Software Security Vulnerabilities Will Continue to Rise in 2007

February 2nd, 2007

IBM (NYSE:IBM) today announced the highlights of its 2006 security statistics report, which describes key security findings for 2006 and predicts the nature of Internet threats expected to emerge in 2007. Based on early indicators, IBM anticipates a continued rise in the sophistication of profit-motivated cyber attacks, including an increased focus on the Web browser and advances in image-based spam.

According to the report, which was developed by the IBM Internet Security Systems (ISS) X-Force® research and development team, there were 7,247 new vulnerabilities recorded and analyzed by the X-Force in 2006, which equates to an average of 20 new vulnerabilities per day. This total represents a nearly 40 percent increase over what ISS reported in 2005. Over 88 percent of 2006 vulnerabilities could be exploited remotely, and over 50 percent allowed attackers to gain access to a machine after exploitation.

“While these numbers seem grim upon initial review, the good news is our research indicates a drop in the percentage of high-impact vulnerabilities since last year,” said Gunter Ollmann, director of security strategy for IBM Internet Security Systems. “In 2005, high-impact vulnerabilities accounted for about 28 percent of total vulnerabilities, while they only accounted for 18 percent in 2006. The security industry has made great progress over the last year, but despite promising statistics such as this one, we predict that 2007 will require even higher levels of vigilance and innovation to deal with emerging threats and new vectors of attack.”

Attacks on Web browsers are expected to continue rising in 2007, partially as a result of the newly-created “exploits as a service” industry. The sale of exploit material is becoming even more organized and is increasingly taking the shape of the channel sales model used by legitimate corporate entities. Managed exploit providers are purchasing exploit code from the underground, encrypting it so that it cannot be pirated, and selling it for top dollar to spam distributors. The organized development and sale of encrypted exploit code will make signature-based protection even less effective in 2007.
