IBM says less software security vulnerabilities found in 2009

IBM's X-Force 2009 Trend and Risk report shows an 11 per cent drop in discovered vulnerabilities compared to 2008, including a decline in the largest categories like SQL Injections and ActiveX.

SQL Injection gained a lot of popularity as "proverbial flavour of the month," and was subsequently exploited to the point that there were few who didn't know what it was, said Nick Bradley, manager with IBM's managed security services intelligence centre. "Now the awareness has saturated the industry. More are actively looking to protect against it," said Bradley.

The 11 per cent decline in vulnerabilities is "really a drop in the bucket" in terms of the overall number of vulnerabilities, noted Bradley. Some contributing factors, he said, could be the retirement of two of the most "prolific discoverers of vulnerabilities", r0t and rgod, and the disappearance of a well-known site for vulnerability publication, milw0rm.

That aside, Bradley acknowledges the increased awareness among software vendors regarding the value of security in the products they build.

The report also found a significant increase in attacks using obfuscation, often launched using automated exploit toolkits, to hide from security software. Since security awareness goes both ways, Bradley said it's natural that malware creators will strive to exploit the very same vulnerabilities that the security industry tries to stop.

"It's like a game of cyber cat and mouse, now that the mouse is aware that the cat is watching, it's going to look for new hiding places and safer modes of travel," said Bradley.

The report also states that new malicious web links increased by 345 per cent compared to 2008, indicating that hackers are getting better at hosting malicious sites. And phishing scams still continue to target the financial industry, with 61 per cent of overall phishing emails.

Brian O'Higgins, a security consultant, finds it quite surprising that there should be a decline in SQL injections, which he calls a "best seller," and in ActiveX vulnerabilities. O'Higgins said the drop is likely attributable to software developers getting better at patching, debugging, and overall building applications.

Moreover, these days, there are more tools to help developers scan for possible vulnerabilities before software gets pushed out, said O'Higgins. "That's a good sign that the industry is improving," he said.

O'Higgins said he does expect an increase in attacks using obfuscation, because malware authors are very aware of how anti-malware software works and design their malicious creations around it. He wasn't surprised by the 345 per cent rise in new malicious web links either. "It's an attack vector of choice, so it works and it's ready and there are all kinds of social engineering (tricks) to get you to click on a link that's malicious," said O'Higgins.