Sandboxes a Bright Spot As Flaws Trend Higher
While the largest software vendors have reduced the number of flaws in their own products, more software vulnerabilities will be disclosed in 2012 than in any previous year, IBM finds in its latest report. Technologies that make exploitation harder, such as sandboxing, are paying off.

Vulnerability disclosures are on a trajectory to hit an all-time high this year, driven by a resurgence of cross-site scripting issues, which makes technologies that hinder exploitation increasingly important, IBM stated in a report released on Sept. 20. While the number of vulnerabilities found in major products has declined, thanks to the adoption of secure development practices, the total number of flaws likely to be reported in 2012 will approach 9,000, exceeding the previous record set in 2010, according to IBM's X-Force 2012 Mid-year Trend and Risk Report.

Web vulnerabilities account for 47 percent of the roughly 4,400 flaws found in the first half of 2012, and more than half of those Web flaws are cross-site scripting vulnerabilities. Cross-site scripting has surged, and attempts to reach backend databases by exploiting a Web application -- known as SQL injection -- continue to grow as well.

"SQL injection is still the money maker for the bad guys," said Clinton McFadden, senior operations manager for IBM X-Force Research and Development. "It has been the Wild West for people doing SQL injection for many years. Yet, now we are seeing a strong group of tools or web scanners or education leveling off the worst epidemic in Web application security."
While vulnerabilities are on the rise, there are a number of bright spots, the 105-page report found. Security issues in popular formats, such as Microsoft Office and the Portable Document Format (PDF), have declined sharply, while serious vulnerabilities in the major browsers have eased as well.