Cyber-criminals are adopting new automation techniques and strategies that allow them to exploit vulnerabilities much faster than ever before, warns security specialist IBM X-Force.
X-Force operations manager Kris Lamb says organised criminals are implementing the tools on the Internet, while public exploit code, published by researchers, is now putting systems at risk.
X-Force’s latest report suggests that 94% of all browser-related online exploits occur within 24 hours of official vulnerability disclosure – zero-day attacks, which are on the Internet before people even know they have a vulnerability.
Lamb makes the point that disclosing exploit code along with a security advisory has been the accepted practice for years but, since the report indicates that vulnerabilities disclosed by researchers are twice as likely to have zero-day exploit code published, a new approach is needed.
“The two major themes in the first half of 2008 were acceleration and proliferation,” explains Lamb. “We see a considerable acceleration in the time a vulnerability is disclosed to when it is exploited, with an accompanying proliferation of vulnerabilities overall.
“Without a unified process for disclosing vulnerabilities, the research industry runs the risk of fuelling online criminal activity. There’s a reason why X-Force doesn’t publish exploit code for the vulnerabilities we have found – and perhaps it is time for others to reconsider this practice.”
Other key findings: browser plug-ins are the newest target-of-choice, taking over from operating systems, with 78% of exploits targeting browser plug-ins in the first six months of 2008.
Meanwhile, one-off manual attacks are growing into massive automated attacks. More than half of vulnerability disclosures are related to web server applications, and SQL injection vulnerabilities jumped from 25% in 2007 to 41% of all web server application vulnerabilities in the first half of 2008.