New research indicates that enterprises will continue to grapple with long lists of dangerous software vulnerabilities during 2007, with experts at IBM predicting continued growth in the number of flaws found in popular products over the next twelve months.
According to a report published by IBMs ISS (Internet Security Systems) X-Force research team on Jan. 30, the group observed just under 7,250 vulnerabilities during calendar 2006, which breaks down to an average of 20 new software flaws being isolated every day, and represents a 40 percent increase over the number of vulnerabilities discovered during 2005.
Perhaps even more imposing is the researchers contention that more than 88 percent of the newly-found vulnerabilities in 06 could be exploited remotely, an all-time high, with over 50 percent allowing hackers to gain access to devices after the flaws have been flaunted.
With the launch of high-profile new software systems such as Microsofts Windows Vista operating system in 2007, the researchers with IBM, based in Armonk, N.Y., are predicting that the next twelve months could be even more threatening from a security standpoint.
While developers of Vista and other products are putting more effort into securing their code and eliminating security loopholes, the experts said that the sheer complexity of such programs will create even more vulnerabilities.
Another mitigating factor will be the arrival of many new third-party products meant to run on Vista, the Atlanta-based ISS team said, as well as the growing use among malware code writers of so-called fuzzing tools, which automate the process of ferreting out software loopholes.
As desktop security tools have stemmed the flow of malware programs arriving in e-mail in-boxes, the use of fuzzing tools has helped hackers isolate weaknesses in Web browsing software, making the Internet the top source of malware, said Gunter Ollmann, director of security strategy for IBM ISS.
“The script kiddies of old went off to university and learned how to build and use fuzzing programs, and theyre taking that experience and applying it to uncover vulnerabilities in content-level applications,” said Ollmann.
“While the amount of [malware] content making it through from e-mail has gone down, and the volume of payloads making it to the desktop without being filtered has dropped, attackers have honed into Web browser vulnerabilities and theres less protection out there for this sort of threat, even within enterprises.”
Ollmann said that IBMs researchers believe that the use of fuzzers has led to the rise in malware programs that attack application vulnerabilities, and that the technique will continue to take root among hackers.
Underground malware communities are taking full advantage of the newly-discovered flaws, and are using them to gain entry to devices and install other malware, he said.
Picking on Weak Browsers
It has also become easier for attackers to use the vulnerabilities in browser programs to build engines on Web servers that detect what type of software an individual is using and then launch malware programs that can take advantage of applications with holes that they have discovered. The malware writers are also using peoples IP address information to tailor the content they attempt to deliver to a certain target.
“If a malware site such as this sees Internet Explorer 6, they send something different than if they see IE 7; theres a lot of logic in these engines,” Ollmann said. “The site will look at the first request the browser makes and then find the right payload to deliver when the browser makes a second request. It happens that fast.”
The researcher said that malware communities are also sharing lists of IP addresses to find specific sets of targets to assail with their programs, and to help identify accounts used by security software makers to help detect new attacks and code variations.
Traditional signature-based anti-virus products, versus behavior-oriented tools, are still failing to stop even those threats aimed at well-known vulnerabilities, according to Ollman, who noted that the most popular exploit used to infect Web browsers with malware in 2006 was the Microsoft MS-ITS vulnerability, first disclosed in 2004.
Over the course of 2006, June was the month that saw the highest volume of new software vulnerabilities, while the week before the Thanksgiving holiday was the busiest week of the year.
IBM reported that so-called downloaders, also known as Trojan Viruses, which install themselves and attempt to retrieve other malware programs, represented the most popular form of threat seen in 06, accounting for 22 percent of all attacks.
Among the other findings highlighted in the report was news that the volume of spam increased by 100 percent during the last year, and that the United States, Spain and France were the three top sources of spam worldwide.
In a reflection of the number of experienced users and businesses run in Germany, German was the second most popular language for spam e-mails, Ollmann said, but the volume of spam written in English still represents approximately 92 percent of the messages.
In a nod to the art of simplicity, the most popular subject line for spam in 2006 was “Re: hi,” according to the report. South Korea accounts for the highest source of phishing e-mails, according to the report, and Web sites that host pornographic or sex-related content represented 12 percent of the Internet last year.
Check out eWEEK.coms Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at Ryan Naraines eWEEK Security Watch blog.