[ISN] IBM Researchers Predict More Vulnerabilities in '07

From: InfoSec News (alerts@private)
Date: Tue Jan 30 2007 - 23:11:49 PST


By Matt Hines
January 30, 2007

New research indicates that enterprises will continue to grapple with 
long lists of dangerous software vulnerabilities during 2007, with 
experts at IBM predicting continued growth in the number of flaws found 
in popular products over the next twelve months.

According to a report published by IBM's ISS (Internet Security Systems) 
X-Force research team on Jan. 30, the group observed just under 7,250 
vulnerabilities during calendar 2006, which breaks down to an average of 
20 new software flaws being isolated every day, and represents a 40 
percent increase over the number of vulnerabilities discovered during 

Perhaps even more imposing is the researchers' contention that more than 
88 percent of the newly-found vulnerabilities in '06 could be exploited 
remotely, an all-time high, with over 50 percent allowing hackers to 
gain access to devices after the flaws have been flaunted.

With the launch of high-profile new software systems such as Microsoft's 
Windows Vista operating system in 2007, the researchers with IBM, based 
in Armonk, N.Y., are predicting that the next twelve months could be 
even more threatening from a security standpoint.

While developers of Vista and other products are putting more effort 
into securing their code and eliminating security loopholes, the experts 
said that the sheer complexity of such programs will create even more 

Another mitigating factor will be the arrival of many new third-party 
products meant to run on Vista, the ISS team said, as well as the 
growing use among malware code writers of so-called fuzzing tools, which 
automate the process of ferreting out software loopholes.

As desktop security tools have stemmed the flow of malware programs 
arriving in e-mail in-boxes, the use of fuzzing tools has helped hackers 
isolate weaknesses in Web browsing software, making the Internet the top 
source of malware, said Gunter Ollmann, director of security strategy 
for IBM ISS.

"The script kiddies of old went off to university and learned how to 
build and use fuzzing programs, and they're taking that experience and 
applying it to uncover vulnerabilities in content-level applications," 
said Ollmann.

"While the amount of [malware] content making it through from e-mail has 
gone down, and the volume of payloads making it to the desktop without 
being filtered has dropped, attackers have honed into Web browser 
vulnerabilities and there's less protection out there for this sort of 
threat, even within enterprises."

Ollmann said that IBM's researchers believe that the use of fuzzers has 
led to the rise in malware programs that attack application 
vulnerabilities, and that the technique will continue to take root among 

Underground malware communities are taking full advantage of the 
newly-discovered flaws, and are using them to gain entry to devices and 
install other malware, he said.

"The script kiddies of old went off to university and learned how to 
build and use fuzzing programs, and they're taking that experience and 
applying it to uncover vulnerabilities in content-level applications," 
said Ollmann.

It has also become easier for attackers to use the vulnerabilities in 
browser programs to build engines on Web servers that detect what type 
of software an individual is using and then launch malware programs that 
can take advantage of applications with holes that they have discovered. 
The malware writers are also using people's IP address information to 
tailor the content they attempt to deliver to a certain target.

"If a malware site such as this sees Internet Explorer 6, they send 
something different than if they see IE 7; there's a lot of logic in 
these engines," Ollmann said. "The site will look at the first request 
the browser makes and then find the right payload to deliver when the 
browser makes a second request. It happens that fast."

The researcher said that malware communities are also sharing lists of 
IP addresses to find specific sets of targets to assail with their 
programs, and to help identify accounts used by security software makers 
to help detect new attacks and code variations.

Traditional signature-based anti-virus products, versus 
behavior-oriented tools, are still failing to stop even those threats 
aimed at well-known vulnerabilities, according to Ollman, who noted that 
the most popular exploit used to infect Web browsers with malware in 
2006 was the Microsoft MS-ITS vulnerability, first disclosed in 2004.

Over the course of 2006, June was the month that saw the highest volume 
of new software vulnerabilities, while the week before the Thanksgiving 
holiday was the busiest week of the year.

IBM reported that so-called downloaders, also known as Trojan Viruses, 
which install themselves and attempt to retrieve other malware programs, 
represented the most popular form of threat seen in '06, accounting for 
22 percent of all attacks.

Among the other findings highlighted in the report was news that the 
volume of spam increased by 100 percent during the last year, and that 
the United States, Spain and France were the three top sources of spam 

In a reflection of the number of experienced users and businesses run in 
Germany, German was the second most popular language for spam e-mails, 
Ollmann said, but the volume of spam written in English still represents 
approximately 92 percent of the messages.

In a nod to the art of simplicity, the most popular subject line for 
spam in 2006 was "Re: hi," according to the report. South Korea accounts 
for the highest source of phishing e-mails, according to the report, and 
Web sites that host pornographic or sex-related content represented 12 
percent of the Internet last year.

Subscribe to InfoSec News

This archive was generated by hypermail 2.1.3 : Tue Jan 30 2007 - 23:32:13 PST