Editor’s Note: IBM has revised its X-Force 2010 Mid-Year Trend and Risk Report to correct inaccuracies in the data presented on its list of Best and Worst Patchers. For more information, see Threatpost.com’s continuing coverage.
The number of reported software vulnerabilities spiked in the first half of 2010, dashing hopes that growth in the number of discovered holes had plateaued, according to a new report from IBM’s Internet Security Systems X-Force, with Google joining the ranks of the ten software vendors with the most reported software vulnerabilities.
The report, the IBM X-Force 2010 Mid-Year Trend and Risk Report, compiles data from across IBM’s various security product divisions. The report found that the company’s X-Force security team analyzed and documented 4,396 new software vulnerabilities in the first half of 2010, a 36 percent increase compared with the same period in 2009. The company also found that vendors were having a tougher time patching those holes: the percentage of unpatched holes for eight of the top 10 software vendors increased between the first half of 2009 and the first half of 2010, IBM reported.
In all, just over half, 55%, of all the vulnerabilities that were discovered in the first six months of 2010 have not been patched by vendors – also an increase from last year, when 52% remained unpatched at the time of the IBM report. However, among the 10 vendors with the most reported software holes – a list that represents 20% of all reported holes in the first half – the average percentage of unpatched holes at the end of the first half of 2010 was much lower, at just over 12%. The average across the 10 vendors with the most holes in 2009 was 7.8%, according to IBM data.
Adobe, whose products have become popular targets of hackers, did the best job of fixing holes that were reported in its products, with just 3% of reported holes unpatched at the conclusion of the first half this year.
IBM said that holes in Web applications continue to be common. They made up 55 percent of all reported vulnerabilities in the first half of the year. No surprise, then, that Web application giant Google joined the list of the top 10 software vendors with the most reported holes in the first half, displacing HP on that list.
Apple Corp., which just issued a major security patch for its OS X operating system, maintained its position as the vendor accounting for the most vulnerability disclosures. Four percent of all disclosures in the first half were for Apple products, compared with 3.4% for the #2 vendor, Microsoft.
However, the Redmond, Washington software giant fared less well in fixing the holes reported: fully 23% of those holes discovered in Microsoft products in the first half remained unpatched at the end of the second quarter, including 11% of vulnerabilities rated “Critical” or “High.” By comparison, Apple had 13% of its holes unpatched at the end of the first half, but none rated “High” or “Critical.”
IBM said it expects attackers to continue to focus on attacks using common platforms like Adobe PDF and targeting holes in Web applications and common Web browsers. Such attacks come with high rewards but relatively few risks of discovery or repercussions. The company also expects continued fluctuation in the numbers of reported vulnerabilities, even as attackers migrate to and embrace emerging technologies like Voice over IP (VoIP) and client virtualization in their attacks. A copy of ISS’s First Half report is available here.