IBM Researchers Predict More Vulnerabilities in 07

Experts in IBM's ISS group contend that software vulnerabilities that allow hackers to exploit popular programs will continue to rise during 2007.

New research indicates that enterprises will continue to grapple with long lists of dangerous software vulnerabilities during 2007, with experts at IBM predicting continued growth in the number of flaws found in popular products over the next twelve months.

According to a report published by IBMs ISS (Internet Security Systems) X-Force research team on Jan. 30, the group observed just under 7,250 vulnerabilities during calendar 2006, which breaks down to an average of 20 new software flaws being isolated every day, and represents a 40 percent increase over the number of vulnerabilities discovered during 2005.

Perhaps even more imposing is the researchers contention that more than 88 percent of the newly-found vulnerabilities in 06 could be exploited remotely, an all-time high, with over 50 percent allowing hackers to gain access to devices after the flaws have been flaunted.

With the launch of high-profile new software systems such as Microsofts Windows Vista operating system in 2007, the researchers with IBM, based in Armonk, N.Y., are predicting that the next twelve months could be even more threatening from a security standpoint.

While developers of Vista and other products are putting more effort into securing their code and eliminating security loopholes, the experts said that the sheer complexity of such programs will create even more vulnerabilities.

Another mitigating factor will be the arrival of many new third-party products meant to run on Vista, the Atlanta-based ISS team said, as well as the growing use among malware code writers of so-called fuzzing tools, which automate the process of ferreting out software loopholes.

As desktop security tools have stemmed the flow of malware programs arriving in e-mail in-boxes, the use of fuzzing tools has helped hackers isolate weaknesses in Web browsing software, making the Internet the top source of malware, said Gunter Ollmann, director of security strategy for IBM ISS.

/zimages/3/28571.gifSpammers fake newsletters slip by e-mail filters. Click here to read more.

"The script kiddies of old went off to university and learned how to build and use fuzzing programs, and theyre taking that experience and applying it to uncover vulnerabilities in content-level applications," said Ollmann.

"While the amount of [malware] content making it through from e-mail has gone down, and the volume of payloads making it to the desktop without being filtered has dropped, attackers have honed into Web browser vulnerabilities and theres less protection out there for this sort of threat, even within enterprises."

Ollmann said that IBMs researchers believe that the use of fuzzers has led to the rise in malware programs that attack application vulnerabilities, and that the technique will continue to take root among hackers.

Underground malware communities are taking full advantage of the newly-discovered flaws, and are using them to gain entry to devices and install other malware, he said.

Next Page: Picking on weak browsers.