IBM Security Report Names Apple, Microsoft as Most Vulnerable Vendors

UPDATE:IBM's X-Force threat report for the first half of 2010 lists Apple, Microsoft and Adobe Systems as the makers of products with the most vulnerabilities.

A report from IBM's X-Force released Aug. 25 says the number of disclosed vulnerabilities during the first half of 2010 shot up 36 percent from the same period the previous year.

All told, IBM X-Force analyzed and document 4,396 new vulnerabilities in the first half of the year. Leading the way in terms of having the most vulnerabilities is Apple, which accounted for 4 percent of all disclosures. Microsoft is No. 2 on the list, while No. 3 is Adobe Systems, thanks to a surge in issues involving Adobe Reader and Flash Player. In 2009, Adobe was ranked No. 9.

"The continued prevalence of the Gumblar-the exploit tool kit/group-is still helping to secure top positions for Adobe products, but PDF and Flash exploits are extremely popular in many other exploit tool kits as well," an IBM spokesperson said. "An interesting change from the second half of 2009 is that ActiveX has dropped off the top-five list, at least for now ... Judging by what we have observed thus far in 2010, it is safe to assume that 2010 will be dominated by PDF exploitation."

Microsoft far outpaced other operating system vendors in terms of vulnerabilities with critical and high CVSS (Common Vulnerability Scoring System) ratings, accounting for 73 percent of those. In sheer numbers, however, Linux took the No. 1 spot, with Apple coming in at No. 2, according to the report.

About 55 percent of the vulnerabilities had no vendor-supplied patch at the end of the period, IBM said. Among the top 10 vendors with the most vulnerabilities, Microsoft had the highest percentage of unpatched bugs at 23 percent.

"The leap in vulnerability disclosures relates to organizations taking a greater interest in exploitable software bugs as well as attackers continuing to develop their own infrastructure," said Tom Cross, manager of IBM's X-Force Advanced Research Team. "An area that both whitehat and blackhat security researchers are focusing on is automated vulnerability discovery through approaches such as fuzzing. Predicting disclosure increases into the future is going to be tricky for this reason and we may see the occasional plateau or decrease."

The report also noted that attackers are continuing to make use of JavaScript obfuscation to hide malware. IBM detected a 52 percent increase in obfuscated attacks since 2009.

"Attackers have been using JavaScript to obfuscate Web browser attacks for a few years, but X-Force believes that the topic comes up infrequently, yet it continues to be a problem," Cross said. "With attackers continuing to innovate with JavaScript obfuscation, it is forcing security vendors to innovate [in the areas of] intelligent components and solutions too."

*This story was updated to reflect corrected data from IBM on the number of unpatched vulnerabilities.