting.”

And with Web browser exploits, most were encrypted, using the increasingly available Web exploit toolkits. “These tools have encryption and obfuscation built in, so the bad guys have upped the ante on what it takes to succeed in compromising computers,” he says. “Although spam and email are the most classic [venues for attack], the most impactful is the Web browser and infrastructure in delivery.”

Among the other findings in the report: Storm’s malware represented about 13 percent of the overall malware the X-Force collected last year, and the overall number of malware samples increased by 30 percent. A bit of good news: The size of spam emails dropped dramatically, mainly due to a decrease in image-based spam, according to the report.

— Kelly Jackson Higgins, Senior Editor, Dark Reading