IBM: Vulnerabilities surge in first half, but majority remained unpatched


Disclosed vulnerabilities surged in the first half of the year and more than 55 percent of them remained unpatched, according to a report from IBM.

Big Blue's X-Force report found the following:

  • 4,396 new vulnerabilities were documented in the first half, up 36 percent from a year ago.
  • 55 percent of those vulnerabilities had no vendor-supplied patch.
  • Web application vulnerabilities were the biggest threat and accounted for 55 percent of all disclosures.
  • Hidden attacks delivered via JavaScript and exploits embedded in PDF files are both surging.

Among the key slides from the 112-page report:

Patch rates by vendor...

Spammers move to Russia...

Phishing targets by industry...

IBM had an interesting note about virtualization vulnerabilities. According to the report:

The number of exploits known against a class of vulnerabilities provides one measure of how likely those vulnerabilities are to be exploited. Of the 373 virtualization vulnerabilities reported since 1999, 51 (14 percent) have known exploits. This compares to 25 percent of vulnerabilities in the entire X-Force database for which exploits are known. Therefore the incidence of exploit availability for virtualization vulnerabilities is about half that of vulnerabilities at large. This reflects an inherently greater difficulty in exploiting virtualization vulnerabilities and/or a lesser focus on virtualization products by exploit developers.

One class of vulnerabilities of particular interest is escape-to-hypervisor vulnerabilities in server products, since these have extremely high risk. Of the 28 vulnerabilities of this type, only 2 have known exploits. While this represents a very small fraction, the fact that exploits exist for this class of vulnerabilities is cause for concern.

Not surprisingly, VMware, the virtualization top dog, is the primary target.

And Website categories with at least one malicious link...



Larry Dignan is Editor in Chief of ZDNet and SmartPlanet as well as Editorial Director of ZDNet's sister site TechRepublic. He was most recently Executive Editor of News and Blogs at ZDNet. Prior to that he was executive news editor at eWeek and news editor at Baseline. He also served as the East Coast news editor and finance editor at CN...
