IBM Report: Software Security Vulnerabilities Will Continue to Rise in 2007.

Web Browser Attacks and Image-Based Spam to Become Bigger Problems this Year

ARMONK, N.Y. -- IBM (NYSE:IBM) today announced the highlights of its 2006 security statistics report, which describes key security findings for 2006 and predicts the nature of Internet threats expected to emerge in 2007. Based on early indicators, IBM anticipates a continued rise in the sophistication of profit-motivated cyber attacks, including an increased focus on the Web browser and advances in image-based spam.

According to the report, which was developed by the IBM Internet Security Systems (ISS) X-Force[R] research and development team, there were 7,247 new vulnerabilities recorded and analyzed by the X-Force in 2006, which equates to an average of 20 new vulnerabilities per day. This total represents a nearly 40 percent increase over what ISS reported in 2005. Over 88 percent of 2006 vulnerabilities could be exploited remotely, and over 50 percent allowed attackers to gain access to a machine after exploitation.

"While these numbers seem grim upon initial review, the good news is our research indicates a drop in the percentage of high-impact vulnerabilities since last year," said Gunter Ollmann, director of security strategy for IBM Internet Security Systems. "In 2005, high-impact vulnerabilities accounted for about 28 percent of total vulnerabilities, while they only accounted for 18 percent in 2006. The security industry has made great progress over the last year, but despite promising statistics such as this one, we predict that 2007 will require even higher levels of vigilance and innovation to deal with emerging threats and new vectors of attack."

Attacks on Web browsers
In terms of spam, X-Force predicts a continued sophistication of image-based spam techniques. In 2007, new forms of image-based spam will likely be developed to evade protection solutions that have been created to combat early forms of image-based spam seen in the wild.

This latest report from X-Force also points to new methods being used by attackers to avoid detection by commercial security solutions. In 2006, malware continued to become less distinct in its categorization, instead borrowing characteristics from other successful forms of malware. As such, the classical groups of virus, rootkit, spyware and other categories typically used by the security industry to differentiate standalone protection products will be much less relevant in 2007.

In 2006, X-Force also observed considerable Web browser exploitation and a strong increase in the use of Web exploit obfuscation and encryption to make it difficult for signature-based intrusion detection and prevention products to detect attacks. X-Force data indicates that approximately 50 percent of Web sites hosting exploit material designed to infect browsers now obfuscate, or camouflage, their attack, with approximately 30 percent encrypting their payload.

The X-Force has been cataloguing, analyzing and researching vulnerability disclosures since 1997. With more than 30,000 security vulnerabilities catalogued, it has the largest vulnerability database in the world. This unique database helps X-Force researchers to understand the dynamics that make up vulnerability discovery and disclosure.

In addition to the vulnerabilities catalogued in its X-Force database, IBM ISS content filtering services are designed to provide a world-encompassing view of spam and phishing attacks. With millions of e-mail addresses actively monitored, ISS has identified numerous advances in the spam and phishing technologies used by online attackers.

During 2005 and 2006, X-Force data indicates that the use of image-based spam increased rapidly, accounting for more than 40 percent of spam messages at the end of 2006. This issue quickly became one of the biggest challenges in spam-fighting for 2006 since it is difficult for spam blockers that rely on content identification to decode text embedded within images.

The X-Force report also discusses the following key security statistics for 2006, among others:

* Within the last year, the volume of spam has increased by 100 percent over what ISS reported in 2005.
* The U.S., Spain and France are the three largest originators of spam worldwide.
* After English, German is the most popular language in which spam messages are written. (X-Force predicts that as computer users become more savvy at detecting and deleting spam, spammers will increasingly localize their messages in languages other than English to improve the rate at which they are opened.)
* The most popular subject line for spam in 2006 was "Re: hi."
* South Korea accounts for the highest source of phishing e-mails.
* The largest threat category of malware in 2006 was Downloaders, accounting for 22 percent of all malware. (A Downloader is a piece of low-profile malware that installs itself on machines for the purpose of later downloading a more sophisticated malware agent.)
* The most popular exploit used on the Internet to infect Web browsers with malware was for Microsoft's MS-ITS vulnerability (MS04-013), disclosed in 2004.
* The busiest month in 2006 for vulnerability disclosure was June, while the busiest week was the week before Thanksgiving and the most popular day of the week to disclose vulnerabilities was Tuesday.

In 2007, IBM also expects to see a continued rise in the total number of vulnerabilities, largely due to the release of new operating systems. While the new operating systems include more security functions than previous versions and have undergone extensive security audits, their sheer complexity will likely introduce new vulnerabilities. In addition, the synchronized release of new and updated third-party products that support new operating systems will likely contribute to a record year for vulnerabilities in 2007.

For more security trends and predictions from IBM, including graphical representations of security statistics, please access the full IBM X-Force 2006 Trend Statistics report at: http://www.iss.net/documents/whitepapers/X_Force_Exec_Brief.pdf

About IBM Internet Security Systems

IBM Internet Security Systems is the trusted security advisor to thousands of the world's leading businesses and governments, providing pre-emptive protection for networks, desktops and servers. An established leader in security since 1994, the IBM Proventia[R] integrated security platform is designed to automatically protect against both known and unknown threats, helping to keep networks up and running and shielding customers from online attacks before they impact business assets. IBM Internet Security Systems products and services are based on the proactive security intelligence of its X-Force[R] research and development team - the unequivocal world authority in vulnerability and threat research. The Internet Security Systems product line is also complemented by comprehensive Managed Security Services and Professional Security Services. For more information, visit the Internet Security Systems Web site at www.iss.net or call 800-776-2362.

Internet Security Systems is a trademark and Proventia and X-Force are registered trademarks of International Business Machines Corporation in the United States, other countries, or both. All other companies and products mentioned are trademarks and property of their respective owners.