Disclosed vulnerabilities surged in the first half of the year and more than 55 percent of them remained unpatched, according to a report from IBM.
Big Blue's X-Force report found the following:
- 4,396 new vulnerabilities were documented in the first half, up 36 percent from a year ago.
- 55 percent of those vulnerabilities had no vendor-supplied patch.
- Web application vulnerabilities were the biggest threat and accounted for 55 percent of all disclosures.
Among the key slides from the 112-page report:
[Slide: Phishing targets by industry]
IBM had an interesting note about virtualization vulnerabilities. According to the report:
The number of exploits known against a class of vulnerabilities provides one measure of how likely those vulnerabilities are to be exploited. Of the 373 virtualization vulnerabilities reported since 1999, 51 (14 percent) have known exploits. This compares to 25 percent of vulnerabilities in the entire X-Force database for which exploits are known. Therefore the incidence of exploit availability for virtualization vulnerabilities is about half that of vulnerabilities at large. This reflects an inherently greater difficulty in exploiting virtualization vulnerabilities and/or a lesser focus on virtualization products by exploit developers.
One class of vulnerabilities of particular interest is escape-to-hypervisor vulnerabilities in server products, since these have extremely high risk. Of the 28 vulnerabilities of this type, only 2 have known exploits. While this represents a very small fraction, the fact that exploits exist for this class of vulnerabilities is cause for concern.
[Slide: Website categories with at least one malicious link]