New vulnerabilities decreased in 2009, but the vulnerability disclosures for document readers and editors and multimedia applications rose by 50%, compared to 2008, according to an annual X-Force Trend and Risk Report from IBM.
Overall 6,601 new vulnerabilities were discovered in 2009, an 11% decrease over 2008, indicating declines in the largest categories of vulnerabilities such as SQL Injection, in which criminals inject malicious code into legitimate web sites.
According to the report, attackers were successful at both the hosting of malicious web pages and that web browser-related vulnerabilities with new malicious web links rising by 345% compared to 2008. 49% of all vulnerabilities are related to web applications, with cross-site scripting disclosures surpassing SQL injection to take the top spot. 67% of web application vulnerabilities had no patch available at the end of 2009.
Attacks on the web using obfuscation has increased significantly while phishing rates dipped mid-year but rose dramatically in the last half of 2009. Brazil, USA and Russia were the countries where most malicious attacks originated, supplanting Spain, Italy and South Korea at the top in the 2008 report, IBM said.
By industry, 61% of phishing emails purport to be sent by financial institutions, whereas 20% purport to come from government organisations.
Tom Cross, manager of IBM X-Force Research, said: Despite the ever-changing threat landscape, this report indicates that overall, vendors are doing a better job responding to security vulnerabilities. However, attackers have clearly not been deterred, as the use of malicious exploit code in Web sites is expanding at a dramatic rate.
