The new IBM X-Force 2010 Mid-Year Trend and Risk Report also found that the total number of new vulnerabilities disclosed had increased 36 percent over the same period last year, to 4,396 for the first half of '10. And 55 percent of these bugs had not been fixed by the end of the first half.
"We knew this was coming for a few months before we put the data together, but it was still a surprise to us in some respects. Last year, we saw an 11 percent decrease in vulnerability disclosure," says Tom Cross, manager of X-Force Research. "If you had asked me a year ago, I would not have expected this volume of disclosure."
The leap in the number of exposed flaws is both good news and bad news. "It means we're doing a lot more work to catalog them ... in some respects, applications are more secure because we are getting these vulns out in the open and getting patches out there. It's a process," Cross says.
"We're seeing people struggling with the constantly increasing sophistication of attacks," IBM's Cross says. "A lot of these attacks are obfuscated."
PDFs can be obfuscated as well, he says. And PDF-borne exploits in April of this year were 37 percent above the average for the first half of 2010, according to the report, mostly due to a major spam run that used PDFs to push Zeus and Pushdo bots.
The report also confirmed worries about mixing apps and operations within a virtualized server that require different levels of security: 35 percent of the vulnerabilities that affect virtualization servers also affect the hypervisor. So if an attacker wrests control of one virtual machine on a server, he or she may be able to hack into other more secure virtual systems on the same server, according to the report.
"You shouldn't be tying in different domains with different security requirements on the same physical hardware," Cross says. "A hypervisor is a piece of software, and it can have vulnerabilities like other pieces of software."
Not surprisingly, Web application vulnerabilities led the vulnerability disclosure list, making up 55 percent of all disclosures, at roughly 3,000 to 4,000 finds per year. That number doesn't include custom Web apps, according to the report, so the true figure is likely even larger. Cross-site scripting (XSS) and SQL injection were at the top of the list.
A copy of the full report from IBM X-Force is available for download here.