Key Findings in the 2009 X-Force Trend and Risk Report
Posted by Leslie Horacek and Michelle Alvarez on February 25, 2010 at 4:46 PM EST.
As we wrap up another X-Force Trend and Risk Report, we once again find ourselves looking at the latest security threats that defined 2009. Let’s take a look at some of those highlights.
Vulnerabilities and Exploitation
The good news -- IBM X-Force analyzed and documented 6,601 new vulnerabilities, which represent 19 percent of all vulnerabilities chronicled since the inception of the X-Force Database more than ten years ago. That number is actually lower than what we've seen in the past.
More good news -- critical and high vulnerabilities with no patch have decreased significantly year-over-year in several key product categories, including operating systems and document readers and editors, although vendors of browsers, browser plug-ins and multimedia applications still have room for improvement in this area.
This slowing disclosure rate in 2009 was primarily driven by declines in some of the largest categories of vulnerabilities. Although vulnerabilities affecting Web applications continue to be the largest category of disclosure, major subcategories (SQL Injection and File Include) have declined, and one of the largest subcategories affecting client applications, ActiveX controls, has also declined.
One interesting story to note surrounding the decline of reported vulnerabilities was the announcement from the owner of Milw0rm in July of 2009, who stated he no longer had enough time to publish new vulnerability discoveries with the kind of timeliness he felt they deserved. As a result, he essentially stopped accepting vulnerability submissions through the fall. Another group, Offensive Security (whose main initiative is to provide training to security professionals), stepped in to provide a new venue for submitting and archiving exploits. This operation appeared to be working in full force (and potentially with a backlog of submissions) in December of 2009, and was the main driver behind an end of year revival of vulnerability disclosure activity.

Figure 3: Disclosures by Month, 2008-2009
Although we have seen declines in some areas of reporting, vulnerability disclosures for document readers, editors and multimedia applications are climbing dramatically. 2009 saw more than 50 percent more vulnerability disclosures for these categories versus 2008.
Of the two predominant types of document vulnerabilities, office documents (including spreadsheets and presentations) and Portable Document Format (PDF) documents, the latter has continued to dominate the charts.
With the slowing rate of vulnerability disclosures reported during the year, does this mean it's safer out there? Not really. We should mention that vulnerability disclosures have been at record levels over the last 4 years, and we also witnessed a decrease in 2007, so this isn't the first time.
IBM X-Force published only 11 alerts and advisories during the first half of 2009. During the second half we published 29, a clear indication of a more heightened and complicated threat environment during the latter part of the year. Twenty-two of those 29 vulnerabilities fit into the first quadrant of our exploitation matrix, which means that they are relatively easy to exploit and monetize and represent a large value to attackers. Many of these vulnerabilities can be leveraged with publicly distributed exploit code. These attacks target popular products such as Adobe Acrobat, Adobe Flash, Microsoft Internet Explorer, and Mozilla Firefox, as well as a potentially "wormable" vulnerability affecting SMBv2.
Malicious Links
New malicious Web links have skyrocketed globally. The number has increased by 345 percent compared to 2008. This trend is further proof that attackers are successful at both the hosting of malicious Web pages and that Web browser-related vulnerabilities and exploitation are netting a serious return.
The most prevalent type of vulnerability affecting servers today is unquestionably vulnerabilities related to Web applications. Although the number of vulnerabilities affecting Web applications has grown at a staggering rate, the growth demonstrated in the first half of 2009 and continuing through the second half may indicate the start of a plateau, at least in standard (off-the-shelf) software applications for the Web.

Figure 14: Percentage of Vulnerability Disclosures that Affect Web Applications, 2009
Web App vulnerabilities continue to be the largest category of security disclosures.
The predominant types of vulnerabilities affecting Web applications are Cross-Site Scripting (XSS), SQL Injection, and File Include vulnerabilities. By the end of 2009 Cross-Site Scripting vulnerability disclosures had once again surpassed the number of SQL Injection disclosures, putting XSS back in the number one spot. Sixty-seven percent of Web application vulnerabilities had no patch available at the end of 2009.

Figure 15: Web Application Vulnerabilities by Attack Technique, 2004-2009
Web application platforms represent a special case when it comes to counting vulnerabilities. The utility of these platforms is extended by plug-ins to the base application. These plug-ins may or may not be produced by the Web application vendor themselves, which makes counting vulnerabilities affecting these platforms a bit tricky. In the past few years, several of these platforms have shown up in our top 10 vendor list because we were reporting platform and plug-in vulnerabilities. This year, they were reported separately and what a story it told.
Web applications and Web development language platforms that had 20 or more vulnerabilities reported in 2009 are included in this analysis. The vulnerabilities reported for these platforms make up 8.3 percent of all the disclosures in 2009. As shown below, 81 percent of these disclosures affect plug-ins and not the base platform.

Figure 16: Web Application Platform Vulnerabilities, Plug-ins versus Platform Vulnerabilities, 2009
At a minimum, organizations should be mindful of not just the Web applications that are being deployed, but also take a hard look into the plug-ins that might be used within those applications.
PDF Attacks
IBM Managed Security Services (MSS) provides a view into the most frequently seen types of attacks that leverage client vulnerabilities. One of the trends they observed in 2009 was an increase in obfuscation complexity for Adobe PDF files. Today, it is becoming quite popular to hide encoded script in some element of the PDF, which can be referenced in ActionScript, decoded and executed. New additions to the PDF format include the ability to embed entire PDF documents and multimedia such as Flash movies. So now a malicious PDF might actually be a malicious Flash movie.

Figure 33: PDF Attacks, 2008-2009
It is quite critical that organizations and individuals update their Adobe products whenever a newer version is offered and if possible use the auto-update facility. In addition, unless you want or need the ability to run script or watch movies inside a PDF document, you should disable these features in the program options.
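The two PDF observations above (script hidden behind obfuscated names and executed on open, and multimedia such as Flash embedded in the document) can be checked for during triage before a file ever reaches a reader. The following is an added example written for this post, not code from IBM X-Force or the report: a small scanner that decodes the #xx hex escapes PDF allows inside name tokens (so that /J#61vaScript is recognized as /JavaScript), counts the name objects that indicate active or auto-run content, and reports which of them were obfuscated. The two PDF byte strings and the indicator list are constructed for the example; the sample file is not a real malicious document.

```python
import re

# Constructed sample: a tiny PDF whose JavaScript action name is hex-escaped
# (/J#61vaScript), is wired to /OpenAction so it runs when the file opens, and
# carries a RichMedia annotation with an embedded Flash file. Not a real document.
SAMPLE_PDF = b"""%PDF-1.7
1 0 obj
<< /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >>
endobj
2 0 obj
<< /Type /Pages /Kids [3 0 R] /Count 1 >>
endobj
3 0 obj
<< /Type /Page /Parent 2 0 R /Annots [5 0 R] >>
endobj
4 0 obj
<< /S /J#61vaScript /JS (app.alert('hello')) >>
endobj
5 0 obj
<< /Type /Annot /Subtype /RichMedia /RichMediaContent 6 0 R >>
endobj
6 0 obj
<< /Assets << /Names [(movie.swf) 7 0 R] >> >>
endobj
7 0 obj
<< /Type /Filespec /F (movie.swf) /EF << /F 8 0 R >> >>
endobj
8 0 obj
<< /Type /EmbeddedFile /Subtype /application#2Fx-shockwave-flash /Length 0 >>
stream
endstream
endobj
trailer
<< /Root 1 0 R >>
%%EOF
"""

# Constructed clean sample: pages only, no actions or embedded content.
CLEAN_PDF = b"""%PDF-1.4
1 0 obj
<< /Type /Catalog /Pages 2 0 R >>
endobj
2 0 obj
<< /Type /Pages /Kids [] /Count 0 >>
endobj
trailer
<< /Root 1 0 R >>
%%EOF
"""

# Name objects that indicate script, auto-execution or embedded content.
# This list is an assumption for the example, not an exhaustive catalogue.
SUSPICIOUS_NAMES = {
    b"/JavaScript": "JavaScript action",
    b"/JS": "inline JavaScript",
    b"/OpenAction": "action run when the document opens",
    b"/AA": "additional (automatic) actions",
    b"/Launch": "launch action",
    b"/RichMedia": "embedded Flash / multimedia annotation",
    b"/EmbeddedFile": "embedded file stream",
}

_HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")
# A name token ends at whitespace, a PDF delimiter, or end of data.
_NAME_END = rb"(?=[\s()<>\[\]{}/%]|$)"


def normalize_names(data: bytes) -> bytes:
    """Decode #xx escapes so obfuscated name tokens compare equal to plain ones."""
    return _HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def scan_pdf(data: bytes) -> dict:
    """Triage summary: indicator counts, which names were hex-obfuscated,
    and whether the file carries active content that runs automatically."""
    normalized = normalize_names(data)
    indicators = {}
    obfuscated = []
    for name, meaning in SUSPICIOUS_NAMES.items():
        pattern = re.escape(name) + _NAME_END
        raw_hits = len(re.findall(pattern, data))
        total_hits = len(re.findall(pattern, normalized))
        if total_hits:
            indicators[name.decode()] = {"count": total_hits, "meaning": meaning}
            if total_hits > raw_hits:  # only visible after decoding #xx escapes
                obfuscated.append(name.decode())
    return {
        "indicators": indicators,
        "obfuscated_names": obfuscated,
        "active_content": bool(indicators),
        "auto_run": any(k in indicators for k in ("/OpenAction", "/AA")),
    }


def scan_file(path: str) -> dict:
    """Convenience wrapper for scanning a PDF on disk."""
    with open(path, "rb") as fh:
        return scan_pdf(fh.read())


if __name__ == "__main__":
    for label, blob in (("sample", SAMPLE_PDF), ("clean", CLEAN_PDF)):
        print(label, scan_pdf(blob))
```

A hit on /OpenAction or /AA together with /JavaScript or /JS is exactly the "runs on open" pattern the report describes, and a RichMedia or EmbeddedFile hit is the embedded-Flash case; a file with those indicators is one to open only with scripting and multimedia disabled in the reader options, as the paragraph above recommends. The scanner deliberately works on raw bytes and does not decompress object streams, so it should be read as a first-pass filter rather than a verdict.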
Phishing Finding a New Home
In the area of Web content trends we saw that phishing rates dipped mid-year but rose dramatically in the last half of 2009. We also observed that the geographical base for phishing attacks has shifted. Spain and Italy took slots one and two in 2008, but both have completely dropped from the top 10 for 2009. The top country of origin is now Brazil, with the USA in second, and Russia, which was not even in the top 10 last year, pulling into third. Other changes include the addition of Turkey, India, Colombia, and Chile, while Israel, France, and Germany, which were smaller players in 2008, have slipped off the radar.

Figure 72: Geographical Distribution of Phishing Senders, 2009
Despite the change in location, phishing is still primarily focused on the financial industry. While some phishing scams target logins and passwords, others attempt to entice victims into entering detailed personal information by posing as government institutions. By industry, 61 percent of phishing emails purport to be sent by financial institutions, whereas 20 percent purport to come from government organizations.
To view the full report, download here.
As always, we welcome your comments and suggestions about the report. Please email them to xforce@iss.net.